Limiting users to view only their sessions

sasha · March 12, 2019, 5:42pm

Ported from github question https://github.com/gravitational/teleport/issues/2599

Excuse me if it is an existing issue.
I want UserA to be able to view only UserA’s sessions on WebUI.
Is it possible with Teleport Community Edition?

sasha · March 12, 2019, 5:43pm

Right now it’s not possible to limit users to view only their sessions in the web ui neither in OSS nor in Enterprise versions of teleport.

abe · March 12, 2019, 8:21pm

What if the users are within completely different Teleport roles?

sasha · March 13, 2019, 2:03am

For now we can only completely turn off the users ability to view sessions:

For example, auditor role with no ability to SSH, but only view sessions:

kind: role
version: v3
metadata:
  name: auditor
spec:
  # SSH options used for user sessions 
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates 
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow logins (bogus SSH principal is necessary to login into web UI
  allow:
    logins: ['this-login-does-not-exist']

    rules:
    - resources:
      - session
      verbs:
      - list
      - read

  # the deny section uses the identical format as the 'allow' section.
  # the deny rules always override allow rules.
  deny:
    node_labels:
      '*': '*'

Or here is the example role that does not allow session view but allows SSH logins:

kind: role
version: v3
metadata:
  name: user
spec:
  # SSH options used for user sessions 
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates 
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow logins
  allow:
    logins: ['bob']
    node_labels:
      '*': '*'
  # Deny viewing sessions
  deny:
    rules:
    - resources:
      - session
      verbs:
      - list
      - read

levkkuro · March 13, 2019, 3:10pm

Thank you for the information.
Just in case, Is Role function impossible with Teleport Community Edition?
Is my understanding correct?

# tctl get roles/admin > admin-role.yaml
# tctl create -f admin-role.yaml
error: creating resources of type "role" is not supported

belgiumitguy · March 13, 2019, 4:37pm

Yes by default we all get into the admin role definition.
No other role function with Community Edition.
You can still ask for a trial version with the sales team.

levkkuro · March 14, 2019, 1:42am

Thank you for answering!!

I want to know ENTERPRISE’s price.
Please kindly send me ENTERPRISE price list.

Please regard this topic closed.

belgiumitguy · March 14, 2019, 8:38am

Sorry @levkkuro,

I’m not working for gravitational, i’m just an user like you
All the information are available through gravitational website.

levkkuro · March 15, 2019, 12:33am

I’m sorry too!
I contact website.