Remove explicit "deny" from preset "auditor" role, make preset roles V4 #8959
Conversation
justinas
force-pushed
the
justinas/remove-explicit-deny-from-auditor
branch
from
7bc0b61 to
1cf5b27
Compare
justinas
changed the title
| Version: types.V3, | ||
| Version: types.V4, |
There was a problem hiding this comment.
Looks like the editor role will lose wildcard allow rules for nodes, k8s, etc. Not sure if this is intentional
There was a problem hiding this comment.
I think that makes sense, the intention of these roles seems to be to grant distinct, limited sets of permissions each. If you'd like access, you should create a user with access,editor. A "superuser" would be one with all three roles.
There was a problem hiding this comment.
It probably does make sense I just think we should be careful/intentional with this change as it may break some user's expectations of the editor role (even though this will not affect existing clusters, it could break expectations for new clusters).
Can we confirm this won't break the editor's ability to edit any labelled resource? I'm not sure if that's even something you can do but worth double checking.
With 8.0 we are already changing admin/auditor so it probably is the time to make this change but I think this is at least worth calling out in the PR description and getting UX sign-off
There was a problem hiding this comment.
@nklaassen you're right, with this change editor role on its own does not allow editing nodes, DBs, etc. Not sure whether should be this case, the description of editor in the docs is somewhat vague:
Allows editing of cluster configuration settings.
https://goteleport.com/docs/ver/8.0/access-controls/reference/#preset-roles
Alternatively, we could leave these roles on V3, only remove explicit deny on auditor. This means auditor remains with insecure defaults (wildcard labels), but nologin-FOO and the absence of {{internal.logins}} should prevent from accidentally granting infra access to auditors.
There was a problem hiding this comment.
I think to edit nodes, DBs, etc., requiring users to have access,editor makes the most sense and keeps things nicely modular. Whether we slowly deprecate this or remove the default labels now doesn't make much of a difference since it won't affect current clusters and users will have to adapt to these fixed presets sooner or later.
So I agree, let's update the PR description to include this hidden change and get it signed off.
There was a problem hiding this comment.
@Joerger thanks for your 2¢, I have updated the description, but I'm not very familiar with the UX review process, could you tag the key people for a review?
There was a problem hiding this comment.
IMO we should still update the editor role to v4. We can either add the explicit wildcard allow labels to keep the existing functionality, or leave them off if we intentionally want the editor role to be more restricted, I'm not sure which is better but I would view adding the wildcard allow labels as the default, non-change. If we want to remove them that may be valid but is kind of a separate issue. But I think it's fine either way. Last time I needed UX review it's just @klizhentas
…V4 (#8959) * Remove explicit "deny" from preset "auditor" role * Upgrade preset roles to V4
This PR intends to make the
auditorpurely additive and bring the combination of built-inaccess,auditor,editorroles up to par with the legacyadmin. The two main goals of this:auditorrole to the account in order to try out session replay and losing permissions to the infra itself is a confusing outcome.Previously, the
auditorrole would explicitlydenyaccess to infrastructure, and as such combining it withaccesstook away the permissions granted by theaccessrole. This made sense asv3roles had laxallowrules by default (node_labels: {'*': '*'}). However,v4roles do notallowanything implicitly (see Roles V4 PR).By this reasoning, removing
denytogether with moving the roles tov4should be safe (i.e. not giveauditorextra permissions), while removing its negative interplay with other built-in roles.Additional impact of this change:
editorrole does not grant access to compute infrastructure by default, theeditorrole by itself is not sufficient to edit nodes, DBs, and other labelled resources. The user must be givenaccess,editorroles to be able to edit these objects.