docs: role definition update (#32728)

* docs: update session resources * adds instance, session_tracker and updates ssh_session
2024-10-19 08:43:58 +00:00 · 2023-10-10 12:16:03 -04:00 · 2023-10-10 12:16:03 -04:00 · 0098f11c79
parent 6f654c05d1
commit 0098f11c79
2 changed files with 9 additions and 7 deletions
--- a/docs/pages/access-controls/reference.mdx
+++ b/docs/pages/access-controls/reference.mdx
@ -435,18 +435,18 @@ metadata:
 spec:
  allow:
    rules:
-    # Teleport allows shared session access by default, so for our restrictions
-    # to work we first allow access to ssh_sessions...
-    - resources: [ssh_session]
+    # Teleport allows session access to the user's sessions
+    # and sessions they can join by default. This allows seeing any sessions.
+    - resources: [session_tracker]
      verbs: ['*']
  deny:
    rules:
    # ... and then limit that access via a deny rule.
    # Deny rules take precedence over allow rules, so the resulting role allows
    # users to create SSH sessions but to only view their own sessions.
-    - resources: [ssh_session]
+    - resources: [session_tracker]
      verbs: [list, read, update, delete]
-      where: '!contains(ssh_session.participants, user.metadata.name)'
+      where: '!contains(session_tracker.participants, user.metadata.name)'
 ```

 ## Second Factor - U2F
@ -462,7 +462,7 @@ Here is an explanation of the fields used in the `where` and `filter` conditions
 | -------------------------- | ------------------------------------------------- |
 | `user.spec.roles`          | The list of roles assigned to a user              |
 | `session.participants`     | The list of participants from a session recording |
-| `ssh_session.participants` | The list of participants from an SSH session      |
+| `session_tracker.participants` | The list of participants from an SSH session      |
 | `user.metadata.name`       | The user's name                                   |

 Check out our [predicate language](../reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources)
--- a/docs/pages/includes/role-spec.mdx
+++ b/docs/pages/includes/role-spec.mdx
@ -392,7 +392,9 @@ spec:
    # access_plugin_data - allows modifying Access Request plugin data
    #
    # session            - session playback records
-    # ssh_session        - an active SSH session
+    # session_tracker    - an active session
+    # ssh_session        - allows seeing active sessions page
+    # instance           - a Teleport instance
    # event              - structured audit logging event
    #
    #