Move Access Requests guides to Access Controls (#14598)

Reorganize our Access Request guides

Fixes #13696

Most guides to Access Requests are currently not listed on the sidebar,
and the guides that are listed are available for Cloud as well as
Enterprise. This change makes it easier to find our Access Requests
guides by moving them to the Access Controls section and listing all
guides on the sidebar. It adds the "Access Requests" and "Access Request
Plugins" subsections to "Access Controls".

Since the Access Controls section includes one subsection, called
"Guides", this change also renames that subsection--and adds a
descriptive intro paragraph to the section's menu page--in order to
accommodate the Access Requests and Access Request Plugins subsections.

Move some guides into "Access Requests"
Paul Gottschling 2022-08-01 13:44:36 -04:00 committed by GitHub
parent 925351e5be
commit e7f2b5f1de
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 166 additions and 70 deletions

@ -1847,7 +1847,7 @@ This is a minor Teleport release with a focus on new features and bug fixes.
### Improvements
* Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](./docs/pages/enterprise/workflow). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](./docs/pages/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](./docs/pages/setup/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
* Remote tctl execution is now possible. [Read the docs](./docs/pages/setup/reference/cli.mdx#tctl). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)

@ -734,7 +734,7 @@
"slug": "/access-controls/getting-started/"
},
{
"title": "Guides",
"title": "Cluster Access and RBAC",
"slug": "/access-controls/guides/",
"entries": [
{
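Review bot: the sidebar title chosen here, "Cluster Access and RBAC", does not match the title the same page is given in this change ("Configure Access" in the rewritten guides.mdx front matter), so the sidebar entry and the page heading will disagree. Pick one string and use it in both places; the slug `/access-controls/guides/` is kept, which is fine, but the visible names should agree.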
@ -773,6 +773,46 @@
}
]
},
{
"title": "Access Requests",
"slug": "/access-controls/access-requests/",
"entries": [
{
"title": "Role Requests",
"slug":"/access-controls/access-requests/role-requests/"
},
{
"title": "Resource Requests",
"slug":"/access-controls/access-requests/resource-requests/"
}
]
},
{
"title": "Access Request Plugins",
"slug": "/access-controls/access-request-plugins/",
"entries": [
{
"title": "Mattermost",
"slug":"/access-controls/access-request-plugins/ssh-approval-mattermost/"
},
{
"title": "PagerDuty",
"slug":"/access-controls/access-request-plugins/ssh-approval-pagerduty/"
},
{
"title": "Jira Server",
"slug":"/access-controls/access-request-plugins/ssh-approval-jira-server/"
},
{
"title": "Jira Cloud",
"slug":"/access-controls/access-request-plugins/ssh-approval-jira-cloud/"
},
{
"title": "Slack",
"slug":"/access-controls/access-request-plugins/ssh-approval-slack/"
}
]
},
{
"title": "Reference",
"slug": "/access-controls/reference/"
@ -1393,6 +1433,46 @@
"source": "/setup/admin/graceful-restarts/",
"destination": "/setup/admin/upgrading-the-teleport-binary/",
"permanent": true
},
{
"source": "/enterprise/workflow/",
"destination": "/access-controls/access-requests/",
"permanent": true
},
{
"source": "/enterprise/workflow/ssh-approval-mattermost/",
"destination": "/access-controls/access-request-plugins/ssh-approval-mattermost/",
"permanent": true
},
{
"source": "/enterprise/workflow/ssh-approval-mattermost/",
"destination": "/access-controls/access-request-plugins/ssh-approval-pagerduty/",
"permanent": true
},
{
"source": "/enterprise/workflow/ssh-approval-jira-server/",
"destination": "/access-controls/access-request-plugins/ssh-approval-jira-server/",
"permanent": true
},
{
"source": "/enterprise/workflow/ssh-approval-jira-cloud/",
"destination": "/access-controls/access-request-plugins/ssh-approval-jira-cloud/",
"permanent": true
},
{
"source": "/enterprise/workflow/ssh-approval-slack/",
"destination": "/access-controls/access-request-plugins/ssh-approval-slack/",
"permanent": true
},
{
"source": "/enterprise/workflow/resource-requests/",
"destination": "/access-controls/access-requests/resource-requests/",
"permanent": true
},
{
"source": "/enterprise/workflow/role-requests/",
"destination": "/access-controls/access-requests/role-requests/",
"permanent": true
}
]
}
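Review bot: the redirect source `"/enterprise/workflow/ssh-approval-mattermost/"` appears twice, once pointing at the Mattermost plugin page and once at `/access-controls/access-request-plugins/ssh-approval-pagerduty/`, while the old PagerDuty URL gets no redirect at all. The second entry's source should be `/enterprise/workflow/ssh-approval-pagerduty/`; as written, bookmarks and external links to the old PagerDuty guide will 404 (or readers will land on whichever of the two Mattermost rules wins), which defeats the purpose of adding permanent redirects.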

@ -0,0 +1,12 @@
---
title: Just-in-Time Access Request Plugins
description: "Use Teleport's Access Request plugins to least-privilege access without sacrificing productivity."
layout: tocless-doc
---
Teleport Just-in-Time Access Requests allow users to receive temporary elevated
privileges by seeking consent from one or more reviewers, depending on your
configuration.
(!docs/pages/includes/access-request-integrations.mdx!)
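Review bot: the `description` front matter, "Use Teleport's Access Request plugins to least-privilege access without sacrificing productivity.", is missing its verb; "to implement least-privilege access" or "to grant least-privilege access" reads correctly. The description is what search results and link previews show, so it is worth fixing before merge.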

@ -527,12 +527,11 @@ $ sudo systemctl enable teleport-slack
$ sudo systemctl start teleport-slack
```
## Next steps
- Read our guides to configuring [Resource Access
Requests](./resource-requests.mdx) and [Role Access
Requests](./role-requests.mdx) so you can get the most out
Requests](../access-requests/resource-requests.mdx) and [Role Access
Requests](../access-requests/role-requests.mdx) so you can get the most out
of your Access Request plugins.
## Feedback

@ -1,16 +1,22 @@
---
title: Just-in-time Access Requests
title: Just-in-Time Access Requests
description: Teleport allows users to request new access capabilities from the CLI or UI. Requests can be escalated via ChatOps or anywhere else via our flexible Authorization Workflow API.
h1: Teleport Just-in-time Access Requests
layout: tocless-doc
---
Teleport Just-in-time Access Requests allow any developer to request access to
Teleport Just-in-Time Access Requests allow any user to request access to
a resource or role depending on need. The request can then be approved or
denied based on a configurable number of approvers.
Just-in-Time Access Requests are a powerful way to implement the principle of
least privilege in your organization, leaving an attacker with no permanent
admins to target. Users receive elevated privileges for a limited period of
time. And aside from their reviewer privileges, users who review requests can
have limited access to cluster resources.
<ScopedBlock scope={["oss"]}>
Just-in-time Access Requests are a feature of Teleport Enterprise.
Just-in-Time Access Requests are a feature of Teleport Enterprise.
Open-source Teleport users can get a preview of how Access Requests work by
requesting a role via the Teleport CLI. Full Access Request functionality,
including Resource Access Requests and an intuitive and searchable UI are
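Review bot: the new paragraph's claim that Access Requests leave "an attacker with no permanent admins to target" promises more than the feature guarantees. Access Requests only remove standing privilege when roles are configured so that nobody holds the elevated role permanently, and the reviewers who can approve requests are themselves a privileged target (the following sentence already concedes they may still hold some access). Suggest softening to something like "reducing the number of permanently privileged accounts an attacker can target" so the docs describe what the configuration delivers rather than an absolute.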
@ -20,11 +26,10 @@ available in Teleport Enterprise.
## Resource Access Requests
Resource Access Requests follow the principle of least privilege. On teams
leveraging Teleport, engineers can easily get access to only the individual
resources they need, when they need it.
With Resource Access Requests, engineers can easily get access to only the
individual resources they need, when they need it.
[Get started with Resource Access Requests](./resource-requests.mdx).
[Get started with Resource Access Requests](./access-requests/resource-requests.mdx).
## Role Access Requests
@ -32,9 +37,4 @@ Role Access Requests balance security and flexibility. Engineers can request
temporary credentials with elevated roles in order to perform critical
system-wide tasks.
[Get started with Role Access Requests](./role-requests.mdx).
## Integrating with an External Tool
(!docs/pages/includes/access-request-integrations.mdx!)
[Get started with Role Access Requests](./access-requests/role-requests.mdx).
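Review bot: removing the "## Integrating with an External Tool" section and its `access-request-integrations.mdx` include leaves this page with no link to the plugins at all, yet elsewhere in this same change other pages are repointed here for exactly that purpose (the Mattermost guide's "integrate with many other providers" and the SOC 2 page's "Use Plugins to send approvals to tools like Slack or Jira"). Either keep a short pointer here, e.g. one line linking to `./access-request-plugins/index.mdx`, or update those callers to link to the plugins index directly.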

@ -1,36 +1,40 @@
---
title: Access Controls Guides
description: Detailed guides for configuring Teleport Access Controls.
title: Configure Access
description: How to configure access to specific resources in your infrastructure or your Teleport cluster as a whole.
layout: tocless-doc
---
<ul>
<ScopedBlock scope={["cloud", "enterprise"]}>
<li>
[Dual Authorization](./guides/dual-authz.mdx). Protect access to critical resources with dual authorization.
</li>
</ScopedBlock>
<li>
[Role Templates](./guides/role-templates.mdx). Setup dynamic access policies with Role Templates.
</li>
<li>
[Impersonating Teleport Users](./guides/impersonation.mdx). Create certs for CI/CD using impersonation.
</li>
<li>
[Passwordless](./guides/passwordless.mdx). Use passwordless authentication (Preview).
</li>
<li>
[Second Factor - WebAuthn](./guides/webauthn.mdx). Add Two-Factor Authentication through WebAuthn.
</li>
<li>
[Per-session MFA](./guides/per-session-mfa.mdx). Per-session Multi-Factor Authentication.
</li>
<li>
[Locking](./guides/locking.mdx). Lock access to active user sessions or hosts.
</li>
<ScopedBlock scope={["cloud", "enterprise"]}>
<li>
[Moderated Sessions](./guides/moderated-sessions.mdx). Require session auditors and allow fine-grained live session access.
</li>
</ScopedBlock>
</ul>
Teleport gives you fine-grained control over who can access resources in your
infrastructure as well as how they can access those resources. Once you have
deployed a Teleport cluster, configure access controls to achieve the right
security policies for your organization.
<TileSet>
<Tile title="Dual Authorization" href="./guides/dual-authz.mdx" icon="lock">
Protect access to critical resources with dual authorization.
</Tile>
<Tile title="Role Templates" icon="lock" href="./guides/role-templates.mdx">
Set up dynamic access policies with role templates.
</Tile>
<Tile title="Impersonating Teleport Users" href="./guides/impersonation.mdx"
icon="lock">
Create certificates for other users with impersonation.
</Tile>
<Tile title="Passwordless" icon="lock" href="./guides/passwordless.mdx">
Use passwordless authentication (Preview).
</Tile>
<Tile href="./guides/webauthn.mdx" title="WebAuthn" icon="lock">
Add two-factor authentication through WebAuthn.
</Tile>
<Tile href="./guides/per-session-mfa.mdx" title="Per-Session MFA" icon="lock">
Per-session multi-mactor authentication.
</Tile>
<Tile href="./guides/locking.mdx" title="Locking" icon="lock">
Lock access to active user sessions or hosts.
</Tile>
<Tile href="./guides/moderated-sessions.mdx" title="Moderated Sessions"
icon="lock">
Require session auditors and allow fine-grained live session access.
</Tile>
</TileSet>
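Review bot: the rewrite drops the `<ScopedBlock scope={["cloud", "enterprise"]}>` wrappers the old list had around Dual Authorization and Moderated Sessions, so the Open Source edition of this page now advertises two Enterprise/Cloud-only features with no indication they are unavailable; restore the scoping for those two tiles or note the edition in their tile text. Also, "Per-session multi-mactor authentication" should read "multi-factor".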

@ -22,7 +22,7 @@ of two team members for a privileged role `dbadmin`.
</ScopedBlock>
<Admonition title="Note" type="tip">
The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../../enterprise/workflow/index.mdx).
The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests.mdx).
</Admonition>
## Prerequisites
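Review bot: the link text still says "integrate with many other providers", but the new target `../access-requests.mdx` is the Access Requests overview, which loses its integrations section in this same change; the provider list now lives in the plugins index, so this should be `./index.mdx` (the `/access-controls/access-request-plugins/` page), matching what the API introduction hunk does.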

@ -32,7 +32,7 @@ A lock can target the following objects or attributes:
- a Teleport Node by the Node's UUID (effectively unregistering it from the
cluster)
- a Windows desktop by the desktop's name
- an [Access Request](../../enterprise/workflow/index.mdx) by UUID
- an [Access Request](../access-requests.mdx) by UUID
## Prerequisites

@ -13,7 +13,7 @@ to programatically interact with the API. [tsh and tctl](../setup/reference/cli.
Here is what you can do with the Go Client:
- Integrating with external tools, which we have already done
for [several tools](../enterprise/workflow/index.mdx#integrating-with-an-external-tool),
for [several tools](../access-controls/access-request-plugins/index.mdx),
such as Slack, Jira, and Mattermost.
- Writing a program/bot to manage Access Requests automatically, based on your use case. One idea
is to allow/deny developer requests based on their currently assigned tasks.

@ -374,7 +374,7 @@ spec:
- [Access Control Reference](../access-controls/reference.mdx).
- [Teleport Predicate Language](../setup/reference/predicate-language.mdx).
- [Access Requests Guides](../enterprise/workflow/index.mdx)
- [Access Requests Guides](../access-controls/access-requests.mdx)
- [Architecture Overview](overview.mdx)
- [Teleport Auth](authentication.mdx)
- [Teleport Nodes](nodes.mdx)

@ -11,7 +11,7 @@ Some of the things you can do with Database Access:
- Users can retrieve short-lived database certificates using single sign-on
flow thus maintaining their organization-wide identity.
- Configure role-based access controls for databases and implement custom
[Access Request](../enterprise/workflow/index.mdx) workflows.
[Access Request](../access-controls/access-requests.mdx) workflows.
- Capture database access events as well as query activity in the audit log.
Database Access currently supports the following databases:

@ -15,7 +15,7 @@ The table below gives a quick overview of the benefits of Teleport Enterprise.
| Teleport Enterprise Feature | Description |
| - | - |
| [Single Sign-On (SSO)](#sso) | Allows Teleport to integrate with existing enterprise identity systems. Examples include Active Directory, GitHub, Google Apps and numerous identity middleware solutions like Auth0, Okta, and so on. Teleport supports SAML and OAuth/OpenID Connect protocols to interact with them. |
| [Access Requests](workflow/index.mdx) | User interface for teams to create and review requests to access infrastructure with escalated privileges. |
| [Access Requests](../access-controls/access-requests.mdx) | User interface for teams to create and review requests to access infrastructure with escalated privileges. |
| [FedRAMP/FIPS](#fedrampfips) | Access controls to meet the requirements in a FedRAMP System Security Plan (SSP). This includes a FIPS 140-2 friendly build of Teleport Enterprise as well as a variety of improvements to aid in complying with security controls even in FedRAMP High environments. |
| [Hardware Security Module support](./hsm.mdx)|The Teleport Auth Service can use your organization's HSM to generate TLS credentials, ensuring a highly reliable and secure public key infrastructure.|
| [Moderated Sessions](../access-controls/guides/moderated-sessions.mdx)|Allow or require moderators to be present in SSH or Kubernetes sessions.|
@ -82,7 +82,8 @@ See our [FedRAMP for SSH and Kubernetes](fedramp.mdx) guide for more information
With Teleport we've introduced the ability for users to request additional roles. The Access Request API makes it easy to dynamically approve or deny these requests.
See [Access Requests Guide for more information](workflow/index.mdx)
See [Access Requests Guide for more
information](../access-controls/access-requests.mdx)
## Hardware Security Module support

@ -59,10 +59,10 @@ Each principle has many “Points of Focus” which will apply differently to di
| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../setup/admin/adding-nodes.mdx) |
| CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. |
| CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically |
| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system&#39;s asset owner or authorized custodian. | [Request Approval from the command line](../setup/reference/cli.mdx#tctl-request-approve) | [Build Approval Workflows with Access Requests](./workflow/index.mdx) | [Use Plugins to send approvals to tools like Slack or Jira](./workflow/index.mdx) | | |
| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](./workflow/index.mdx) |
| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system&#39;s asset owner or authorized custodian. | [Request Approval from the command line](../setup/reference/cli.mdx#tctl-request-approve) | [Build Approval Workflows with Access Requests](../access-controls/access-requests.mdx) | [Use Plugins to send approvals to tools like Slack or Jira](../access-controls/access-requests.mdx) | | |
| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../access-controls/access-requests.mdx) |
| CC6.2 - Reviews Appropriateness of Access Credentials | The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the assets owner. | [Build Approval Workflows with Access Requests](./workflow/index.mdx) to get authorization from asset owners. |
| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the assets owner. | [Build Approval Workflows with Access Requests](../access-controls/access-requests.mdx) to get authorization from asset owners. |
| CC6.3 - Removes Access to Protected Information Assets | Processes are in place to remove access to protected information assets when an individual no longer requires access. | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to [revoke access with the Access requests API](../api/introduction.mdx) |
| CC6.3 - Uses Role-Based Access Controls | Role-based access control is utilized to support segregation of incompatible functions. | [Role based access control (&quot;RBAC&quot;) allows Teleport administrators to grant granular access permissions to users.](../access-controls/introduction.mdx) |
| CC6.3 - Reviews Access Roles and Rules | The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. |
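Review bot: in the CC6.2 "Controls Access Credentials to Protected Assets" row, "Use Plugins to send approvals to tools like Slack or Jira" now links to `../access-controls/access-requests.mdx`, which no longer lists the plugins after this change; point it at `../access-controls/access-request-plugins/index.mdx` instead. While that row is being edited, it also carries extra pipes (`| | |`) beyond the table's three columns, so the three links render as separate stray columns; joining them into the one "Teleport" cell would fix the layout.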

@ -1,11 +1,11 @@
Admins can review Just-in-time Access Requests via a third-party communication
service. The Access Request API makes it easy to dynamically approve or deny
these requests.
With Teleport's Access Request plugins, users can request,
approve, and deny access without leaving your organization's existing messaging
and project management solutions.
| Integration | Feature | Type | Setup Instructions |
| - | - | - | - |
| Slack | | Chatbot | [Setup Slack](/docs/enterprise/workflow/ssh-approval-slack.mdx) |
| Mattermost | | Chatbot | [Setup Mattermost](/docs/enterprise/workflow/ssh-approval-mattermost.mdx) |
| Jira Server | | Project Board | [Setup Jira Server](/docs/enterprise/workflow/ssh-approval-jira-server.mdx) |
| Jira Cloud | | Project Board | [Setup Jira Cloud](/docs/enterprise/workflow/ssh-approval-jira-cloud.mdx) |
| PagerDuty | | Schedule | [Setup PagerDuty](/docs/enterprise/workflow/ssh-approval-pagerduty.mdx) |
| Slack | | Chatbot | [Set up Slack](/docs/enterprise/workflow/ssh-approval-slack.mdx) |
| Mattermost | | Chatbot | [Set up Mattermost](/docs/enterprise/workflow/ssh-approval-mattermost.mdx) |
| Jira Server | | Project Board | [Set up Jira Server](/docs/enterprise/workflow/ssh-approval-jira-server.mdx) |
| Jira Cloud | | Project Board | [Set up Jira Cloud](/docs/enterprise/workflow/ssh-approval-jira-cloud.mdx) |
| PagerDuty | | Schedule | [Set up PagerDuty](/docs/enterprise/workflow/ssh-approval-pagerduty.mdx) |
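Review bot: the five setup links still point at `/docs/enterprise/workflow/ssh-approval-*.mdx`, but those files are moved to `docs/pages/access-controls/access-request-plugins/` in this change, so the include now links to source files that no longer exist; the redirects added to config.json cover rendered URLs, not `.mdx` source paths. Update them to `/docs/access-controls/access-request-plugins/ssh-approval-*.mdx`. The "Feature" column is empty in every row and could be dropped or filled while the table is being touched.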

@ -288,7 +288,7 @@ Two `user`s can grant elevated privileges to another `user` temporarily without
- [Per-session MFA](../../access-controls/guides/per-session-mfa.mdx)
- [Dual authorization](../../access-controls/guides/dual-authz.mdx)
- [Role templates, allow/deny rules, and traits](../../access-controls/guides/role-templates.mdx)
- [Access requests and plugins](../../enterprise/workflow/index.mdx)
- [Access Requests](../../access-controls/access-requests.mdx)
### Background reading
- [Authentication connectors](../reference/authentication.mdx)