-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Predictable option combining #43
Comments
Write tests with new heuristics and types and review with @nklaassen to make sure it all makes sense.
|
|
I don't think that's the case actually. Consider two policies (predicate does not use roles): Policy A:
policy b:
If you only consider policy a, Alice would be allowed to get a cert with logins root for 1 hour. That is not the case today, because Alice will be only allowed to get a cert with root for 10 minutes, as limited by the option. Our goal today is to stick to backwards compatibility and use the safest default. In this case Regarding all your other questions, can you please present them with specific examples we use today. I'm not sure I understand all other questions well enough to answer them. |
It is possible to answer these questions with predicate in Z3 and without it in Golang it today, because all the parameters are known.
Do you have any specific policy examples that you are not clear about? If you write those down in RBAC we will show a scenario in predicate that matches this behavior. |
Please disregard my last comment, I was misunderstanding the cases when these options needed to be combined and thought this was a much more general problem if options may need to combine in different ways depending on the context. Essentially all my questions are answered by the fact that these options are can all basically be considered statically at the time user certificates are generated and most of these are baked into the certificate. |
Some answers to current questions:
That's not correct, unfortunately we currently choose the most permissive option here
same as agent forwarding
Currently its
It's a union, which is the least permissive, you're right
logical OR, unfortunately we currently choose the most permissive option here
basically its
one non-empty prompt is chosen arbitrarily
Currently its
union |
Thanks @nklaassen. I've updated the issue description with your answers + other observations/questions. These include:
The information in the table now contains:
|
In the end of this text there's a table containing all Teleport RBAC options:
As it can be seen in the 3rd column, there's no consistent rule applied when combining options belonging to different roles (e.g. both
and
andor
are used for booleans).Option combining should select the least permissive alternative, but that's not always the case (see e.g.
forward_agent
andport_forwarding
).Predictable combining rules
Ideally we should always apply the same rule (e.g. always
and
).However, this is not possible as options can be booleans, numbers, and strings (at least).
So maybe we can try to apply:
and
for booleansmin
for everything else1.
and
for booleansIf an option is a boolean, then
false
should represent the least permissive option.This ensures that when we
and
two of these, we get the least permissive alternative.For this, the option verb should be something permissive (e.g.
allow_*
).2.
min
for everything elseThis should work if the option values can be totally ordered.
This is already the case for numbers (used e.g. in
max_session_ttl
andmax_connections
).In this case, the smallest number should represent the least permissive option.
For strings, we have to totally order them in increasing permissiveness.
For example, for the
lock
option we have two possible values (strict
andbest_effort
).Here we can use
min
ifstrict < best_effort
.Least permissive by default
We want that options are combined in a way that the least permissive option is selected.
Does this mean that we should also have, by default, the least permissive option?
This doesn't happen today with:
port_forwarding
,ssh_file_copy
,desktop_clipboard
:true
false
disconnect_expired_cert
:false
true
lock
,recording_session.ssh
:best_effort
strict
enhanced_recording
:{command, network}
{command, network, disk}
Are these defaults not the least permissive option to make Teleport more usable?
With predicate, we could change these defaults, and maybe have a backwards-compatible migration if role-to-policy translation (#50) is aware of this.
Least permissive durations
For TTLs and timeouts, the least permissive default would be something like 1s.
So it seems that we would need sane defaults that are not too permissive but still allow the product to be usable at the same time.
Unrestricted defaults today
We have some options with unrestricted defaults:
client_idle_timeout
,max_sessions
,max_connections
andmax_kubernetes_connections
: the defaults seem to be0
, so no restriction is setShould this be changed?
Option naming
Prefixes
Should option names be prefixed by the protocol (e.g.
ssh
ordesktop
) they apply to for more clarity?Meaning
Should boolean option names mean permissive actions so that logical
and
always gives the least permissive?For example, today
record_session.desktop: true
is restrictive.So to combine this with
record_session.desktop: false
in a way that we get the least permissive option, we have to do a logicalor
.If we want to always do a logical
and
for boolean options, thentrue
should be the least permissive.For this, in the example above, the option name should instead be something like
desktop.allow_session_unrecorded
.The same applies to
pin_source_ip
which could instead be namedssh.allow_source_ip_unpinned
.Non-deterministic option combining
If cert extensions from different roles set different values for the same key, the value that is selected seems non-deterministic (see R23).
Should we just error in this case?
Also, from R23, it seems that these cert extensions could override the cert extensions set by Teleport itself.
Teleport RBAC options
max_session_ttl
min
30h
session_ttl
min
30h
client_idle_timeout
min
0
client_idle_timeout
min
0
means no restrictionmax_sessions
min
0
ssh.max_sessions_per_connection
min
0
means no restrictionmax_connections
min
0
ssh.max_connections
min
0
means no restrictionmax_kubernetes_connections
min
0
kubernetes.max_connections
min
0
means no restrictionlock
strict
orbest_effort
)min
wherestrict < best_effort
best_effort
locking_mode
min
wherestrict < best_effort
strict
record_session.ssh
min
wherestrict < best_effort
best_effort
ssh.session_recording_mode
min
wherestrict < best_effort
strict
cert_format
min
whereoldssh < standard
standard
ssh.cert_format
min
wherestandard < oldssh
standard
record_session.desktop
or
true
desktop.allow_session_unrecorded
and
false
forward_agent
or
false
ssh.allow_agent_forwarding
and
false
port_forwarding
or
true
ssh.allow_port_forwarding
and
false
permit_x11_forwarding
or
false
ssh.allow_x11_forwarding
and
false
ssh_file_copy
and
true
ssh.allow_file_copy
and
false
disconnect_expired_cert
or
false
ssh.allow_expired_cert
and
false
pin_source_ip
or
false
ssh.allow_source_ip_unpinned
and
false
create_host_user
and
(within only the for roles matching a Node)false
ssh.allow_host_user_creation
and
false
desktop_clipboard
and
true
desktop.allow_clipboard
and
false
desktop_directory_sharing
and
true
desktop.allow_directory_sharing
and
false
enhanced_recording
union
{command, network}
ssh.session_recording_bpf_events
union
{command, network, disk}
cert_extensions
union
+ non-determinism on key-clash{}
ssh.cert_extensions
union
+ error on key-clash{}
Teleport RBAC options (TODO)
require_session_mfa
no
,yes
,hardware_key
,hardware_key_touch
)request_access
optional
,always
orreason
)request_prompt
Undocumented options
Above we have two options from api/types/types.pb.go that are not documented:
desktop_directory_sharing
cert_format
Questions
max_session_ttl
: This does not apply only to a specific protocol (e.g.ssh
ordesktop
), right?client_idle_timeout
: This does not apply only to a specific protocol (e.g.ssh
ordesktop
), right?lock
: This does not apply only to a specific protocol (e.g.ssh
ordesktop
), right?cert_extensions
: What if cert extensions from different roles set different values for the same key? Which value is selected?require_session_mfa
: How can it be a logical "OR" if we have values likehardware_key
andhardware_key_touch
?The text was updated successfully, but these errors were encountered: