ReviewAccessRequest RPC does not respect Machine ID Role Impersonation #33028

strideynet · 2023-10-05T18:12:14Z

Expected behavior:

When interacting with the ReviewAccessRequest RPC and my identity is in a state of role impersonation, whether or not I am able to review a request should be based on the roles I have impersonated rather than the roles my user directly holds.

Current behavior:

The ReviewAccessRequest RPC fetches the users roles and evaluates based on those rather than the roles currently associared with the identity. This prevents Machine ID bot credentials from being able to review access requests as part of our plugins.

Suggested fix:

Following discussion, we will add support for evaluating role impersonation correctly. The code will ensure that the impersonated roles are a subset of the users impersonatable roles - this prevents recursive impersonation via access requests.

strideynet · 2023-10-12T12:32:17Z

Part of #29048

strideynet added the bug label Oct 5, 2023

strideynet self-assigned this Oct 5, 2023

strideynet added the machine-id label Oct 5, 2023

This was referenced Oct 12, 2023

Machine ID: Teleport Plugins on Kubernetes (Epic) #29048

Closed

Allow Bots to submit access request reviews #33375

Merged

strideynet closed this as completed in #33375 Oct 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ReviewAccessRequest RPC does not respect Machine ID Role Impersonation #33028

ReviewAccessRequest RPC does not respect Machine ID Role Impersonation #33028

strideynet commented Oct 5, 2023

strideynet commented Oct 12, 2023

ReviewAccessRequest RPC does not respect Machine ID Role Impersonation #33028

ReviewAccessRequest RPC does not respect Machine ID Role Impersonation #33028

Comments

strideynet commented Oct 5, 2023

strideynet commented Oct 12, 2023