RFD 201: Native Auto Approval #51979
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bernardjkim
force-pushed
the
rfd/0201-native-auto-approval
branch
from
bad0770 to
222d9bb
Compare
bernardjkim
added
the
no-changelog
fheinecke
reviewed
Feb 7, 2025
| enforce the same gated access, but it would reduce a lot of friction if access | ||
| requests can be automatically approved in the dev environment. | ||
|
|
||
| ## Goals |
There was a problem hiding this comment.
This sounds great! Couple of questions:
- When will Terraform support for the changes be added? This is how we deploy all internal Teleport resources currently, and will be needed to adopt this internally.
- I see "user" used throughout this document. Will this support tbot roles/service users, or just "real" users? For our internal use case, the requests will come from a tbot service user.
There was a problem hiding this comment.
- The Teleport Terraform provider already supports access monitoring rules, but the tf resource schema will need to be updated with the new
automatic_approvalfield. I'll add a note about Terraform support, and add an additional step in the Implementation Plan section. - I'm not too familiar with the capabilities of a bot user, but I would assume they would have the ability to make an access request just like a regular user, assuming that they have the correct role permissions. I'll investigate a bit more on this topic and add a section.
zmb3
reviewed
Feb 8, 2025
| but a big part of this feature request is to provide a frictionless user | ||
| experience. For example, access lists can be used to achieve similar behavior, | ||
| but a limitation with access lists is that the user must logout and login again | ||
| to renew their certificates to obtain the new roles. |
There was a problem hiding this comment.
This limitation applies to access requests too, doesn't it?
| 3. Automatic approvals can be configured to approve access to select resources. | ||
| For example, the requesting user is pre-approved to access all resources in the | ||
| `dev` environment. | ||
| 4. Automatic approvals can be configured using Access Monitoring Rules. |
There was a problem hiding this comment.
Is this a goal or an implementation detail?
| Note: Access monitoring rules do not currently support access requests by | ||
| resources, in any capacity. It will require more than just extending the access | ||
| monitoring rule predicate language to support this use case. Goal [3] will be | ||
| left out of scope for this RFD. It probably deserves it's own separate RFD. As a |
There was a problem hiding this comment.
Suggested change
| left out of scope for this RFD. It probably deserves it's own separate RFD. As a | |
| left out of scope for this RFD. It probably deserves its own separate RFD. As a |
| left out of scope for this RFD. It probably deserves it's own separate RFD. As a | ||
| workaround to support this use case, auto approval rules can be configured to | ||
| approve a role that only has the permission to access resources in a specific | ||
| environment. |
There was a problem hiding this comment.
Can we be more specific here? Teleport doesn't have any concept of "environments" - we have labels though. I assume you mean some sort of label selector here?
Comment on lines
+68
to
+69
| This feature will be supported by a new `access-native` plugin. This native | ||
| plugin will implement the same interface as already existing access plugins. |
There was a problem hiding this comment.
It's a bit odd for the RFD to start with "users don't want to manage auto approval via a plugin" and have the proposed solution be yet another plugin.
If it's another plugin, why are we calling it "native" auto approval? To me, native suggests built-in and available by default.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Supports #51682
This RFD describes native auto approval implementation. Rendered