Clarify RBAC rule application #11672
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zmb3
reviewed
Apr 1, 2022
xacrimon
force-pushed
the
joel/clarify-rbac-rule-application
branch
from
ba4731b to
869d779
Compare
|
@zmb3 You're too fast:), I reworded it just a second after. |
zmb3
approved these changes
Apr 1, 2022
|
@ptgott Can I get a review? |
ptgott
reviewed
Apr 4, 2022
| @@ -76,6 +76,10 @@ spec: | |||
| count: 2 | |||
| ``` | |||
|
|
|||
| #### Combining Policies | |||
|
|
|||
| The authorizer applies require policies within a role together with an OR operator and the sets from each role with an AND operator. In practice, this means that every role with at least one require policy requires one of its policies to be met before a session can be started. | |||
There was a problem hiding this comment.
- This is the first time we mention the authorizer. Is this the same as the Auth Service? If so, I think we should say "The Auth Service" so readers can better connect this paragraph with their knowledge of Teleport.
- Is there a term defined earlier in the guide we can use instead of "the sets from each role"? I'm not confident that I understand what this refers to.
There was a problem hiding this comment.
-
The authorizer usually a common term for some control logic at any point in a stack that decides whether a user has access or not. This isn't a term frequently used in documentation I don't think but I don't have a better name for it since this code can be run at many different places.
-
Reworded, is it clearer now?
Co-authored-by: Paul Gottschling <[email protected]>
ptgott
approved these changes
Apr 6, 2022
xacrimon
added a commit
that referenced
this pull request
Apr 7, 2022
xacrimon
added a commit
that referenced
this pull request
Apr 7, 2022
* Write error and return on failed websocket upgrade (#11606) * Broadcast controls keys if session is moderated (#11661) * Clarify RBAC rule application (#11672) * Use a buffered channel for the terminate notifier (#11687) * Restrict moderated sessions users from accessing V8 kube cluster agents (#11691)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #11601