Require admin MFA for get/list CAs with secrets #38529
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I wasn't able to retrieve CAs with secrets while testing this. ./build/tctl -d get cert_authority/host/local.dev --with-secrets
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "read" on "cert_authority"
Stack Trace:
github.com/gravitational/teleport/api@v0.0.0/client/client.go:4297 github.com/gravitational/teleport/api/client.(*Client).GetCertAuthority
github.com/gravitational/teleport/lib/auth/clt.go:242 github.com/gravitational/teleport/lib/auth.(*Client).GetCertAuthority
github.com/gravitational/teleport/tool/tctl/common/resource_command.go:1821 github.com/gravitational/teleport/tool/tctl/common.(*ResourceCommand).getCollection
github.com/gravitational/teleport/tool/tctl/common/resource_command.go:241 github.com/gravitational/teleport/tool/tctl/common.(*ResourceCommand).Get
github.com/gravitational/teleport/tool/tctl/common/resource_command.go:205 github.com/gravitational/teleport/tool/tctl/common.(*ResourceCommand).TryRun
github.com/gravitational/teleport/tool/tctl/common/tctl.go:245 github.com/gravitational/teleport/tool/tctl/common.TryRun
github.com/gravitational/teleport/tool/tctl/common/tctl.go:105 github.com/gravitational/teleport/tool/tctl/common.Run
github.com/gravitational/teleport/tool/tctl/main.go:29 main.main
runtime/proc.go:271 runtime.main
runtime/asm_arm64.s:1222 runtime.goexit
User Message: access denied to perform action "read" on "cert_authority" |
Joerger
force-pushed
the
joerger/require-admin-mfa-for-ca-secrets
branch
from
67e154b
to
3d9be98
Compare
smallinsky
reviewed
Feb 28, 2024
As discussed offline this is an expected RBAC denial given your roles |
smallinsky
approved these changes
Feb 28, 2024
rosstimothy
approved these changes
Feb 28, 2024
public-teleport-github-review-bot
bot
removed the request for review
from rudream
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changelog: When teleport is configured to require MFA for admin actions, MFA is required to get certificate authority secrets. Ex:
tctl auth export --keysortctl get cert_authority/host/root.example.com --with-secrets.Note: this also impact
tctl edit cert_authority. With this PR, MFA will be prompted before and after the edit. The first prompt is to retrieve the secret, and the second is to update.