Allow including access lists in other access lists #38738
Conversation
lxea
force-pushed
the
lxea/recursive-accesslists
branch
2 times, most recently
from
fa58f2a
to
7e449e3
Compare
lxea
force-pushed
the
lxea/recursive-accesslists
branch
5 times, most recently
from
c9bda8d
to
91b8d4e
Compare
lxea
force-pushed
the
lxea/recursive-accesslists
branch
from
91b8d4e
to
95d5adb
Compare
|
Is there an RFD or other design document for this feature somewhere? My gut reaction to the idea of access list recursion (or cross-dependency of any kind) is that it seems risky and hard to reason about. In general, I'm of the opinion that composition of access-control primitives should have a well-defined acyclic hierarchy wherever possible. One of the key design goals of a good access-control system should be to mitigate/prevent human error, both on the part of the programmer and the end user. Keeping the compositional structure as simple as possible to trace, reason about, and model is an important part of that. |
There isn't an RFD but I'm happy to write one up. Keeping the hierarchy acyclic seems like it would be ideal, however I'm not sure if the services being integrated with (Azure Entra groups @justinas) support cycles in their group hierarchies |
Entra (sadly) seems to support cycles. Generally we'd like to represent the imported data as faithfully as possible. Maybe we could assume that cycles are uncommon in real-life scenarios and refuse to process such data, but that decision would not be up to me I think 🙂 /cc @jakule |
Maybe having it require --force flag in the terminal/a warning in the ui, if the data being imported or acl being modified introduces a cycle would be useful? or maybe that would just be unnecessary overhead |
There was a problem hiding this comment.
@lxea @justinas @fspmarshall @jakule We do need to support nested access lists (both EntraID and Github can have nested groups/teams) but I agree that cycles ("A" is member of "B", "B" is a member of "C", "C" is a member of "A") add too much complexity in the system so let's prevent them and see if anyone complains. I can't come up with a reasonable real-world scenario where such group membership could be useful.
Let's also not call them "recursive". Let's call them "nested".
lxea
force-pushed
the
lxea/recursive-accesslists
branch
from
95d5adb
to
b4271ad
Compare
lxea
force-pushed
the
lxea/recursive-accesslists
branch
3 times, most recently
from
46692ee
to
e62c03c
Compare
|
@lxea Is this implementation ready for re-review now that the RFD is approved, have you applied all changes discussed in the RFD? |
lxea
force-pushed
the
lxea/recursive-accesslists
branch
from
e62c03c
to
1d50e98
Compare
This comment was marked as outdated.
This comment was marked as outdated.
kiosion
force-pushed
the
lxea/recursive-accesslists
branch
from
2750b21
to
cb04fa3
Compare
|
🤖 Vercel preview here: https://docs-awm8nb9xb-goteleport.vercel.app/docs/ver/preview |
kiosion
force-pushed
the
lxea/recursive-accesslists
branch
2 times, most recently
from
7ae81a9
to
69f66f6
Compare
kiosion
force-pushed
the
lxea/recursive-accesslists
branch
from
69f66f6
to
79a725f
Compare
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
- Recursively check for accesslist membership - Allow adding/removing/listing included access lists in acl commands - Add a recursive test - Use dynamic access lists structure from RFD - Resolve proto changes - Exclude 'list' members from Access List memberCount - Calc Access List member count with members of type 'list' excluded, return seperately to front end - Update examples/integrations - Update crd docs - Update tf docs - Perform calculation of inherited roles/traits to AccessList service in order to utilize cache and minimize number of requests. - Grant Okta integration RO for Access Lists - Update AccessListMember-* events - Include count for inherited grants - Include MembershipKind of affected member(s) - Emit inherited grants / members' MembershipKind for AccessListMember-* events - Update notified owners for Access Requests - Ensure dynamic owners are notified for Access Requests - Ensure dynamic owners are notified via Slack integration - Optionally pass an AbortSignal to `fetchAccessLists` in Web UI - Replace usages of `services.IsAccessListOwner/IsAccessListMember` with equivelant funcs from `Hierarchy` - Remove final references to AccessListMembershipChecker - Don't allow ACL deletion when member/owner in other lists - Guard Access List deletion behind membership/ownership checks for List - Expose Hierarchy func to recursively get all members - Tidy UserLoginStateGenerator logic involving ACL Membership/Ownership
kiosion
force-pushed
the
lxea/recursive-accesslists
branch
from
79a725f
to
1b665aa
Compare
Allows recursive inclusion of Access Lists in other Access Lists.
For example, with the hierarchy below,
user Awould inherit traits and roles fromacl C,acl B, andacl A, whileuser Bwould traits and roles fromacl Candacl B:flowchart TD A[acl A] --has member-->B(user A) C[acl B] --has member-->A C --has member--> D(user B) E[acl C] --has member-->Cchangelog: Allow nested inclusion of Access Lists as Members and Owners in other Access Lists
RFD: https://github.com/gravitational/teleport/blob/master/rfd/0170-nested-accesslists.md
E: https://github.com/gravitational/teleport.e/pull/4549
Depends on #47828.