self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-21 09:44:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/rfd/0007-rbac-oss.md
Andrew Lytvynov 9c01c4b84a
RFD 0: RFDs (#5228) 
Belated doc describing the RFD format and process.
As always, everything is up for discussion.

Also, updated prior RFDs to conform to the style.
2021-01-09 10:59:42 -08:00

155 lines
2.9 KiB
Markdown
Raw Blame History

---
authors: Alexander Klizhentas (sasha@goteleport.com)
state: draft
---
# RFD 2 - Open Source Roles
## What
Enable role based access control in open source.
## Why
Provide better user experience for open source users.
Unify user experience, testing and development for open source branches.
## Details
### New Open Source Features
The following features will become available starting 5.1 version.
**Role Based Access Control**
All RBAC features, except FedRamp feature flags.
**Access Workflow Plugins**
Some access workflows plugins will become available in the open source:
* Access Workflows Golang SDK and API
* Webhook
* Slack
* Gitlab
* Mattermost
* JIRA Plugin
* PagerDuty Plugin
### Enteprise Only Features
The following features will remain enterprise only.
**FedRamp**
* Max connections AC control (and all future AC controls):
```yaml
role:
options:
max_connections: 3
```
* Teleport fips mode flag
```bash
$ teleport start --fips
```
**Single Sign On**
OIDC and SAML connectors
**Extended access workflows**
New feature flags allowing waiting room and always requesting flow
will be enterprise only.
```yaml
role:
options:
# enterprise only values
request_access: 'note|always'
```
OSS users can request roles using `tsh login --request-roles` on demand.
User interface with approval requests, waiting room remains in enterprise.
### Migration Details
**Open Source Users**
Open source users will be assigned to a new `user` role. This role
is almost backwards compatible with builtin OSS role `admin`,
except it does not allow to modify resources. Otherwise all users
will become admins after migration:
```yaml
role:
name: user
spec:
options:
port_forwarding: true
max_session_ttl: 30h
forward_agent: true
enhanced_recording: ['command', 'network']
allow:
logins: ['{{internal.logins}}']
node_labels: '*': '*'
```
Another role, `admin` will be created.
```yaml
kind: role
metadata:
name: admin
spec:
allow:
logins: ['this-login-does-not-exist']
rules:
- resources: ['*']
verbs: ['*']
deny: {}
```
Migration tutorial will advice to promote designated local user
to admin:
```bash
$ tctl users update alice --set-roles=admin
```
**Github Connector**
Github in open source mode will support both `teams_to_logins`
and `teams_to_roles` modes.
**Adding users in tctl**
Both OSS (legacy) user add will be supported to preserve backwards
compatibility.
```
# Adding a user to Teleport with the principle joe, root & ec2-user
$ tctl users add joe joe,root,e2-user
# Becomes alias of
$ tctl users add joe --traits=internal.logins=joe,root,e2-user --roles=user
# Adding a user to Teleport as role Admin.
$ tctl users add --roles=admin joe
```
**Tsh status**
Tsh status loses `RBAC only` notice:
```
$ tsh status
...
* RBAC is only available in Teleport Enterprise
https://gravitational.com/teleport/docs/enterprise
```
Reference in a new issue View git blame Copy permalink