Windows user creation #24780
Conversation
@zmb3 @timothyb89 @gabrielcorado friendly ping
rdpc, err := rdpclient.New(rdpclient.Config{ | ||
Log: log, | ||
GenerateUserCert: func(ctx context.Context, username string, ttl time.Duration) (certDER, keyDER []byte, err error) { | ||
return s.generateUserCert(ctx, username, ttl, desktop) | ||
return s.generateUserCert(ctx, username, ttl, desktop, createUsers, groups) |
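Review bot: the `createUsers` and `groups` values passed into `generateUserCert` here are captured from the enclosing scope, so they are fixed when the client is built and are not derived from the `username` the callback receives. As the thread below notes, `authCtx.Checker.DesktopGroups(desktop)` unions `desktop_groups` across every role matching the desktop's labels regardless of login, so a user whose roles grant different group sets for different logins is created with the union. Either derive the group list from roles that also permit the requested login, or document the union semantics next to `create_desktop_user` so role authors do not assume per-login scoping.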
I could be mistaken, but my understanding is that a role that allows for creating users looks like

```yaml
kind: "role"
version: "v5"
metadata:
  name: "example"
spec:
  options:
    create_desktop_user: true
  allow:
    desktop_groups: [ "reader", "writer", "{{external.desktop_groups}}" ]
    windows_desktop_logins: ['DBAdmin']
    windows_desktop_labels:
      'env': ['staging', 'test']
```

and that such a role would only allow a user to create the `DBAdmin` user with the given `desktop_groups` on nodes with the labels `env: staging` or `env: test`. However, afaict, the certificate created here won't restrict the system to only creating the `DBAdmin` user in those groups -- for example, a user might have another role like

```yaml
kind: "role"
version: "v5"
metadata:
  name: "another-example"
spec:
  options:
    create_desktop_user: true
  allow:
    desktop_groups: [ "reader" ]
    windows_desktop_logins: ['SystemAdmin']
    windows_desktop_labels:
      'env': ['staging', 'test']
```

In that case, the user's intention would be to only allow `SystemAdmin` to be created and given the `reader` group on `env: staging/test` nodes, however `groups, err := authCtx.Checker.DesktopGroups(desktop)` would result in `groups = ["reader", "writer", "{{external.desktop_groups}}"]` and `createUsers` would be true. In which case, if the user were logging in as `SystemAdmin`, that user would be created and then added to all of `["reader", "writer", "{{external.desktop_groups}}"]`.
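The scenario in the comment above, modelled as an added example (not Teleport's code): a hypothetical `Role` struct carrying the two quoted roles, and a `DesktopGroups` function that either unions groups from every label-matching role regardless of login (the behaviour the thread describes) or, with `bindToLogin` set, only counts roles that also permit the requested login.

```go
package main

// Role is a hypothetical, simplified stand-in for the quoted role fragments, not Teleport's type.
type Role struct {
	CreateDesktopUser bool
	DesktopGroups     []string
	DesktopLogins     []string
	DesktopLabels     map[string][]string // label key -> allowed values
}

// ExampleRoles holds the two roles from the review comment (constructed input).
func ExampleRoles() []Role {
	env := map[string][]string{"env": {"staging", "test"}}
	return []Role{
		{true, []string{"reader", "writer", "{{external.desktop_groups}}"}, []string{"DBAdmin"}, env},
		{true, []string{"reader"}, []string{"SystemAdmin"}, env},
	}
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// DesktopGroups returns the set of desktop_groups granted on a desktop with the given labels.
// bindToLogin=false reproduces the behaviour described in the thread (login ignored);
// bindToLogin=true only counts roles that also permit the requested login.
func DesktopGroups(roles []Role, desktop map[string]string, login string, bindToLogin bool) map[string]bool {
	groups := map[string]bool{}
next:
	for _, r := range roles {
		if !r.CreateDesktopUser || (bindToLogin && !contains(r.DesktopLogins, login)) {
			continue
		}
		for key, allowed := range r.DesktopLabels {
			if !contains(allowed, desktop[key]) {
				continue next // desktop lacks a permitted value for this label
			}
		}
		for _, g := range r.DesktopGroups {
			groups[g] = true
		}
	}
	return groups
}
```

With these roles and a desktop labelled `env: staging`, the union for login `SystemAdmin` contains all three groups from both roles, while the login-bound variant yields only `reader`.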
Yes, this is how it would work. This behavior matches what we have in server access: login is not considered there when gathering groups, only node labels, `host_groups` and `create_host_user`.
Gotcha. I see that as an error prone API design and think we should reconsider making it "role-bound", but beyond the scope here.
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
…n' into probakowski/windows_user_creation
@@ -85,6 +85,7 @@ allow: | |||
deny: {} | |||
options: | |||
cert_format: "" | |||
create_desktop_user: null |
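Review bot: `create_desktop_user: null` in the rendered defaults makes a permission-granting option tri-state; the code path that decides whether to create a Windows user should treat anything other than an explicit `true` as disabled, and the role reference should state that an unset value means no user creation. If nullable booleans are the convention, an `omitempty` tag would at least keep the unset value out of this output.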
Can we add an `omitempty` so this doesn't happen? It's odd for a boolean to also be able to be null.
All our booleans are nullable so it follows the convention here
@probakowski See the table below for backport results.
* Windows auto user creation
* changes in role
* fix roles
* make grpc
* fix imports
* fix test
* fix test
* fix test
* fix test
* fix test
* windows labels
* rename OID, add json tags
* params to struct
* grpc
* Update lib/services/role.go (Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>)
* Update lib/services/access_checker.go (Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>)
* grpc
* bump e
* only add extension when we create user

Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
This change adds automatic user creation for non-AD Windows desktops. It also bumps the `e` reference.