
tctl users update --set-roles should error out for SSO users #34790

Open

Description

Expected behavior:
tsh user update --set-roles should error out for SSO users as their roles are set via the auth_connector mapping and the user update will not functionally impact the user.

Current behavior:
The user's roles appear to update from a tctl users ls, but the update is overwritten on subsequent logins and does not affect the current session. This creates a situation where users believe they have updated their role mappings when in effect they have not.

Bug details:

  • Teleport version
    $ tsh version
    Teleport v14.1.3 git:v14.1.3-0-g748fa4e go1.21.4
    Proxy version: 14.1.1
paulschisa:~$ tsh status
> Profile URL:        https://test-cluster1.plainsofconquest.com:443
  Logged in as:       pschisa
  Cluster:            ip-172-31-36-239-ec2-internal
  Roles:              admin
  Logins:             pschisa, root, test-log, nessus, ec2-user, roboman, autogen, helloiamnew
  Kubernetes:         enabled
  Kubernetes users:   *
  Kubernetes groups:  system:masters
  Valid until:        2023-11-20 23:57:55 -0500 EST [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Access lists that need to be reviewed:
	dad0eeb2-2775-422e-8b26-6c7c65f64021 (-71h58m17s left to review)

A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tctl users ls | grep pschisa
pschisa                       admin
A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tctl users update pschisa --set-roles=read-only
User pschisa has been updated:
	New roles: read-only
A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tctl users ls | grep pschisa
pschisa                       read-only
A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tsh ls
Node Name                  Address            Labels
-------------------------- ------------------ --------------------------------------------------------------------------------------------------------------------------------------------------
iamtheappman               ⟵ Tunnel           arch=unknown,env=staging,hostname=Test-Cluster-Node2-US-East-Grafana,region=east1,version=v14.0.3,aws/Name=grafana-debian10,aws/tag-test2=imthetag
test-cluster-node1-us-east 172.31.36.239:3022 region=east1,version=v14.1.1

paulschisa:~$ #still the same node permissions from admin role
zsh: command not found: #still
paulschisa:~$ logintc1
> Profile URL:        https://test-cluster1.plainsofconquest.com:443
  Logged in as:       pschisa
  Cluster:            ip-172-31-36-239-ec2-internal
  Roles:              admin
  Logins:             pschisa, root, test-log, nessus, ec2-user, roboman, autogen, helloiamnew
  Kubernetes:         enabled
  Kubernetes users:   *
  Kubernetes groups:  system:masters
  Valid until:        2023-11-20 23:57:55 -0500 EST [valid for 11h59m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Access lists that need to be reviewed:
	dad0eeb2-2775-422e-8b26-6c7c65f64021 (-71h59m18s left to review)

paulschisa:~$ tctl users ls | grep pschisa
pschisa                       read-only
A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tsh logout
Logged out all users from all proxies.
paulschisa:~$ logintc1
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:50720/3a463624-2d08-4333-92e0-3de06491cb02
> Profile URL:        https://test-cluster1.plainsofconquest.com:443
  Logged in as:       pschisa
  Cluster:            ip-172-31-36-239-ec2-internal
  Roles:              admin
  Logins:             pschisa, root, test-log, nessus, ec2-user, roboman, autogen, helloiamnew
  Kubernetes:         enabled
  Kubernetes users:   *
  Kubernetes groups:  system:masters
  Valid until:        2023-11-20 23:59:38 -0500 EST [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Access lists that need to be reviewed:
	dad0eeb2-2775-422e-8b26-6c7c65f64021 (-71h59m40s left to review)

Did you know? Teleport Connect offers the power of tsh in a desktop app.
Learn more at https://goteleport.com/docs/connect-your-client/teleport-connect/

A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.

paulschisa:~$ tctl users ls | grep pschisa
pschisa                       admin
A security patch is available for Teleport. Please upgrade your Cluster to v14.1.3 or newer.
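An added example, not code from the issue or from the Teleport code base, that models the mismatch described above: a preflight check that refuses --set-roles for connector-provisioned users, next to a re-login simulation showing why the stored roles do not stick. The user-resource field names (in particular the spec.created_by.connector marker) are an assumption about Teleport's user spec; the sample users, the "okta" connector and its attributes_to_roles mapping are constructed.

```python
import json

# Constructed samples in the shape of a Teleport user resource as printed by
# `tctl get users/<name>` (assumption: field names follow Teleport's user spec;
# names and values are made up for this example).
SSO_USER = json.loads('''{
  "kind": "user", "version": "v2",
  "metadata": {"name": "pschisa"},
  "spec": {"roles": ["read-only"],
           "created_by": {"connector": {"type": "saml", "id": "okta"},
                          "user": {"name": "system"}}}
}''')
LOCAL_USER = json.loads('''{
  "kind": "user", "version": "v2",
  "metadata": {"name": "alice"},
  "spec": {"roles": ["read-only"],
           "created_by": {"user": {"name": "admin"}}}
}''')

# Constructed attributes_to_roles mapping of the made-up "okta" SAML connector.
CONNECTOR_MAPPING = [
    {"name": "groups", "value": "teleport-admins", "roles": ["admin"]},
    {"name": "groups", "value": "teleport-ro", "roles": ["read-only"]},
]

def sso_connector(user):
    """(type, id) of the connector that provisioned the user, or None for a local user."""
    connector = user.get("spec", {}).get("created_by", {}).get("connector")
    return (connector["type"], connector["id"]) if connector else None

def roles_from_mapping(mapping, attributes):
    """Roles the connector assigns at login from the IdP assertion; stored roles are ignored."""
    roles = []
    for rule in mapping:
        if rule["value"] in attributes.get(rule["name"], []):
            roles.extend(r for r in rule["roles"] if r not in roles)
    return roles

def check_set_roles(user, new_roles):
    """Preflight for `tctl users update --set-roles`: returns (ok, message)."""
    name = user["metadata"]["name"]
    connector = sso_connector(user)
    if connector:
        ctype, cid = connector
        return False, (f"{name} is provisioned by {ctype} connector {cid!r}; roles are "
                       f"recomputed from its mapping on every login, so "
                       f"--set-roles={','.join(new_roles)} would be overwritten")
    return True, f"{name} is a local user; roles {new_roles} will persist"

def simulate_relogin(user, mapping, attributes):
    """Roles the user actually holds after the next login: mapping wins for SSO users."""
    return roles_from_mapping(mapping, attributes) if sso_connector(user) else user["spec"]["roles"]
```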
Labels: bug, c-fl (Internal Customer Reference), good-starter-issue, tctl, ux