Fix RBAC permissions for the Teleport Slack plugin

What

Fix RBAC permissions for the Teleport Slack plugin.

Why

Should fix this:

❯ k -n teleport-cluster-staging logs teleport-staging-slack-8cf8949c6-tc9gh
INFO   Starting Teleport Access Slack Plugin 15.4.0: teleport-slack/main.go:93
INFO   Access list monitor is running accesslist/app.go:121
ERRO   Watcher event loop failed error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "read" on "access_monitoring_rule"
Stack Trace:
        /go/src/github.com/gravitational/teleport/api/client/streamwatcher.go:86 github.com/gravitational/teleport/api/client.(*streamWatcher).receiveEvents
        /opt/go/src/runtime/asm_amd64.s:1650 runtime.goexit
User Message: access denied to perform action "read" on "access_monitoring_rule"] watcherjob/watcherjob.go:129
INFO   Access list monitor is finished accesslist/app.go:137
ERRO   Plugin is not ready common/app.go:160
ERRO   Terminating with fatal error [1]... error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError access denied to perform action "list" on "access_monitoring_rule", access denied to perform action "read" on "access_monitoring_rule"
Stack Trace:
        /go/src/github.com/gravitational/teleport/api/client/accessmonitoringrules/access_monitoring_rules_client.go:122 github.com/gravitational/teleport/api/client/accessmonitoringrules.(*Client).ListAccessMonitoringRulesWithFilter
        /go/src/github.com/gravitational/teleport/integrations/access/common/config.go:63 github.com/gravitational/teleport/integrations/access/common.(*wrappedClient).ListAccessMonitoringRulesWithFilter
        /go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:604 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).getAllAccessMonitoringRules
        /go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:583 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).initAccessMonitoringRulesCache
        /go/src/github.com/gravitational/teleport/integrations/access/accessrequest/app.go:148 github.com/gravitational/teleport/integrations/access/accessrequest.(*App).run
        /go/src/github.com/gravitational/teleport/integrations/lib/process.go:234 github.com/gravitational/teleport/integrations/access/slack.Bot.SupportedApps.NewApp.NewServiceJob.func1
        /go/src/github.com/gravitational/teleport/integrations/lib/process.go:255 github.com/gravitational/teleport/integrations/lib.(*serviceJob).DoJob
        /go/src/github.com/gravitational/teleport/integrations/lib/process.go:101 github.com/gravitational/teleport/integrations/lib.NewProcess.func2.1
        /opt/go/src/runtime/asm_amd64.s:1650 runtime.goexit
User Message: access denied to perform action "list" on "access_monitoring_rule", access denied to perform action "read" on "access_monitoring_rule"] lib/bail.go:32

Also updates permissions based on the documentation: https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-slack/#step-38-create-a-user-and-role-for-the-plugin

Edited by Pierre Guinoiseau
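
When a plugin fails like this, the denial messages name exactly which verbs on which resources the plugin role lacks. The following sketch is an added example, not part of the merge request or of Teleport's code: it collects those resource/verb pairs from a log and prints them as entries for a role's `spec.allow.rules` list. The function names are hypothetical and the sample input is three lines copied from the log above.

```python
import re
from collections import defaultdict

# Matches each denial clause in the plugin log, e.g.
#   access denied to perform action "read" on "access_monitoring_rule"
DENIAL = re.compile(r'access denied to perform action "([^"]+)" on "([^"]+)"')

# Sample input assembled for this example from lines of the log quoted above.
SAMPLE_LOG = '''\
Original Error: *interceptors.RemoteError access denied to perform action "read" on "access_monitoring_rule"
User Message: access denied to perform action "read" on "access_monitoring_rule"] watcherjob/watcherjob.go:129
Original Error: *interceptors.RemoteError access denied to perform action "list" on "access_monitoring_rule", access denied to perform action "read" on "access_monitoring_rule"
'''


def missing_permissions(log_text):
    """Return {resource: sorted verbs} for every denial found in the log.

    A single line can carry several denial clauses, and the same clause is
    repeated in "Original Error" and "User Message", so verbs are deduplicated.
    """
    found = defaultdict(set)
    for verb, resource in DENIAL.findall(log_text):
        found[resource].add(verb)
    return {res: sorted(verbs) for res, verbs in sorted(found.items())}


def as_role_rules(perms):
    """Render the denials as entries for a Teleport role's spec.allow.rules."""
    lines = []
    for resource, verbs in perms.items():
        lines.append(f"- resources: ['{resource}']")
        lines.append("  verbs: [" + ", ".join(f"'{v}'" for v in verbs) + "]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Review the output before adding it to the plugin role: grant only the
    # verbs the plugin is documented to need.
    print(as_role_rules(missing_permissions(SAMPLE_LOG)))
```
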