[v10] Add missing role options to docs (#14324)
Backport of #14101
zmb3 authored Jul 11, 2022
1 parent 5b6676e commit b683866
Showing 3 changed files with 26 additions and 5 deletions.
16 changes: 14 additions & 2 deletions docs/pages/access-controls/reference.mdx
Expand Up @@ -91,7 +91,7 @@ logins:

### Role options

As shown above, a role can define certain restrictions on SSH sessions initiated by users.
As shown above, a role can define certain restrictions on sessions initiated by users.
The table below documents the behavior of each option if multiple roles are assigned to a user.

| Option | Description | Multi-role behavior |
Expand All @@ -101,8 +101,20 @@ The table below documents the behavior of each option if multiple roles are assi
| `port_forwarding` | Allow TCP port forwarding | Logical "OR" i.e. if any role allows port forwarding, it's allowed |
| `client_idle_timeout` | Forcefully terminate active SSH sessions after an idle interval | The shortest timeout value wins, i.e. the most restrictive value is selected |
| `disconnect_expired_cert` | Forcefully terminate active SSH sessions when a client certificate expires | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
| `max_connections` | Limit on how many active SSH sessions can be started via Teleport | |
| `max_sessions` | Total number of session channels which can be established across a single SSH connection via Teleport | |
| `enhanced_recording` | Indicates which events should be recorded by the BFP-based session recorder | |
| `permit_x11_forwarding` | Allow users to enable X11 forwarding with OpenSSH clients and servers | |
| `require_session_mfa` | Require additional MFA tap before initiating a session | Logical "OR" i.e. evaluates to "yes" if at least one role requires session MFA |
| `lock` | Locking mode (`strict` or `best_effort`) | `strict` wins in case of conflict |
| `request_access` | Enterprise-only access request strategy (`optional`, `always` or `reason`) | |
| `request_prompt` | Prompt for the access request "reason" field | |
| `max_connections` | Enterprise-only limit on how many concurrent sessions can be started via Teleport | |
| `max_kubernetes_connections` | Defines the maximum number of concurrent Kubernetes sessions per user | |
| `record_session` | Configures session recording behavior | |
| `desktop_clipboard` | Allow clipboard sharing for desktop sessions | Logical "AND" i.e. evaluates to "yes" if all roles enable clipboard sharing |
| `pin_source_ip` | Enable source IP pinning for SSH certificates | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
| `cert_extensions` | Specifies extensions to be included in SSH certificates | |
| `create_host_user` | Allow users to be automatically created on a host | |

## Preset roles

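Review bot: the new `pin_source_ip` row carries a copy-paste error in its multi-role column: it reads "evaluates to "yes" if at least one role requires session termination", which is the text of the `disconnect_expired_cert` row; it should say "if at least one role requires source IP pinning". The hunk also introduces a second `max_connections` row ("Enterprise-only limit on how many concurrent sessions...") while the existing `max_connections` row ("Limit on how many active SSH sessions...") a few lines above is kept, so the table now documents the same option twice with differing descriptions; merge them into one row. Two smaller points: `enhanced_recording` says "BFP-based" where the role-spec comment in this same commit says "BPF-based", and the intro sentence drops "SSH" ("restrictions on sessions") while the `client_idle_timeout` and `disconnect_expired_cert` descriptions still say "SSH sessions", so either scope the intro or generalize those rows too.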
4 changes: 2 additions & 2 deletions docs/pages/desktop-access/rbac.mdx
Expand Up @@ -24,7 +24,7 @@ spec:
# Desktop sessions will never be recorded if auth_service.session_recording
# is set to 'off' in teleport.yaml or if the cluster's session_recording_config
# resource has set 'mode: off'.
record_sessions:
record_session:
desktop: true

# Specify whether clipboard sharing should be allowed with the
Expand Down Expand Up @@ -152,7 +152,7 @@ By default, desktop session recording is considered enabled in Teleport roles
unless it is explicitly disabled:

```yaml
record_sessions:
record_session:
desktop: false
```

11 changes: 10 additions & 1 deletion docs/pages/includes/role-spec.mdx
Expand Up @@ -25,6 +25,11 @@ spec:
# max_sessions is total number of session channels that can be established
# across a single connection. Setting it to 10 matches OpenSSH default behavior.
max_sessions: 10
# Defines which events are recorded by the BPF-based session recorder.
enhanced_recording:
- command
- disk
- network
# permit_x11_forwarding allows users to use X11 forwarding with openssh
# clients and servers through the proxy
permit_x11_forwarding: true
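Review bot: the comment on the new `enhanced_recording` block does not follow the convention of the surrounding spec, where each comment names the key it describes ("max_sessions is total number of...", "permit_x11_forwarding allows users to..."); suggest "# enhanced_recording defines which events are recorded by the BPF-based session recorder." It would also help readers to state that `command`, `disk` and `network` are the full set of accepted values, if that is the case, since the reference table only says "Indicates which events should be recorded".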
Expand All @@ -45,13 +50,15 @@ spec:
# cluster. This setting slows down Teleport performance because it has to track
# connections cluster-wide.
max_connections: 2
# limit number of concurrent Kubernetes sessions per user
max_kubernetes_connections: 1
# Specify whether or not to record the user's desktop sessions.
# Desktop session recording is enabled if one or more of the user's
# roles has enabled recording. Defaults to true if unspecified.
# Desktop sessions will never be recorded if auth_service.session_recording
# is set to 'off' in teleport.yaml or if the cluster's session_recording_config
# resource has set 'mode: off'.
record_sessions:
record_session:
desktop: true
# Specify whether clipboard sharing should be allowed with the
# remote desktop (requires a supported browser). Defaults to true
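Review bot: the comment on `max_kubernetes_connections` ("# limit number of concurrent Kubernetes sessions per user") is the only lower-case fragment in this section; the neighbouring `max_connections` comment is a full sentence and additionally warns that the option "slows down Teleport performance because it has to track connections cluster-wide". Suggest sentence case and, if the same cluster-wide tracking applies to the Kubernetes limit, repeating that caveat here so readers do not assume the two limits have different costs.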
Expand All @@ -71,6 +78,8 @@ spec:
mode: extension
name: login@github.com
value: "{{ external.github_login }}"
# Controls whether this role supports auto provisioning of users.
create_host_user: true

# The allow section declares a list of resource/verb combinations that are
# allowed for the users of this role. By default, nothing is allowed.
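Review bot: the comment on `create_host_user` ("Controls whether this role supports auto provisioning of users.") is vaguer than the reference table added in this same commit ("Allow users to be automatically created on a host") and could be read as provisioning Teleport users rather than local accounts on the target host; suggest "# create_host_user controls whether this role permits automatic creation of the user's account on the host." Also worth a blank line or comment break before it, since it currently sits directly under the `cert_extensions` list items and reads as part of that block.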