Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement ssh access decision method prototype #52542

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

implement ssh access decision method prototype #52542

wants to merge 2 commits into from
+1,938 −460

Conversation

fspmarshall
Copy link
Contributor

@fspmarshall fspmarshall commented Feb 27, 2025
edited
Loading

The PR implements a prototype of the EvaluateSSHAccess decision service RPC implementation. Almost everything here is either a placeholder, or a WIP subset of the intended final logic.

In addition to the core functionality of EvaluateSSHAccess, this PR also introduces supporting functionality around generation of fake identities for dry run queries with tctl. This allows the decision service to approximate what the parameters of a users certificate identity would likely be given only their username, and use that approximation in making its decisions.

The identity generation logic in this PR supersedes two previous design iterations that were proposed but never merged: #50559 and #50482. The logic here tries to strike a balance between the two previous strategies by preserving a mostly isolated set of types and codepaths for identity generation, but eliminating the need for an extra round-trip.

Part of ongoing work related to the PDP proposal (https://github.com/gravitational/teleport.e/pull/5736).

@fspmarshall fspmarshall force-pushed the fspmarshall/pdp-ssh-breakout-2 branch 6 times, most recently from 7006482 to 07b9a43 Compare February 28, 2025 15:42
@fspmarshall fspmarshall marked this pull request as ready for review February 28, 2025 16:01
@fspmarshall fspmarshall added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v16 backport/branch/v17 labels Feb 28, 2025
@github-actions github-actions bot added size/lg tctl tctl - Teleport admin tool labels Feb 28, 2025
@fspmarshall fspmarshall mentioned this pull request Feb 28, 2025
Open
23 tasks
rosstimothy
rosstimothy reviewed Feb 28, 2025
View reviewed changes
lib/services/access_checker_test.go
Comment on lines +27 to 29
decisionpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1"
headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

decisionpb, headerv1, workloadidentityv1pb 🫠

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah... not ideal, but until we coalesce on a standard I'm going to leave as-is. IMO more important than consistency across packages is consistency in the aliasing of any given package, to ensure that types of that package are easy to grep for.

@fspmarshall fspmarshall force-pushed the fspmarshall/pdp-ssh-breakout-2 branch 2 times, most recently from ce70bb6 to 2c1c6a8 Compare February 28, 2025 22:37
rosstimothy
rosstimothy approved these changes Mar 3, 2025
View reviewed changes
@fspmarshall fspmarshall force-pushed the fspmarshall/pdp-ssh-breakout-2 branch from 2c1c6a8 to ff401cf Compare March 4, 2025 16:28
@fspmarshall fspmarshall force-pushed the fspmarshall/pdp-ssh-breakout-2 branch from ff401cf to dd64674 Compare March 4, 2025 22:11
timothyb89
timothyb89 approved these changes Mar 5, 2025
View reviewed changes
tool/tctl/common/decision/evaluate_ssh_command.go
c.command.Flag("username", "The username to evaluate access for.").StringVar(&c.sshDetails.username)
c.command.Flag("login", "The os login to evaluate access for.").StringVar(&c.sshDetails.login)
c.command.Flag("server-id", "The host id of the target server.").StringVar(&c.sshDetails.serverID)
c.command.Flag("username", "The username to evaluate access for.").StringVar(&c.Username)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it make sense to make this required at the parser level, or is there some advantage to the empty check in Run()?

Suggested change
c.command.Flag("username", "The username to evaluate access for.").StringVar(&c.Username)
c.command.Flag("username", "The username to evaluate access for.").Required().StringVar(&c.Username)

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from rudream March 5, 2025 23:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timothyb89 timothyb89 timothyb89 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

@rudream rudream rudream approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/lg tctl tctl - Teleport admin tool
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fspmarshall @timothyb89 @rosstimothy @rudream