Custom Approval Conditions

[fspmarshall]

NOTE: This is an MVP feature. Evaluation of permissions errs on the side of strictness, and some planned features (e.g. role subselection) are not yet supported.

---

Based upon RFD/0014 (#5071)

Key Features

Introduces the concept of access request "reviews" which can be used to approve/deny access requests. Unlike directly approving/denying via resource-level permissions, reviews support granular permissions and flexible multi-party approval scenarios.

Here is an example of a simple review-based configuration:

kind: role
metadata:
  name: proletariat
spec:
  allow:
    review_requests:
      roles: ['dictator']
version: v3
---
kind: role
metadata:
  name: populist
spec:
  allow:
    request:
      roles: ['dictator']
      thresholds:
        - approve: 3
          deny: 2
version: v3

In the above example, users with the role populist are able to request the role dictator. When generated, this request will automatically be configured with a review threshold requiring three approvals or two denials. In this scenario, a user with role populist will therefore be able to assume role dictator if three separate users all submit approving reviews. Users with role proletariat have permission to review requests for dictator, so three users with role proletariat will be able to approve a request for role dictator if they all agree.

Note that thresholds is a list. It is possible to specify multiple thresholds. Lets look at a more full-featured use of thresholds:

kind: role
metadata:
  name: populist
spec:
  allow:
    request:
      roles: ['dictator']
      thresholds:
        - name: 'revolution'
          approve: 3
          deny: 2
          filter: 'contains(reviewer.roles,"proletariat")'
        - name: 'coup'
          approve: 2
          deny: 1
          filter: 'contains(reviewer.roles,"military")'
version: v3

In the above scenario, reviewers with the role proletariat count toward the revolution threshold, while reviewers with the role military count toward the coup threshold (reviewers with both roles count toward both thresholds). Say, for example, that alice and bob both hold role proletariat and submit approving reviews. The revolution threshold is not yet met, so the request is still pending. Now say that carol holds role military and also submits an approval. We have more approvals than either threshold requires, but neither threshold has been reached since we have one approval that matches the coup threshold and two approvals that match the revolution threshold.

NOTE: A filter which matches against a reviewing user's roles (e.g. contains(reviewer.roles, "some-role")) effectively "leaks" the fact that the user holds that role to all other users who are allowed to view the request. It does not, however, leak what other roles might be held by the reviewer, as the actual evaluation of the filter is performed only by the auth server. The access request resource simply records a mapping of which reviews match which filters.

Reviewer permissions can also be fairly granular. Ex:

kind: role
metadata:
  name: proletariat
spec:
  allow:
    review_requests:
      roles: ['*']
      where: 'contains(request.system_annotations["mechanism"],"popular-uprising")'
  deny:
    review_requests:
      role: ['elected-representative']
version: v3

The above permits a user to review any access request, so long as that request does not include the role elected-representative and does have the system annotation mechanism: popular-uprising.

---

In addition to new RBAC options, tsh now supports a series of request subcommands.

Users are always allowed to see their own requests, and requests that they are allowed to review:

$ tsh request ls
ID                                   User  Roles    Created (UTC)       Status   
------------------------------------ ----- -------- ------------------- -------- 
094fc0f3-e5ab-47c5-816e-09326735a899 bob   dictator 30 Jan 21 03:38 UTC PENDING  
5212442f-c77c-41bb-bb14-708d2f5a0107 alice dictator 29 Jan 21 22:47 UTC APPROVED 

hint: use 'tsh request show <request-id>' for additional details

As indicated by the above hint test, tsh request show can be used to print out detailed information about a request:

$ tsh request show 5212442f-c77c-41bb-bb14-708d2f5a0107
Request ID: 5212442f-c77c-41bb-bb14-708d2f5a0107
User:       alice
Roles:      dictator
Reason:     none
Status:     APPROVED
------------------------------------------------
Approvals:
  -------------------------
  Reviewer: bob
  Reason:   "you seem cool"
  -------------------------
  Reviewer: carol
  Reason:   "very cool"

Reviews can be submitted via tsh request review:

$ tsh request review --deny --reason='you seem sus' 094fc0f3-e5ab-47c5-816e-09326735a899
Successfully submitted review.  Request state: DENIED

---

A new access_request.review audit event has been added:

{
    "event":"access_request.review",
    "id":"775ec3e0-49db-4aa6-9a4c-975763372b6f",
    "state":"PENDING",
    "reviewer":"bob",
    "proposed_state":"APPROVED"
    // ...
}
{
    "event":"access_request.review",
    "id":"775ec3e0-49db-4aa6-9a4c-975763372b6f",
    "state":"PENDING",
    "reviewer":"carol",
    "proposed_state":"APPROVED"
    // ...
}
{
    "event":"access_request.review",
    "id":"775ec3e0-49db-4aa6-9a4c-975763372b6f",
    "state":"APPROVED",
    "reviewer":"dave",
    "proposed_state":"APPROVED"
    // ...
}

Note that in the first two events, state is PENDING but proposed_state is APPROVED. This indicates that the review being submitted proposes approval, but the state of the request post-application is still PENDING. The third event shows state APPROVED indicating that the post-application state of the request is now APPROVED. This is consistent with a request with an approval threshold of 3. Subsequent reviews have no effect, but still generate events. If, for example, the next review was a denial, we would see an event like this:

{
    "event":"access_request.review",
    "id":"775ec3e0-49db-4aa6-9a4c-975763372b6f",
    "state":"APPROVED",
    "reviewer":"eve",
    "proposed_state":"DENIED"
    // ...
}

Gotchas

• In order to preserve compatibility with existing configurations, update permissions for the access_request resource still allow users to approve any request. Going forward this will not be recommended.

• Role subselection is not currently implemented for reviews. Care has been taken to ensure that this system will be compatible with role subselection, but getting role subselection to work in a correct and intuitive manner without overly complicating the implementation is tricky. I've opted not to let it be a blocker on the rest of the features.

• The current implementation is a little overly-strict when it comes to deciding which thresholds need to pass in order for a request to be approved, and a little over-eager to deny requests. In particular, it requires one threshold from each relevant allow directive, and denies the entire request if any threshold from any statically assigned role is met. In theory, this isn't always necessary, but I opted to start with the simpler and restrictive model.

• Only approval permissions from statically-assigned roles are taken into consideration. This may become a configurable behavior in the future, but once again we're erring on the side of strictness.

Other Stuff

• Roles and access requests now support a suggested_reviewers list, and tsh request ls supports a --suggested flag which lists only requests for which the current user is a suggested reviewer. The names in the suggested_reviewer list don't actually need to be teleport usernames. They could just as easily be slack usernames, emails, etc. This feature is purely for convenience and has no bearing on permissions.

[klizhentas]

@fspmarshall I think it is a very thoughtful design, could not find anything outstanding on the first pass. I liked the suggested reviewers part as well, this is exactly what customers were asking for.

I will do a second pass and will look in the code.

[russjones]

@awly @a-palchikov @andrejtokarcik Do you mind reviewing this PR?

[klizhentas]

General note to @russjones, @andrejtokarcik and @fspmarshall. This access/review/threshold system is very expressive. This raises the importance of:

#4991 and #3731

without tracing and role scenario testers, it will be extremely hard to troubleshoot and develop

[klizhentas]

any specific reason we use uint32 for state vs signed?

[fspmarshall]

Negative threshold IDs (indexes) don't make sense.

[klizhentas]

may be I'm missing something, but it seems that we are doing the same check after processing every review.
what if we split this loop into two parts (to make reading a bit easier) The first pass will process counts only (and short-circuit if the deny matches). The second pass will look for approved roles with all thresholdSets accumulated. As an advantage, you can record more votes even if the threshold matches.

[fspmarshall]

You're not missing anything, but IMO the current layout is superior because it is deterministic regardless of the length of the review list. If we tally all votes and then determined the state-transition as separate steps, then the result that would be produced by this logic continues to change as new reviews are added, even after the initial state-transition condition is reached.

Currently, this property is irrelevant since we skip this entire function once we've exited the PENDING state, but the fact that the function is deterministic means that it will be much easier to extend in the future. Say that we wanted to add an integration with the upcoming "locking" feature which automatically generated locks if a denial theshold was triggered after an approval was initially triggered. The current logic could be left basically untouched, and we could just add a new loop below that starts processing where the previous loop halted. Basically, "its not a bug, its a feature" lol.

[klizhentas]

grpc supports int64, may be use it instead?

https://developers.google.com/protocol-buffers/docs/proto3#scalar

[fspmarshall]

Any particular reason? We certainly don't need to support threshold counts so large that they would overflow a uint32.

[klizhentas]

General note to @russjones, @andrejtokarcik and @fspmarshall. This access/review/threshold system is very expressive. This raises the importance of:

#4991 and #3731

without tracing and role scenario testers, it will be extremely hard to troubleshoot and develop

[klizhentas]

@fspmarshall can you also please give an example of how to prevent access requestor from approving their own request (or if this is done automatically)? This is for the docs

[klizhentas]

Another general observation: I would explore if this code could be improved if nested loops are replaced with some auxiliary data structures, like maps, filters, or trees.

[andrejtokarcik]

I concur with @a-palchikov's comment on the RFD. We could most probably get rid of all the RoleThresholdMapping complexity if we conceded to not supporting actual multi-role requests. The tsh UI could still accept multiple specified roles but such commands would be resolved into a series of atomic requests/commands, one for each role. The issue of role subselection would immediately disappear.

This would actually facilitate one of the goals (I suppose) of introducing multi-party approvals -- to enable setups where as many requests can be reviewed by as many people as possible. With the current logic, as far as I understand, a request for roles a,b,c would require any potential reviewer to:

1. not be denied from reviewing any of a or b or c; and
2. be allowed to review all of a and b and c.

True, this is a result of the prudent decision to err on the side of strictness, yet it also implies that an inappropriately chosen request role could make the set of available reviewers de facto empty.

Complex role approval scenarios should be handled by external plugins that are well-understood or even developed by their users, not within Teleport itself. It's bound to be rather difficult to even document and communicate such complex solutions with all their edge cases.

Finally, I find the use of nested loops and code labels a bit too excessive here. It seems that many of the functions could be better structured by means of smaller helper functions.

[andrejtokarcik]

Is it really necessary to exclude the ability to change or take back one's review decision? Allowing this should be non-controversial for requests still in the PENDING state.

However, I'd perhaps go as far as to allow users to re-set their review even after their contribution has caused the review to transition to DENIED or APPROVED. In that case the review state should be re-evaluated and possibly go back to PENDING. This could help in dealing with accidental approvals including those cases when the requestor hasn't yet managed to obtain the certs with the elevated privileges.

Naturally, care must be taken so that a single user isn't able to contribute multiple times towards the thresholds.

[fspmarshall]

Our old model allowed changing request state after it was already approved, and that ended up being a bad decision in retrospect. The access request system grants privileges by allowing the user to provision certificates with additional roles. If a request is changed from approved to some other non-approved state, it gives the false impression that the privileges were never assumed. Once a request has been in the approved state for even a few milliseconds, you cannot discount the possibility that the user has assumed elevated privileges. Since our caching layer is fairly asynchronous, re-checking the request state on every user action isn't a great solution to this. Its better to have the request continue to reflect the fact that the user likely did successfully escalate privilege.

In terms of cancelling reviews before the request's state-transition occurs, I'm not fundamentally opposed. I don't see any pressing need to add it on the initial release of this feature though.

[andrejtokarcik]

Equals appears to take the threshold name into account. In order to really prevent double-storing it might be more appropriate for that field to be ignored.

[fspmarshall]

There isn't actually any harm in double-storing (I just figure its good practice not to). Since threshold names are displayed in the web UI, I don't want teleport to make the decision about which of two descriptions for a given requirement is the one that should be displayed.

[andrejtokarcik]

@klizhentas

can you also please give an example of how to prevent access requestor from approving their own request (or if this is done automatically)?

This looks pertinent:

teleport/lib/services/access_request.go

Lines 385 to 388 in 76ea3e1

	// user cannot review their own request
	if c.User.GetName() == req.GetUser() {
	return false, nil
	}

[klizhentas]

@andrejtokarcik @fspmarshall @a-palchikov re: single request to multiple request suggestion:

This would make the processing much more complex though - right now the request is a transaction with a state, it's either approved or not. With your proposal, the request would be split into multiple object, each with it's own state. This would be quite hard to reason about, as request could be partially approved/denied.

[fspmarshall]

In addition to @klizhentas's points:

• Single-role requests would break compatibility with the plugin ecosystem. Not just the plugins we've written, but plugins that customers have written as well. Care has been taken to ensure that these new API elements work seamlessly with the existing plugin API s.t. they can function in tandem, or the review system can function as a fallback if plugins go offline.
• Roles can be combined s.t. the deny directives from one role limit another. Access requests describe a set of roles which can be assumed as a unit, which means that it is possible to have scenarios where a user isn't going to get approved for admin but will get approved for admin, staging-only.

[klizhentas]

@fspmarshall @russjones almost forgot, because it's a dual authz feature, please restrict it's usage to

https://github.com/gravitational/teleport/blob/master/lib/modules/modules.go#L45

AdvancedAccessWorkflows

Similar to this:

teleport/lib/auth/auth_with_roles.go

Line 1875 in 5e9ea1c

case features.AdvancedAccessWorkflows == false &&

[a-palchikov]

Sorry if that was already explained but I don't see it explained here hence the question. Is it guaranteed that l == r.Spec.Roles implies that RTMs encode for the same roles as specified in r.Spec.Roles?

[a-palchikov]

Not sure if it's important to note but I'd find it useful to warn if the spec contains duplicate roles. Is it also complying to some old behavior and trying to keep backwards-compatible?

[a-palchikov]

Suggested change

	req.GetCreationTime().Format(time.RFC822),
	req.GetCreationTime().UTC().Format(time.RFC822),

[a-palchikov]

nit: aren't these better grouped in an AccessRrequest block in CLIConf?

[a-palchikov]

autoRequest = false would be more readable in if autoRequest && cf.DesiredRoles == ""

[a-palchikov]

nit: if this built the map for all missing roles - it would be a better UX

[fspmarshall]

I agree in theory, but the difference is negligible IMO and this function is already more busy than I'd like it to be, so I think I'm gonna leave as-is for now.

[a-palchikov]

Suggested change

	// sanity-check. we disallow extremely large threshold lists elsewhere, but its always
	// sanity-check. we disallow extremely large threshold lists elsewhere, but it's always

[a-palchikov]

"not equals" comparison is suspect unless it is guaranteed that len(approved) <= len(req.GetRoleThresholdMapping()) but it's hard to say. Would be safer to say if len(approved) < len(req.GetRoleThresholdMapping()).

[fspmarshall]

The approved mapping's keys are taken from the rtm, so I'm pretty confident in saying that its guaranteed.

[a-palchikov]

Accept the context as parameter instead of using context.TODO

[a-palchikov]

Suggested change

	// use the defaults sugested by the user's static roles.
	// use the defaults suggested by the user's static roles.

[andrejtokarcik]

A little merge leftover.