Incorrect RBAC processing in access tester #9441

Closed
gknw opened this issue Dec 16, 2021 · 2 comments
Labels
bug rbac Issues related to Role Based Access Control

Comments

@gknw
Contributor

gknw commented Dec 16, 2021

Description

What happened:

Looks like RBAC treats multiple node_labels in a role's allow block with logical AND (#8766), but the access controller treats them with logical OR.

Reproduction Steps

  1. Create first node with label 'cluster' : 'production' and 'service': 'example'
  2. Create second node with label 'cluster' : 'staging' and 'service': 'example'
  3. Create role with

         allow:
             logins: [admin]
             node_labels:
               'service': ['example']
               'cluster': ['production']

  4. Create user with role from step 3
  5. Login with user credential
  6. tsh ls will show only first node
  7. tctl access ls will show all nodes

Server Details

  • Teleport version: v8.0.1
  • Server OS (e.g. from /etc/os-release): Debian 11
  • Where are you running Teleport?: VDS

Client Details

  • Tsh version (tsh version): v8.0.1
  • Computer OS: Linux
  • Installed via: website download
@gknw gknw added the bug label Dec 16, 2021
@stevenGravy stevenGravy added the rbac Issues related to Role Based Access Control label Dec 16, 2021
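
The mismatch reported above, as an added example that is not Teleport's code or the reporter's: a Go program that evaluates the role's node_labels against the two nodes from the reproduction steps under both interpretations, so the AND result (what the report says tsh ls shows) can be compared with the OR result (what it says tctl access ls shows). The type and function names and the node names node-1 and node-2 are assumptions made for illustration.

```go
package main

import "fmt"

// Selector is a role's node_labels block: label key -> allowed values.
type Selector map[string][]string
// Node is a constructed stand-in for a registered node and its labels.
type Node struct {
	Name   string
	Labels map[string]string
}
// Role and nodes from the reproduction steps (node names are constructed).
var roleSelector = Selector{"service": {"example"}, "cluster": {"production"}}
var sampleNodes = []Node{
	{"node-1", map[string]string{"cluster": "production", "service": "example"}},
	{"node-2", map[string]string{"cluster": "staging", "service": "example"}},
}

// keyMatches reports whether the node carries key with one of the allowed values.
func keyMatches(n Node, key string, allowed []string) bool {
	for _, a := range allowed {
		if v, ok := n.Labels[key]; ok && a == v {
			return true
		}
	}
	return false
}

// visible lists the nodes a selector admits: requireAll=true is logical AND, false is logical OR.
func visible(sel Selector, nodes []Node, requireAll bool) []string {
	var out []string
	for _, n := range nodes {
		hits := 0
		for k, allowed := range sel {
			if keyMatches(n, k, allowed) {
				hits++
			}
		}
		if (requireAll && hits == len(sel)) || (!requireAll && hits > 0) {
			out = append(out, n.Name)
		}
	}
	return out
}

func main() {
	fmt.Println("AND:", visible(roleSelector, sampleNodes, true))
	fmt.Println("OR: ", visible(roleSelector, sampleNodes, false))
}
```

Any node that appears in the OR list but not in the AND list is one the tester would report as accessible even though the role does not grant it.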
@OliverKellyATech

Hi Team,

Bumping this one as we ran into it today and it caused quite a few problems when trying to understand how to correctly create new roles.

@zmb3
Collaborator

zmb3 commented Jul 5, 2022

Closing, as we've deprecated the roletester with Teleport 10.

@zmb3 zmb3 closed this as completed Jul 5, 2022