Adjust tctl sso commands to new teams_to_roles field. #13463

Merged
merged 2 commits into from
Jun 14, 2022

@Tener Tener commented Jun 14, 2022

With recent addition of teams_to_roles field to Github auth connectors, some adjustments are needed:

  1. Make tctl sso configure github populate teams_to_roles field
  2. Add a new SSO diagnostic field to carry teams_to_roles mapping
  3. Make tctl sso test aware of teams_to_roles mapping from diagnostic field
  4. Populate diagnostic field in relevant part of code.

This PR supersedes code changes in #13148.

@github-actions github-actions bot added the tctl tctl - Teleport admin tool label Jun 14, 2022
@Tener Tener requested review from xacrimon and espadolini June 14, 2022 09:03

@xacrimon xacrimon left a comment

Approved but one question. Do we need to have any additional changes to support changing/printing/anything else to the existing but deprecated teams_to_logins field since that may still be in use?

Tener commented Jun 14, 2022

> Approved but one question. Do we need to have any additional changes to support changing/printing/anything else to the existing but deprecated teams_to_logins field since that may still be in use?

With respect to tctl sso ... commands? No further changes are needed as far as I can tell.

In general though? I think these 2 places may need updating:

```go
func (c *githubCollection) writeText(w io.Writer) error {
	t := asciitable.MakeTable([]string{"Name", "Teams To Logins"})
	for _, conn := range c.connectors {
		t.AddRow([]string{conn.GetName(), formatTeamsToLogins(
			conn.GetTeamsToLogins())})
	}
	_, err := t.AsBuffer().WriteTo(w)
	return trace.Wrap(err)
}
```

```go
func (a *ServerWithRoles) checkGithubConnector(connector types.GithubConnector) error {
	mapping := connector.GetTeamsToLogins()
	for _, team := range mapping {
		if len(team.KubeUsers) != 0 || len(team.KubeGroups) != 0 {
			return trace.BadParameter("since 6.0 teleport uses teams_to_logins to reference a role, use it instead of local kubernetes_users and kubernetes_groups ")
		}
		for _, localRole := range team.Logins {
			_, err := a.GetRole(context.TODO(), localRole)
			if err != nil {
				if trace.IsNotFound(err) {
					return trace.BadParameter("since 6.0 teleport uses teams_to_logins to reference a role, role %q referenced in mapping for organization %q is not found", localRole, team.Organization)
				}
				return trace.Wrap(err)
			}
		}
	}
	return nil
}
```

I feel like those 2 changes are out of scope of this PR... There may also be other places that need changing? I'm not sure though.
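
Added example, not part of the comment above and not code from the Teleport repository: a self-contained version of the role-reference check quoted above that walks both `teams_to_logins` and `teams_to_roles`, so a dangling role name in either field is rejected. The `Mapping` and `Connector` types, the `known` role set and the sample organization, team and role names are simplified assumptions made for this example.

```go
package main

import "fmt"

// Mapping is a simplified stand-in (assumed shape) for one entry of either
// teams_to_logins or teams_to_roles; RoleNames holds the referenced roles.
type Mapping struct {
	Organization, Team string
	RoleNames          []string
}

// Connector carries both fields, since the deprecated one may still be in use.
type Connector struct {
	TeamsToLogins []Mapping // deprecated field
	TeamsToRoles  []Mapping // new field
}

// checkRoleRefs returns an error naming the first entry, in either field,
// that references a role missing from the role set `known`.
func checkRoleRefs(c Connector, known map[string]bool) error {
	fields := []struct {
		name    string
		entries []Mapping
	}{{"teams_to_logins", c.TeamsToLogins}, {"teams_to_roles", c.TeamsToRoles}}
	for _, f := range fields {
		for _, m := range f.entries {
			for _, role := range m.RoleNames {
				if !known[role] {
					return fmt.Errorf("%s: role %q referenced in mapping for organization %q is not found",
						f.name, role, m.Organization)
				}
			}
		}
	}
	return nil
}

func main() {
	known := map[string]bool{"access": true} // constructed sample data
	c := Connector{
		TeamsToLogins: []Mapping{{"octocats", "dev", []string{"access"}}},
		TeamsToRoles:  []Mapping{{"octocats", "admins", []string{"editor"}}},
	}
	fmt.Println(checkRoleRefs(c, known)) // reports the missing "editor" role
}
```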

@Tener Tener enabled auto-merge (squash) June 14, 2022 09:52
@Tener Tener merged commit 7f8a2e6 into master Jun 14, 2022
@Tener Tener deleted the tener/tctl-sso-teams-to-roles branch July 22, 2022 08:59