mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 08:43:58 +00:00
docs: role definition update (#32728)
* docs: update session resources
* adds instance, session_tracker and updates ssh_session
parent 6f654c05d1
commit 0098f11c79
@ -435,18 +435,18 @@ metadata:
spec:
allow:
rules:
# Teleport allows shared session access by default, so for our restrictions
# to work we first allow access to ssh_sessions...
- resources: [ssh_session]
# Teleport allows session access to the user's sessions
# and sessions they can join by default. This allows seeing any sessions.
- resources: [session_tracker]
verbs: ['*']
deny:
rules:
# ... and then limit that access via a deny rule.
# Deny rules take precedence over allow rules, so the resulting role allows
# users to create SSH sessions but to only view their own sessions.
- resources: [ssh_session]
- resources: [session_tracker]
verbs: [list, read, update, delete]
where: '!contains(ssh_session.participants, user.metadata.name)'
where: '!contains(session_tracker.participants, user.metadata.name)'
```
## Second Factor - U2F
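Review bot: the deny-rule comment `# ... and then limit that access via a deny rule.` is unchanged context that continued the old allow-rule comment (`# to work we first allow access to ssh_sessions...`); with the allow comment replaced by the `session_tracker` wording, the leading "... and then" no longer continues any sentence. Suggest rewording it as a standalone sentence, e.g. `# Limit that access with a deny rule so users only see sessions they participate in.` The new allow comment's closing sentence, "This allows seeing any sessions.", is also ambiguous about whether it describes Teleport's default behaviour or the `verbs: ['*']` rule directly beneath it; say which, since the deny rule below only makes sense as a narrowing of the latter.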
@ -462,7 +462,7 @@ Here is an explanation of the fields used in the `where` and `filter` conditions
| -------------------------- | ------------------------------------------------- |
| `user.spec.roles` | The list of roles assigned to a user |
| `session.participants` | The list of participants from a session recording |
| `ssh_session.participants` | The list of participants from an SSH session |
| `session_tracker.participants` | The list of participants from an SSH session |
| `user.metadata.name` | The user's name |
Check out our [predicate language](../reference/predicate-language.mdx#scoping-allowdeny-rules-in-role-resources)
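Review bot: the description for the new `session_tracker.participants` row repeats the `ssh_session.participants` row word for word ("The list of participants from an SSH session"), so the table gives readers no way to tell the two fields apart, while the role comment added elsewhere in this commit defines `session_tracker` as "an active session" rather than an SSH session specifically. Suggest `| `session_tracker.participants` | The list of participants from an active session |` so the rows are distinguishable and consistent with that comment. The new row's cell padding also does not line up with the other rows; harmless for rendering, but worth aligning in the source.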
@ -392,7 +392,9 @@ spec:
# access_plugin_data - allows modifying Access Request plugin data
#
# session - session playback records
# ssh_session - an active SSH session
# session_tracker - an active session
# ssh_session - allows seeing active sessions page
# instance - a Teleport instance
# event - structured audit logging event
#
#
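Review bot: the rewritten `ssh_session` entry (`# ssh_session - allows seeing active sessions page`) breaks the pattern of this list, where every other line names a resource and says what it is (`# session_tracker - an active session`, `# instance - a Teleport instance`, `# event - structured audit logging event`), and a reader is left without an explanation of how `ssh_session` and `session_tracker` differ now that both exist. Suggest keeping the "resource - what it is" form (e.g. `# ssh_session - the active sessions page in the web UI`) and, if the distinction matters for writing deny rules as the other hunk in this commit implies, adding a sentence above the block that states when to use `ssh_session` versus `session_tracker`.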