-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix active session filtering for legacy sessions #47448
Conversation
This code never worked correctly, but mostly went unnoticed because it is only triggered when using legacy roles prior to RoleV5. Prior to moderated sessions, RBAC for viewing active sessions was based on whether or not you could join a session as the OS login that is being used, along with a pseudo-resource of kind "ssh_session". With moderated sessions we introduced more flexible RBAC semantics that allow you to join sessions in different modes (peer, observer, moderator), even if you don't actually have permission to start sessions. In #11223 we decided that we need to support both types of RBAC checks (legacy checks against the "ssh_session" resource, and newer checks against the session_tracker and join_sessions policies). The code that was doing the legacy checks was flawed for two reasons: 1. It used (types.SessionTracker).GetKind() (which will always be "session_tracker") instead of (types.SessionTracker).GetSessionKind(). 2. When checking whether the session was SSH, it was checking for the legacy "ssh_session" value, instead of the "ssh" value that session trackers actually use.
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
This code never worked correctly, but mostly went unnoticed because it is only triggered when using legacy roles prior to RoleV5. Prior to moderated sessions, RBAC for viewing active sessions was based on whether or not you could join a session as the OS login that is being used, along with a pseudo-resource of kind "ssh_session". With moderated sessions we introduced more flexible RBAC semantics that allow you to join sessions in different modes (peer, observer, moderator), even if you don't actually have permission to start sessions. In #11223 we decided that we need to support both types of RBAC checks (legacy checks against the "ssh_session" resource, and newer checks against the session_tracker and join_sessions policies). The code that was doing the legacy checks was flawed for two reasons: 1. It used (types.SessionTracker).GetKind() (which will always be "session_tracker") instead of (types.SessionTracker).GetSessionKind(). 2. When checking whether the session was SSH, it was checking for the legacy "ssh_session" value, instead of the "ssh" value that session trackers actually use.
This code never worked correctly, but mostly went unnoticed because it is only triggered when using legacy roles prior to RoleV5.
Prior to moderated sessions, RBAC for viewing active sessions was based on whether or not you could join a session as the OS login that is being used, along with a pseudo-resource of kind "ssh_session".
With moderated sessions we introduced more flexible RBAC semantics that allow you to join sessions in different modes (peer, observer, moderator), even if you don't actually have permission to start sessions.
In #11223 we decided that we need to support both types of RBAC checks (legacy checks against the "ssh_session" resource, and newer checks against the session_tracker and join_sessions policies). The code that was doing the legacy checks was flawed for two reasons:
Changelog: fixed a bug that could allow users to list active sessions even when prohibited by RBAC.