Filter IC Permission Sets based on access #49936
Conversation
tcsc
added
no-changelog
|
|
||
| // RequiresRequest indicates that the user needs to raise an access request to | ||
| // be granted this permission set | ||
| bool RequiresRequest = 4 [(gogoproto.jsontag) = "assignment_name,omitempty"]; |
There was a problem hiding this comment.
Why is the RequiresRequest attribute needed for the permission_set object?
The RequiresRequest attribute is only used by the Front End. For the same flow in Okta, when an app has multiple okta_groups or AWS app access with multiple IAM configurations, the RequiresRequest attribute was not necessary apart from the top level app property and Instead, the logic riels on the top-level app.RequiresRequest flag.
So why is it handled differently in this case? For the AWS IC flow, why is the RequiresRequest flag needed for each selected object, whereas for other flows (e.g., Okta with multiple okta_groups), the logic relies on the top-level app.RequiresRequest flag?
Also does the FE is aware of this change ?
cc: @flyinghermit
There was a problem hiding this comment.
We could probably do this with the enriched resource, outside of the AppV3 and avoiding the protobuf change.
There was a problem hiding this comment.
OK, so the reason this needs to be in the protobuf definition is that the app representing the IC Account goes over the wire (at least logically) at some point between the Unified Resource Cache listing and being rendered to json.
As far as I can tell, we need to calculate which Account Assignments are available to (or requestable by) a user during this listing, because once we have transmitted the resource to the URC client, we no longer have the tools available to evaluate the user's access.
If we want to expose this requestability info to the UI, then we need to expose it to the Unified Resource Cache client first, and for that it has to be part of the App's wire format.
If a user is granted access to an IC Permission Set via an access request, the UI treats the referenced account as if all Permission Sets are granted. This hides the requestable Permission Sets from the user, making it impossible for a user to requests more Permission Sets on that account. This patch filters the Permission Sets delivered to the UI based on whether the user already has access the Permission Sets and marks any requestable Permission Sets on the account. This provides the UI with enough information to decide how to display the Permission Set list in order to get around the issue.
tcsc
force-pushed
the
tcsc/idc-filter-permission-sets
branch
from
155d548 to
5b55287
Compare
| @@ -472,7 +472,7 @@ func (a *AppV3) GetDisplayName() string { | |||
| if a.Spec.IdentityCenter == nil { | |||
| return "" | |||
| } | |||
| return a.GetName() | |||
| return a.Metadata.Description | |||
There was a problem hiding this comment.
This change is not related to "Filter IC Permission Sets based on access" right ?
Just want to make sure that this is not leftover from local stash.
There was a problem hiding this comment.
I needed to change the name value of the "app" to be the account ID - for two reasons:
- so I can pull it out to build the dummy Account Assignment that we use to query access
- to avoid the uniqueness issues we discussed yesterday
The knock-on effect of this is that the friendly name is now pulled from the app description.
| continue | ||
| } | ||
| output = append(output, ps) | ||
| if _, requestable := checker.requestableMap[ps.AssignmentID]; requestable { |
There was a problem hiding this comment.
Why the checker.requestableMap map is updated here? This filterICPermissionSets function is called after the checker.requestableMap map is used in
teleport/lib/auth/auth_with_roles.go
Line 1457 in 5b55287
There was a problem hiding this comment.
The access check for the AccountAssignment on line 1530 modifies the requestableMap as a side effect, and that's how we pull out whether the assignment requires an Access Request.
There was a problem hiding this comment.
Ah, Thanks. I had in mind the previous logic model but for this flow where the checker.checkAccess is reused that makes sens.
|
|
||
| var output []*types.IdentityCenterPermissionSet | ||
| for _, ps := range pss { | ||
| assignment.Metadata.Name = ps.AssignmentID |
There was a problem hiding this comment.
Why the assignment.Metadata.Name needs to be updated. Does the checker.checkAccess RBAC check depends on the resource name ?
There was a problem hiding this comment.
Yes - when it writes to the requestable map
Co-authored-by: Marek Smoliński <[email protected]>
public-teleport-github-review-bot
bot
removed request for
gabrielcorado and
zmb3
Backports #49936 If a user is granted access to an IC Permission Set via an access request, the UI treats the referenced account as if all Permission Sets are granted. This hides the requestable Permission Sets from the user, making it impossible for a user to requests more Permission Sets on that account. This patch filters the Permission Sets delivered to the UI based on whether the user already has access the Permission Sets and marks any requestable Permission Sets on the account. This provides the UI with enough information to decide how to display the Permission Set list in order to get around the issue. --------- Co-authored-by: Marek Smoliński <[email protected]>
* [v17] Filter IC Permission Sets based on access Backports #49936 If a user is granted access to an IC Permission Set via an access request, the UI treats the referenced account as if all Permission Sets are granted. This hides the requestable Permission Sets from the user, making it impossible for a user to requests more Permission Sets on that account. This patch filters the Permission Sets delivered to the UI based on whether the user already has access the Permission Sets and marks any requestable Permission Sets on the account. This provides the UI with enough information to decide how to display the Permission Set list in order to get around the issue. --------- Co-authored-by: Marek Smoliński <[email protected]> * fix bad cherrypick --------- Co-authored-by: Marek Smoliński <[email protected]>
If a user is granted access to an IC Permission Set via an access request,
the UI treats the referenced account as if all Permission Sets are granted.
This hides the requestable Permission Sets from the user, making it
impossible for a user to requests more Permission Sets on that account.
This patch filters the Permission Sets delivered to the UI based on whether
the user already has access the Permission Sets and marks any requestable
Permission Sets on the account.
This provides the UI with enough information to decide how to display the
Permission Set list in order to get around the issue.