feat: role version V8 #47912

Draft
wants to merge 2 commits into
base: master

flyinghermit
Contributor

  • Implemented to support the app_labels matcher for the saml_idp_service_provider kind. App label matchers will only be enforced for SAML service providers starting with role version v8. This is managed with a new CheckRoleSupportsSAMLIdPAppLabelMatcher method, which returns true when the user is assigned a role with version v8.
  • The RBAC configuration fields between role version v7 and v8 all remain the same. No new fields are added to the role and rule spec. This does not affect any RBAC behaviour except for the saml_idp_service_provider resource.
  • The gRPC service for GetRole is updated to downgrade the role version from v8 to v7 for clients with a version below v17.0.0.
  • New roles will have a default v8 version.

Not covered in this PR:

  • Operators and Terraform still use v7
  • Once access role preset is updated to v8. Other presets remain as is.
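
The client-version gate from the PR description above (v8 downgraded to v7 for clients below v17.0.0), as an added example that is not code from this PR: `Role`, `minV8Client`, `needsDowngrade` and `downgradeForClient` are hypothetical names, and treating an unparseable version as old is an assumption. It shows two edge cases: a pre-release such as 17.0.0-dev sorts below 17.0.0 under semver precedence, and the downgrade returns a copy so a shared role object is not altered.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Role struct{ Name, Version string } // hypothetical stand-in, not the project's type

var minV8Client = [3]int{17, 0, 0} // v17.0.0, the cut-off named in the PR description

// needsDowngrade: is clientVersion below minV8Client? Assumption: unparseable counts as old.
func needsDowngrade(clientVersion string) bool {
	s, _, _ := strings.Cut(strings.TrimPrefix(clientVersion, "v"), "+") // drop build metadata
	core, _, pre := strings.Cut(s, "-")                                 // pre is true for "17.0.0-dev"
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return true
		}
		v[i] = n
	}
	for i := range v {
		if v[i] != minV8Client[i] {
			return v[i] < minV8Client[i]
		}
	}
	return pre // equal core: a pre-release sorts below the release itself
}

// downgradeForClient returns a copy when it downgrades; r may be shared (cached).
func downgradeForClient(r *Role, clientVersion string) *Role {
	if r == nil || r.Version != "v8" || !needsDowngrade(clientVersion) {
		return r
	}
	out := *r
	out.Version = "v7"
	return &out
}

func main() {
	fmt.Println(downgradeForClient(&Role{"access", "v8"}, "17.0.0-dev").Version)
}
```

Only the version string changes in this sketch; whether the role's rules also need adjusting for older clients is the question raised in review further down this page.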


This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47912.d212ksyjt6y4yg.amplifyapp.com


This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47912.d3pp5qlev8mo18.amplifyapp.com

@@ -959,11 +959,11 @@ func (r *RoleV6) GetPrivateKeyPolicy() keys.PrivateKeyPolicy {
// setStaticFields sets static resource header and metadata fields.
func (r *RoleV6) setStaticFields() {
r.Kind = KindRole
if r.Version != V3 && r.Version != V4 && r.Version != V5 && r.Version != V6 {
if r.Version != V3 && r.Version != V4 && r.Version != V5 && r.Version != V6 && r.Version != V7 {
// When incrementing the role version, make sure to update the
// role version in the asset file used by the UI.
// See: web/packages/teleport/src/Roles/templates/role.yaml
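
Review bot: the version check in setStaticFields is now a five-term chain of != comparisons, and any value outside V3 to V7 (an empty string, a typo, or a version this binary does not know yet) takes the same branch. The body of that branch is not visible in this hunk, but the PR description makes V8 the version at which app_labels matchers start being enforced for saml_idp_service_provider, so which versions fall through here decides which enforcement a role gets. Consider a switch over the known versions with an explicit default, so that unknown values are handled deliberately and the next version bump is a one-line change. The in-code reminder about web/packages/teleport/src/Roles/templates/role.yaml also needs its counterpart change in this PR, or an updated path if the file has moved.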
Contributor


Was this done? Or, if the relevant file name changed, can we update this comment?

// maybeDowngradeRoleVersionToV7 downgrades the role version to V7 if
// the client version passed through the gRPC metadata is below the version
// specified in minSupportedRoleV8Version.
func maybeDowngradeRoleVersionToV7(role *types.RoleV6, clientVersion *semver.Version) *types.RoleV6 {
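
Review bot: the doc comment on maybeDowngradeRoleVersionToV7 does not say whether the input role is modified in place or a copy is returned, and the signature (takes and returns *types.RoleV6) allows either. If callers pass a role that is shared between requests, an in-place change would hand the V7 version to clients that do support V8, so state the contract in the comment and return a copy when downgrading. The comment should also say what happens when clientVersion is nil, since it is a pointer derived from gRPC metadata.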
Contributor


Shouldn't you modify the role so that it won't grant access to the SAML IdP apps if the v8 role wouldn't grant access?
