Limiting users to view only their sessions


#1

Ported from github question https://github.com/gravitational/teleport/issues/2599

Excuse me if it is an existing issue.
I want UserA to be able to view only UserA’s sessions on WebUI.
Is it possible with Teleport Community Edition?


#2

Right now it's not possible to limit users to view only their sessions in the web UI, neither in the OSS nor in the Enterprise version of Teleport.


#3

What if the users are within completely different Teleport roles?


#4

For now, we can only completely turn off a user's ability to view sessions:

For example, an auditor role with no ability to SSH, only to view sessions:

kind: role
version: v3
metadata:
  name: auditor
spec:
  # SSH options used for user sessions 
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates 
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow logins (a bogus SSH principal is necessary to log in to the web UI)
  allow:
    logins: ['this-login-does-not-exist']

    # allow listing and reading recorded sessions
    rules:
    - resources:
      - session
      verbs:
      - list
      - read

  # the deny section uses the identical format as the 'allow' section.
  # the deny rules always override allow rules.
  # denying every node label means this role can never SSH anywhere.
  deny:
    node_labels:
      '*': '*'

Or here is an example role that does not allow viewing sessions but allows SSH logins:

kind: role
version: v3
metadata:
  name: user
spec:
  # SSH options used for user sessions 
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates 
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow login as 'bob' on every node (the '*': '*' label selector matches all nodes)
  allow:
    logins: ['bob']
    node_labels:
      '*': '*'
  # Deny viewing sessions
  deny:
    rules:
    - resources:
      - session
      verbs:
      - list
      - read

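To make the allow/deny semantics of these two roles concrete, here is a small Python model written for this page (it is not Teleport's own authorization code). It hard-codes the two roles above as dicts, assumes simplified label matching ({'*': '*'} matches every node, otherwise each selector key must be present on the node with a matching value), and assumes that when a user holds several roles any role's deny is checked before any role's allow; the node labels are constructed sample data. Note that a rule is only a resource plus a verb, so there is nowhere to express "only sessions owned by the requesting user", which is why the per-user restriction asked for in #1 cannot be built from these roles.

```python
"""Toy evaluator for the two Teleport v3 roles posted above.

Added example: models the stated semantics (deny always overrides allow)
with simplified label matching and multi-role combination that are
assumptions of this example, not a description of Teleport's code.
"""
from fnmatch import fnmatch

# Constructed role definitions mirroring the two YAML roles in the thread.
AUDITOR = {
    "allow": {
        "logins": ["this-login-does-not-exist"],
        "rules": [{"resources": ["session"], "verbs": ["list", "read"]}],
    },
    "deny": {"node_labels": {"*": "*"}},
}

USER = {
    "allow": {"logins": ["bob"], "node_labels": {"*": "*"}},
    "deny": {"rules": [{"resources": ["session"], "verbs": ["list", "read"]}]},
}


def _rule_matches(rules, resource, verb):
    """True if any rule covers the resource/verb pair ('*' acts as a wildcard)."""
    return any(
        any(fnmatch(resource, r) for r in rule.get("resources", []))
        and any(fnmatch(verb, v) for v in rule.get("verbs", []))
        for rule in rules
    )


def _labels_match(selector, node_labels):
    """Simplified label matching (assumption): an empty selector matches
    nothing, {'*': '*'} matches every node, otherwise every selector key
    must be present on the node with a value equal to the selector value
    (a list of values or '*' is also accepted)."""
    if not selector:
        return False
    if selector.get("*") == "*":
        return True
    for key, wanted in selector.items():
        if key not in node_labels:
            return False
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if "*" not in allowed and node_labels[key] not in allowed:
            return False
    return True


def can_access_resource(roles, resource, verb):
    """Resource-level check across a user's roles: any deny wins, then any allow."""
    if any(_rule_matches(r.get("deny", {}).get("rules", []), resource, verb) for r in roles):
        return False
    return any(_rule_matches(r.get("allow", {}).get("rules", []), resource, verb) for r in roles)


def can_ssh(roles, login, node_labels):
    """Node-level check: a deny on the login or on matching labels in any role wins;
    otherwise some single role must allow both the login and the node's labels."""
    for role in roles:
        deny = role.get("deny", {})
        if login in deny.get("logins", []) or _labels_match(deny.get("node_labels", {}), node_labels):
            return False
    return any(
        login in r.get("allow", {}).get("logins", [])
        and _labels_match(r.get("allow", {}).get("node_labels", {}), node_labels)
        for r in roles
    )


def demo():
    """Evaluate the two roles, alone and combined, against a constructed node."""
    node = {"env": "prod"}  # constructed sample node labels
    return {
        "auditor lists sessions": can_access_resource([AUDITOR], "session", "list"),
        "auditor ssh to prod": can_ssh([AUDITOR], "this-login-does-not-exist", node),
        "user lists sessions": can_access_resource([USER], "session", "list"),
        "user ssh as bob to prod": can_ssh([USER], "bob", node),
        "user ssh as alice to prod": can_ssh([USER], "alice", node),
        # Holding both roles: each role's deny blocks the other role's allow.
        "both list sessions": can_access_resource([AUDITOR, USER], "session", "list"),
        "both ssh as bob to prod": can_ssh([AUDITOR, USER], "bob", node),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

The last two entries of demo() are the practical caveat: giving one account both roles does not produce "SSH plus own sessions"; under deny-overrides-allow it produces neither, so the two roles must go to different accounts.
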
#5

Thank you for the information.
Just in case, is the role function impossible with Teleport Community Edition?
Is my understanding correct?

# tctl get roles/admin > admin-role.yaml
# tctl create -f admin-role.yaml
error: creating resources of type "role" is not supported

#6

Yes, by default we all get the admin role definition.
There is no other role function in Community Edition.
You can still ask the sales team for a trial version.


#8

Thank you for answering!!

I want to know the ENTERPRISE price.
Please kindly send me the ENTERPRISE price list.

Please regard this topic closed.


#9

Sorry @levkkuro,

I'm not working for Gravitational, I'm just a user like you :slight_smile:
All the information is available on the Gravitational website.


#10

I'm sorry too!
I will contact them through the website.