Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hide login principal from web UI if no node will actually allow you to use it #3311

webvictim opened this issue Jan 28, 2020 · 1 comment


Copy link

@webvictim webvictim commented Jan 28, 2020

What happened: A customer set up a Teleport role for authenticating with Gitlab - this role gives the user permission to log in as git, but denies all labels - so Teleport will prohibit any interactive logins as the git user.

Unfortunately, the list of logins in the web UI is sorted alphabetically and the default username they use is lower alphabetically in the list than git, so now all the nodes in the web UI show a default username of git (which is not permitted to log in) rather than the actual username (which is permitted to log in)

What you expected to happen: We should evaluate RBAC permissions and if the node count where a given login/principal is allowed to log in equals zero, we shouldn't show the login at all in the web UI.

Alternatively, we could provide a way to de-prioritise the git username in the web UI and send it to the bottom of the list - similar to how we prioritise root to the top of the list when that username is present.

How to reproduce it (as minimally and precisely as possible): Create a role adding a principal but denying all labels, then observe that the user still appears in the web UI even though no node can make use of it.


  • Teleport version (use teleport version): Teleport Enterprise v4.2.0git:v4.2.0-0-g3090806 go1.13.2
  • Tsh version (use tsh version): Teleport v4.2.0 git:v4.2.0-0-g3090806 go1.13.2
  • OS (e.g. from /etc/os-release): Fedora 30

This comment has been minimized.

Copy link

@benarent benarent commented Jan 31, 2020

Thanks for an awesome report of the issue @webvictim

@alex-kovoy Do you know what we currently have in place for UI login logic? If not, I can create a proposal to address this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.