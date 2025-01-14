Version: 18.x (unreleased)

On this page

Teleport Authorization

Teleport handles both authentication and authorization.

Authentication is about proving an identity of a user or a service.

Authorization is proving access rights to something.

This article explains authorization of users and services with RBAC.

Teleport supports several types of user accounts:

Interactive and non-interactive.

Local and external.

Each user is associated with one or several roles after successful authentication.

Interactive users can be local or external. Local user accounts store login credentials - password hash and MFA device data in Teleport's backend. External user accounts authenticate with a third-party identity provider using SSO protocols - OAuth 2.0, OIDC or SAML.

Let's review the example Alice who is authenticating using SSO provider of her organization with Teleport:

tip Every time SSO user logs in, Teleport creates a temporary user account record that automatically expires with SSO session and logs audit log entries. Teleport creates this record to avoid name collisions with local users.

A user could be external to the Teleport cluster, if another cluster or certificate authority issues a certificate that this cluster trusts. In this case, Teleport activates trusted cluster mapping logic.

Local interactive users have a record in Teleport's backend with credentials.

A cluster administrator have to create account entries for every Teleport user with tctl users add or API call.

Every local Teleport User must be associated with a list of one or more roles. This list is called "role mappings".

Teleport supports non-interactive users for automation services, e.g. Jenkins or micro-services running in your organization.

Local non-interactive users also have a user entry that maps their name to roles, but they do not have credentials stored in the database. Non-interactive users have to use Teleport's machine ID product to receive and renew certificates. Teleport Machine ID's bot runs alongside services and rotates SSH and X.509 certificates on behalf of non-interactive users:

External non-interactive users behave just like local ones, but it is another cluster or certificate authority that issues certificates for them.

They do not have local user records in Teleport backend. Teleport activates trusted cluster mapping logic to support this use case.

Every Teleport user is assigned one or several roles that govern access to resources and Teleport's API.

Each Teleport role works by having two lists of rules: allow rules and deny rules:

Everything is denied by default.

Deny rules get evaluated first and take priority.

A rule consists of two parts: the resources and verbs.

Here's an example of an allow rule describing a list verb applied to the sessions resource. It means "allow users of this role to see a list of recorded SSH or Kubernetes sessions".

allow: - resources: [ session ] verbs: [ list ]

Roles define what principals (e.g. Linux OS users or Kubernetes group) users assigned to the role are allowed to assume:

spec: allow: logins: [ ubuntu ] kubernetes_groups: [ viewer ]

In case if a user has many roles, the list of principals is merged in one set.

Role labels define what resources rules in the role apply to. For example, let's review a role that specifies access for SSH nodes and kubernetes clusters:

spec: allow: node_labels: 'environment': '^test|staging$' kubernetes_labels: 'region': 'us-west-*' 'cluster_name': '^us.*\.example\.com$'

Here is how labels, allow rules and principals are applied:

For allow rule to match, all labels in the rule should match, for example, in the Kubernetes rule above, both region and cluster_name should match.

rule to match, all labels in the rule should match, for example, in the Kubernetes rule above, both and should match. For deny rule to match, any label in the rule could match.

Principals and labels

Let's assume Alice is assigned two roles: dev and prod :

Dev role allows SSH access as root and unrestricted access to kubernetes as system:masters for any kubernetes cluster or node with labels matching 'test' or 'stage'.

metadata: name: dev spec: allow: logins: [ root ] kubernetes_groups: [ 'system:masters' ] node_labels: 'environment': [ 'test' , 'stage' ] kubernetes_labels: 'environment': [ 'test' , 'stage' ] kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

Prod role allows SSH access as ubuntu and view access to kubernetes for any kubernetes cluster or node with labels matching 'prod'

metadata: name: prod spec: allow: logins: [ ubuntu ] kubernetes_groups: [ 'view' ] node_labels: 'environment': [ 'prod' ] kubernetes_labels: 'environment': [ 'prod' ] kubernetes_resources: - kind: '*' namespace: '*' name: '*' verbs: [ '*' ]

Here is how Teleport will evaluate Alice's access:

Alice can SSH as root to server labeled as test or stage

or Alice can not SSH as root to server labeled as prod , because prod role only allows access as ubuntu to prod -labeled servers.

The same applies to Kubernetes:

Alice can access kubernetes cluster as system:masters if it's labeled as test or stage .

if it's labeled as or . Alice can access kubernetes clusters only as a view role if it's labeled as prod .

Roles support template variables. Here is a role snippet that explains how variables are interpolated.

spec: allow: logins: [ ' {{internal.logins}} ' ] kubernetes_groups: [ ' {{external.groups}} ' ]

tip Any role that uses variable interpolation is treated as a role template. You can add interpolation to any role spec.

*Variable interpolation rules

If external.groups is a list that contains ["dev", "prod"] the expression ["{{external.groups}}"] will interpolate to list ["dev", "prod"] .

is a list that contains the expression will interpolate to list . If external.groups is a variable that equals "dev" the expression ["{{external.groups}}"] will interpolate to ["dev"] .

is a variable that equals the expression will interpolate to . If external.groups is missing, the expression "{{external.groups}}" will evaluate into empty string "" . You can use predicate language function calls in templates, e.g. {{email.local(external.foo)}} .

is missing, the expression will evaluate into empty string . You can use predicate language function calls in templates, e.g. . You can combine string prefixes and values, for example: "IAM#{{regexp.replace(external.foo, "^bar-(.*)$", "$1")}};" .

. Invalid expressions will be ignored, e.g. external.foo}} will be skipped, just as invalid function calls.

will be skipped, just as invalid function calls. Invalid values will be omitted, for example -foo is not a valid Unix login, so if variable external.foo equals "-foo" , it will be omitted in logins: ["{{external.foo}}"] .

For full details on how variable expansion works in Teleport roles, see the Access Controls Reference.

How role templates are evaluated

Every Teleport component - whether a Proxy Service instance, Auth Service instance, or Agent -has up to date copy of all roles. Teleport components evaluate role templates at the time of access to any resource.

Let's review a case with the following role template:

metadata: name: devs spec: allow: kubernetes_groups: [ " {{external.k8s_groups}} " ] kubernetes_labels: "env": [ " {{external.env}} " ] kubernetes_resources: - kind: pod namespace: "*" name: "*"

User Alice authenticates with Teleport and receives the following variables from the identity provider:

k8s_groups: ["view", "edit"] env: ["stage"]

These variables get encoded in the X.509 certificate as extensions.

When proxy authorizes the attempt to connect to the Kubernetes cluster it interpolates the role template and the variables, and gets:

metadata: name: devs spec: allow: kubernetes_groups: [ "view" , "edit" ] kubernetes_labels: "env": [ "stage" ] kubernetes_resources: - kind: pod namespace: "*" name: "*"

Finally, the proxy applies the resulting role to the kubernetes cluster Alice tries to access and checks it against cluster. If the cluster has labels "env": "stage" the attempt succeeds, otherwise it fails.

The example below illustrate how to restrict session access only for the user who created the session using role conditions:

kind: role metadata: name: only-own-sessions spec: allow: rules: - resources: [ session ] verbs: [ list , read ] where: contains(session.participants, user.metadata.name)

tip You can use where fields in all resource rules. Check out the full role reference contains full role spec for details.

Alongside allow and deny rules, roles control a variety of options, for example:

kind: role version: v5 metadata: name: relaxed spec: # options specify connection, in case if user has multiple non-default # conflicting options, teleport chooses the least permissive value. options: # max_session_ttl defines the TTL (time to live) of certificates # issued to the users with this role. max_session_ttl: 8h # lock sets locking mode for user of this role, # valid values are "strict" or "best_effort" lock: strict

In case if user has multiple roles that specify conflicting options, for example, role relaxed sets the max_session_ttl to 8h and restricted that sets max_session_ttl to 4h , most secure value will be used, in this case Teleport will choose to limit sessions to 4 hours.

Teleport applies the same logic to other values, for example if two roles specify both strict and best_effort options, Teleport will choose strict option.

tip The full version of Just In Time Access Requests is available only in Teleport Enterprise (including Enterprise Cloud).

Roles allow requesting elevated privileges - other roles or individual resources.

Roles control who can review requests for privileges and define how many approvals or rejections are required: