You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Teleport code is hard to reason about because it uses word "role" in two completely different contexts.
"Service roles": these are roles for built-in Teleport services such as "Proxy", "Web", "Node", as defined in /roles.go. These are used for creating certificates used by Teleport services to interact with each other. The same roles are used in iconic places like /lib/auth/auth_with_roles.go
"User roles": these are roles assigned to Teleport users. Currently they are implemented using exactly the same data structure (and name) as "service roles". They are, however, separated by having their own "checker", which is awesome, but the data structure itself does not scale well for both service and user purposes.
Re-using the same data structure in both contexts makes it hard to reason about security. One checker (for services) would ignore a lot of fields that are user-specific, etc. Also reading the code makes it hard to understand which role is meant in what context.
Proposal
Have two separate data structures: ServiceRole and UserRole. The service role should continue using the format we have now. This basically means that no changes will be introduced to v2.3 to service roles. But UserRole structure should be based on Expanded Role format #1092
Do a code review on pieces that heavily use roles and provide comments and/or rename functions to indicate which role is meant. Role-related code is poorly commented and hard to understand right now
The text was updated successfully, but these errors were encountered:
Problem
Teleport code is hard to reason about because it uses word "role" in two completely different contexts.
"Service roles": these are roles for built-in Teleport services such as "Proxy", "Web", "Node", as defined in
/roles.go. These are used for creating certificates used by Teleport services to interact with each other. The same roles are used in iconic places like/lib/auth/auth_with_roles.go"User roles": these are roles assigned to Teleport users. Currently they are implemented using exactly the same data structure (and name) as "service roles". They are, however, separated by having their own "checker", which is awesome, but the data structure itself does not scale well for both service and user purposes.
Re-using the same data structure in both contexts makes it hard to reason about security. One checker (for services) would ignore a lot of fields that are user-specific, etc. Also reading the code makes it hard to understand which role is meant in what context.
Proposal
Have two separate data structures:
ServiceRoleandUserRole. The service role should continue using the format we have now. This basically means that no changes will be introduced to v2.3 to service roles. ButUserRolestructure should be based on Expanded Role format #1092Do a code review on pieces that heavily use roles and provide comments and/or rename functions to indicate which role is meant. Role-related code is poorly commented and hard to understand right now
The text was updated successfully, but these errors were encountered: