tctl auth sign does not work when executed remotely via proxy #5352

Closed
webvictim opened this issue Jan 19, 2021 · 6 comments · Fixed by #6073
Labels: bug, c-ar (Internal Customer Reference), cloud, tctl (Teleport admin tool), ux

webvictim (Contributor) commented Jan 19, 2021

Description

What happened: When logging into a cluster and then using Enterprise tctl to connect to the auth server remotely via the proxy, it isn't possible to use tctl auth sign even if the user you're logged in as has the admin role.

```
$ tctl auth sign --format=tls --user=access-plugin-slack --out=auth --ttl=8760h
error: this request can be only executed by an admin
```

This makes installing Teleport plugins into Cloud instances impossible. It also makes automation use cases difficult to achieve.

What you expected to happen: If you're logged in as a user which has an admin role, you should be able to do everything you can do when running tctl locally on the auth server.

How to reproduce it (as minimally and precisely as possible): Log into a Teleport Cloud instance as an admin user using tsh, then use Enterprise tctl to try and sign a certificate remotely.

The issue seems to occur here:

```go
// this error is vague on purpose, it should not happen unless someone is trying something out of loop
return nil, trace.AccessDenied("this request can be only executed by an admin")
```

When executed remotely, it seems that tctl doesn't have the built-in admin role, whereas it does when running locally.

The built-in admin role is allowed to do anything:

```go
services.NewRule(services.Wildcard, services.RW()),
```

which is why this works in that scenario.

Environment

  • Teleport version (use teleport version): Teleport Enterprise v5.1.0 git:v5.1.0-0-g46679fb34 go1.15.5

  • tctl version: Teleport Enterprise v5.1.0 git:v5.1.0-0-g46679fb34 go1.15.5

  • Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): Teleport Cloud

@webvictim webvictim added bug ux tctl tctl - Teleport admin tool cloud Cloud labels Jan 19, 2021
klizhentas (Contributor):

Let's add impersonate section in the role for access controls:

```yaml
spec:
  allow:
    impersonate:
      users: ['*']
      roles: ['*']
  deny:
    impersonate:
      roles: ['admin']
```

@klizhentas klizhentas added this to the 6.0 "San Diego" milestone Jan 19, 2021
@russjones russjones modified the milestones: 6.0 "San Diego", 6.1 Jan 26, 2021
@russjones russjones modified the milestones: 6.1, Runway Milestone Feb 3, 2021
@travelton travelton added c-ar Internal Customer Reference C0 labels Mar 10, 2021
@klizhentas klizhentas self-assigned this Mar 11, 2021
benarent (Contributor):

+1, I was helping @Valien with this issue and we are unable to complete Database setup due to this.

```
$ tctl auth sign --format=db --host=db.example.com --out=server --ttl=8760h
ERROR: this request can only be executed by a database service or an admin
```

webvictim (Contributor, Author):

This shouldn't be in a patch release, it should be in a minor. Patch releases are only for hotfixes.

@webvictim webvictim modified the milestones: 6.0.3 "Ides of March", 6.1 Mar 11, 2021
klizhentas added a commit that referenced this issue Mar 18, 2021
Fixes #5352

```yaml
allow:
  impersonate:
    users: ['alice', 'bob']
    roles: ['*']
    where: 'contains(user.spec.traits["groups"], impersonate_role.traits)'
```

Adds token permission for editor role.
klizhentas added a commit that referenced this issue Mar 19, 2021
Fixes #5352

```yaml
allow:
  impersonate:
    users: ['alice', 'bob']
    roles: ['*']
    where: 'contains(user.spec.traits["groups"], impersonate_role.traits)'
```

Adds "impersonator" to all X.509 and SSH client certs
issued using impersonation and does best effort to track
requests by impersonators in audit events.

Limits certs TTL to the impersonator's cert TTL.
Prevents impersonating users to recursively impersonate
other users.
Allows impersonating users to renew their own certificate,
for example to set route to cluster.

Adds missing token permission for editor role.
klizhentas added a commit that referenced this issue Mar 19, 2021
Fixes #5352

```yaml
allow:
  impersonate:
    users: ['alice', 'bob']
    roles: ['*']
    where: 'contains(user.spec.traits["groups"], impersonate_role.traits)'
```

Adds "impersonator" to all X.509 and SSH client certs
issued using impersonation and does best effort to track
requests by impersonators in audit events.

Limits certs TTL to the impersonator's max session TTL.

Prevents impersonating users to recursively impersonate
other users.

Allows impersonating users to renew their own certificate,
for example to set route to cluster.

Adds missing token permission for editor role.
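As an added illustration (not Teleport's own code), the decision logic implied by the impersonate section proposed in klizhentas's comment and by the safeguards listed in the commit message above can be modelled as follows: deny rules are checked before allow rules (so `deny: roles: ['admin']` cannot be undone by a wildcard allow), an already-impersonated identity may not impersonate again, and the issued TTL is capped at the impersonator's max session TTL. The `Role`/`Impersonate` types and the `CheckImpersonate` function are hypothetical stand-ins, not Teleport's API.

```go
package main

import (
	"errors"
	"path"
	"time"
)

// Hypothetical role model (not Teleport's own types): just the fields needed here.
type Impersonate struct{ Users, Roles []string }
type Role struct {
	MaxSessionTTL                     time.Duration
	AllowImpersonate, DenyImpersonate Impersonate
}

// matchAny reports whether name matches any glob pattern ('*' matches all).
func matchAny(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, name); ok {
			return true
		}
	}
	return false
}

// CheckImpersonate decides whether a caller holding role may request certs for
// targetUser with targetRoles, and caps the TTL at the caller's max session TTL.
// Deny rules are evaluated before allow rules, so allow '*' cannot override deny 'admin'.
func CheckImpersonate(role Role, callerImpersonated bool, targetUser string,
	targetRoles []string, requested time.Duration) (time.Duration, error) {
	if callerImpersonated { // an impersonated identity may not impersonate again
		return 0, errors.New("impersonated identities may not impersonate further")
	}
	if matchAny(role.DenyImpersonate.Users, targetUser) {
		return 0, errors.New("access denied: user " + targetUser + " is denied")
	}
	for _, r := range targetRoles {
		if matchAny(role.DenyImpersonate.Roles, r) || !matchAny(role.AllowImpersonate.Roles, r) {
			return 0, errors.New("access denied: role " + r + " is not permitted")
		}
	}
	if !matchAny(role.AllowImpersonate.Users, targetUser) {
		return 0, errors.New("access denied: user " + targetUser + " is not permitted")
	}
	if requested > role.MaxSessionTTL { // never exceed the impersonator's own TTL
		requested = role.MaxSessionTTL
	}
	return requested, nil
}
```

With a role that allows `users: ['*']`, `roles: ['*']` and denies `roles: ['admin']`, a request for the `access-plugin-slack` user with an 8760h TTL succeeds but is cut down to the impersonator's max session TTL, while any request that includes the `admin` role is refused.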
benarent (Contributor):

I've tried this today with a Teleport Cloud instance 6.1.5 and tctl ~ Teleport v6.2.0-beta.1, and I've tried a few things, but I'm unable to use tctl auth sign.

```
➜  ~ tctl auth sign --format=db --host=db.example.com --out=server --ttl=8760h
ERROR: this request can only be executed by a database service or an admin
```

@webvictim webvictim reopened this May 19, 2021
webvictim (Contributor, Author):

Reopening for tracking until this is resolved.

benarent (Contributor):

@r0mant Create a new ticket for this #6937, I'll close this one for now.
