-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use auto-generated menu pages for Access Controls (#41978)
* Use auto-generated menu pages for Access Controls
Introduce a generation script for table of contents pages in the docs,
i.e., pages that list the topics within a given subdirectory. This will
make it easier to:
- Carry out large-scale reorganizations of the docs, since we can
rapidly regenerate table of contents pages as we move around
directories.
- Use the navigation sidebar only for high-value links, rather than all
links, so we can create subdirectories at an arbitrary depth.
Automatically generating TOC pages ensures that all docs pages are
represented.
As a proof of concept, this change implements the auto-generation script
in the Access Controls section of the docs.
The generator considers a TOC page any page that has the same name as a
subdirectory within its current directory. It looks for the comment
`{/*TOPICS*/}` and overwrites everything below this comment with a list
of topics. The generator throws an error on `{/*TOPICS*/}` comments in
pages that don't correspond to subdirectories.
Some pages combine a list of links with lengthy explanatory text. This
change moves these into new pages called `overview.mdx` and adds more
bare-bones table of contents pages in their place.
* Use H2s for child content
This way, a user knows whether a page is a section table of contents.
Stop at one child level to avoid overwhelming the user.- Loading branch information
Showing
17 changed files
with
1,142 additions
and
1,023 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| --- | ||
| title: Teleport Access Controls | ||
| description: Configure Teleport to implement the principal of least privilege in your infrastructure. | ||
| --- | ||
|
|
||
| {/*TOPICS*/} | ||
|
|
||
| - [Getting Started With Access Controls](access-controls/getting-started.mdx): Get started using Teleport Access Controls. | ||
| - [Getting Started with Access Monitoring](access-controls/access-monitoring.mdx): Learn how to use Access Monitoring. | ||
| - [Manage Access to your Cluster](access-controls/introduction.mdx): How to provide role-based access control (RBAC) for servers, databases, Kubernetes clusters, and other resources in your infrastructure | ||
| - [Teleport Access Controls Reference](access-controls/reference.mdx): Explains the configuration settings that you can include in a Teleport role, which enables you to apply access controls for your infrastructure. | ||
|
|
||
| ## Access Lists | ||
|
|
||
| Use Access Lists in Teleport ([more info](access-controls/access-lists.mdx)) | ||
|
|
||
| - [Access List Reference](access-controls/access-lists/reference.mdx): An explanation and overview of Access Lists in Teleport. | ||
| - [Getting Started with Access Lists](access-controls/access-lists/guide.mdx): Learn how to use Access Lists to manage and audit long lived access to Teleport resources. | ||
|
|
||
| ## Cluster Access and RBAC | ||
|
|
||
| How to configure access to specific resources in your infrastructure or your Teleport cluster as a whole. ([more info](access-controls/guides.mdx)) | ||
|
|
||
| - [Dual Authorization](access-controls/guides/dual-authz.mdx): Dual Authorization for SSH and Kubernetes. | ||
| - [Hardware Key Support](access-controls/guides/hardware-key-support.mdx): Hardware Key Support | ||
| - [Headless WebAuthn](access-controls/guides/headless.mdx): Headless WebAuthn | ||
| - [IP Pinning ](access-controls/guides/ip-pinning.mdx): How to enable IP pinning for Teleport users | ||
| - [Impersonating Teleport Users](access-controls/guides/impersonation.mdx): How to issue short-lived certs on behalf of Teleport users using impersonation. | ||
| - [MFA for Administrative Actions](access-controls/guides/mfa-for-admin-actions.mdx): Require MFA checks to perform administrative actions. | ||
| - [Moderated Sessions](access-controls/guides/moderated-sessions.mdx): Describes the purpose of moderated sessions and how to configure roles to support moderated sessions in a Teleport cluster. | ||
| - [Passwordless](access-controls/guides/passwordless.mdx): Learn how to use passwordless authentication with Teleport. | ||
| - [Per-session MFA](access-controls/guides/per-session-mfa.mdx): Require MFA checks to initiate sessions. | ||
| - [Second Factor: WebAuthn](access-controls/guides/webauthn.mdx): Configuring WebAuthn support in Teleport clusters. | ||
| - [Session and Identity Locking](access-controls/guides/locking.mdx): How to lock compromised users or agents | ||
| - [Teleport Role Templates](access-controls/guides/role-templates.mdx): This guide explains templating in Teleport roles. Templates allow you to enable access to resources depending on the traits of a local or single sign-on user. | ||
|
|
||
| ## Compliance Frameworks | ||
|
|
||
| How to use Teleport's access controls to streamline compliance without sacrificing productivity. ([more info](access-controls/compliance-frameworks.mdx)) | ||
|
|
||
| - [FedRAMP Compliance for Infrastructure Access](access-controls/compliance-frameworks/fedramp.mdx): How to configure SSH, Kubernetes, database, and web app access to be FedRAMP compliant, including support for FIPS 140-2. | ||
| - [SOC 2 compliance for SSH, Kubernetes, and Databases](access-controls/compliance-frameworks/soc2.mdx): How to configure SOC 2-compliant access to SSH, Kubernetes, databases, desktops, and web apps | ||
|
|
||
| ## Configure Teleport as an identity provider | ||
|
|
||
| How to set up Teleport's identity provider functionality ([more info](access-controls/idps.mdx)) | ||
|
|
||
| - [Access GCP Web Console and API with a federated authentication.](access-controls/idps/saml-gcp-workforce-identity-federation.mdx): Manage Google Cloud Platform (GCP) web console access with Teleport SAMl IdP. | ||
| - [SAML IdP Attribute Mapping](access-controls/idps/saml-attribute-mapping.mdx): How to map user attributes to custom SAML response | ||
| - [SAML Identity Provider Reference](access-controls/idps/saml-reference.mdx): Reference documentation for the SAML identity provider | ||
| - [Use Teleport's SAML Provider to authenticate with Grafana](access-controls/idps/saml-grafana.mdx): Configure Grafana to use identities provided by Teleport. | ||
| - [Using Teleport as a SAML identity provider](access-controls/idps/saml-guide.mdx): How to configure and use Teleport as a SAML identity provider. | ||
|
|
||
| ## Device Trust | ||
|
|
||
| Device Trust allows Teleport admins to enforce the use of trusted devices. ([more info](access-controls/device-trust.mdx)) | ||
|
|
||
| - [Device Trust Overview](access-controls/device-trust/concepts.mdx): Teleport Device Trust Concepts | ||
| - [Enforce Device Trust](access-controls/device-trust/enforcing-device-trust.mdx): Learn how to enforce trusted devices with Teleport | ||
| - [Getting Started with Device Trust](access-controls/device-trust/guide.mdx): Get started with Teleport Device Trust | ||
| - [Jamf Pro Integration](access-controls/device-trust/jamf-integration.mdx): Sync your Jamf Pro inventory into Teleport | ||
| - [Manage Trusted Devices](access-controls/device-trust/device-management.mdx): Learn how to manage Trusted Devices | ||
|
|
||
| ## Just-in-Time Access Request Plugins | ||
|
|
||
| Use Teleport's Access Request plugins to least-privilege access without sacrificing productivity. ([more info](access-controls/access-request-plugins.mdx)) | ||
|
|
||
| - [Access Requests with Microsoft Teams](access-controls/access-request-plugins/ssh-approval-msteams.mdx): How to set up Teleport's Microsoft Teams plugin for privilege elevation approvals. | ||
| - [Access Requests with Opsgenie](access-controls/access-request-plugins/opsgenie.mdx): How to set up Teleport's Opsgenie plugin for privilege elevation approvals. | ||
| - [Access Requests with ServiceNow](access-controls/access-request-plugins/servicenow.mdx): How to set up Teleport's ServiceNow plugin for privilege elevation approvals. | ||
| - [Run the Discord Access Request Plugin](access-controls/access-request-plugins/ssh-approval-discord.mdx): How to set up Teleport's Discord plugin for privilege elevation approvals. | ||
| - [Run the Jira Access Request Plugin](access-controls/access-request-plugins/ssh-approval-jira.mdx): How to set up the Teleport Jira plugin to notify users when another user requests elevated privileges. | ||
| - [Run the Mattermost Access Request plugin](access-controls/access-request-plugins/ssh-approval-mattermost.mdx): How to set up Teleport's Mattermost plugin for privilege elevation approvals. | ||
| - [Run the PagerDuty Access Request Plugin](access-controls/access-request-plugins/ssh-approval-pagerduty.mdx): How to set up Teleport's PagerDuty plugin for privilege elevation approvals. | ||
| - [Run the Slack Access Request Plugin](access-controls/access-request-plugins/ssh-approval-slack.mdx): How to set up Teleport's Slack plugin for privilege elevation approvals. | ||
| - [Teleport Access Requests with Email](access-controls/access-request-plugins/ssh-approval-email.mdx): How to set up the Teleport email plugin to notify users when another user requests elevated privileges. | ||
|
|
||
| ## Just-in-Time Access Requests | ||
|
|
||
| Just-in-time Access Requests allow Teleport users to request access to a resource or role depending on need. ([more info](access-controls/access-requests.mdx)) | ||
|
|
||
| - [Configure Access Requests](access-controls/access-requests/access-request-configuration.mdx): Describes the options available for configuring just-in-time access to roles and resources in your Teleport cluster. | ||
| - [Just-in-Time Access Requests](access-controls/access-requests/overview.mdx): Use just-in-time Access Requests to request elevated privileges. | ||
| - [Resource Access Requests](access-controls/access-requests/resource-requests.mdx): Teleport allows users to request access to specific resources from the CLI or UI. Requests can be escalated via ChatOps or anywhere else via our flexible Authorization Workflow API. | ||
| - [Role Access Requests](access-controls/access-requests/role-requests.mdx): Use Just-in-time Access Requests to request new roles with elevated privileges. | ||
| - [Teleport Community Edition Role Access Requests](access-controls/access-requests/oss-role-requests.mdx): Teleport Community Edition allows users to request access to roles from the CLI. | ||
|
|
||
| ## Login Rules | ||
|
|
||
| Transform User Traits with Login Rules ([more info](access-controls/login-rules.mdx)) | ||
|
|
||
| - [Deploy Login Rules using Kubernetes Operator](access-controls/login-rules/kubernetes.mdx): Use Teleport's Kubernetes Operator to deploy Login Rules to your cluster | ||
| - [Deploy Login Rules via Terraform](access-controls/login-rules/terraform.mdx): Use Teleport's Terraform Provider to deploy Login Rules to your cluster | ||
| - [Login Rules Reference](access-controls/login-rules/reference.mdx): Reference documentation for Login Rules | ||
| - [Set Up Login Rules](access-controls/login-rules/guide.mdx): Set up Login Rules to transform user traits | ||
|
|
||
| ## Teleport Access Graph | ||
|
|
||
| Includes guides for Teleport Access Graph, which allows you to visualize RBAC policies in your infrastructure. ([more info](access-controls/access-graph.mdx)) | ||
|
|
||
| - [Discover AWS Access Patterns with Teleport Policy](access-controls/access-graph/aws-sync.mdx): Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Access Graph. | ||
| - [Run Teleport Access Graph on Self-Hosted Clusters with Helm](access-controls/access-graph/self-hosted-helm.mdx): undefined | ||
| - [Run Teleport Access Graph on Self-Hosted Clusters](access-controls/access-graph/self-hosted.mdx): Describes how to deploy Teleport Access Graph on self-hosted clusters. | ||
| - [Teleport Policy](access-controls/access-graph/overview.mdx): A reference for Access Graph with Teleport Policy. | ||
|
|
||
| ## Teleport Single-Sign-On | ||
|
|
||
| Learn how to configure your single sign-on provider to allow authentication to Teleport. ([more info](access-controls/sso.mdx)) | ||
|
|
||
| - [Authentication With GitLab as an SSO provider](access-controls/sso/gitlab.mdx): How to configure Teleport access using GitLab for SSO | ||
| - [Authentication With Okta as an SSO Provider](access-controls/sso/okta.mdx): How to configure Teleport access using Okta for SSO | ||
| - [OAuth2 and OIDC authentication](access-controls/sso/oidc.mdx): How to configure Teleport access with OAuth2 or OpenID connect (OIDC) | ||
| - [SSO with Active Directory Federation Services](access-controls/sso/adfs.mdx): How to configure Teleport access with Active Directory Federation Services | ||
| - [Set up Single Sign-On with GitHub](access-controls/sso/github-sso.mdx): Setting up GitHub SSO | ||
| - [Teleport Authentication with Azure Active Directory (AD)](access-controls/sso/azuread.mdx): How to configure Teleport access with Azure Active Directory. | ||
| - [Teleport Authentication with Google Workspace (G Suite)](access-controls/sso/google-workspace.mdx): How to configure Teleport access with Google Workspace (formerly known as G Suite) | ||
| - [Teleport Authentication with OneLogin as an SSO Provider](access-controls/sso/one-login.mdx): How to configure Teleport access using OneLogin as an SSO provider | ||
| - [Teleport Single Sign-On Overview](access-controls/sso/overview.mdx): How to set up single sign-on (SSO) for SSH using Teleport |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,230 +1,11 @@ | ||
| --- | ||
| title: Teleport Policy | ||
| description: A reference for Access Graph with Teleport Policy. | ||
| title: Teleport Access Graph | ||
| description: Includes guides for Teleport Access Graph, which allows you to visualize RBAC policies in your infrastructure. | ||
| --- | ||
|
|
||
| Teleport Policy streamlines and centralizes access management across your entire infrastructure. | ||
| {/*TOPICS*/} | ||
|
|
||
| Teleport Policy with Access Graph provides a visual representation of the relationships between | ||
| users, roles, and resources in your organization. It can help you answer questions like: | ||
|
|
||
| - What resources can a specific user access? | ||
| - What users can access a specific resource? | ||
| - What are the relationships between users, roles, and resources? | ||
|
|
||
| Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is only | ||
| available to Teleport Enterprise customers. | ||
|
|
||
| After logging into the Teleport UI, go to the Management tab. If enabled, Access Graph options can be found | ||
| under the Permission Management section. | ||
|
|
||
|  | ||
|
|
||
| ## Graph nodes | ||
|
|
||
| Teleport Access Graph divides your infrastructure into six main components: | ||
|
|
||
| 1. Identities | ||
|
|
||
|  | ||
|
|
||
| Identities are the actors that can access your infrastructure. They can be employees, | ||
| contractors, machines or bots. | ||
|
|
||
| The number on the right hand side shows "standing privileges". | ||
| Standing privileges is the number of resources that an identity can access without | ||
| creating an access request. | ||
|
|
||
| 2. User Groups | ||
|
|
||
|  | ||
|
|
||
| Identity Groups are collections of identities. They can be used to organize users | ||
| based on their role or team, and they can be nested. | ||
|
|
||
| 3. Actions | ||
|
|
||
|  | ||
|
|
||
| Actions are the things that identities can or cannot do. Actions are related to | ||
| resources. For example, a user can SSH into a node. | ||
|
|
||
| 4. Deny Actions | ||
|
|
||
|  | ||
|
|
||
| Deny Actions are the things that identities cannot do. Deny Actions are related to | ||
| resources. For example, a user cannot SSH into a node. | ||
|
|
||
| 5. Resource Groups | ||
|
|
||
|  | ||
|
|
||
| Resource Groups are collections of resources. They can be used to organize | ||
| resources based on their role or team. | ||
|
|
||
| The number on the right hand side shows the number of resources that a resource group contains. | ||
|
|
||
| 6. Resources | ||
|
|
||
|  | ||
|
|
||
| Resources are the things that users can or cannot access. They can be | ||
| servers, databases, or Kubernetes clusters. | ||
|
|
||
| ## Graph paths | ||
|
|
||
| Teleport Access Graph shows the relationships between users, roles, and | ||
| resources. It does this by showing paths between nodes. Paths are the | ||
| relationships between nodes. Paths always connect nodes in the following order: | ||
|
|
||
| 1. Users | ||
| 1. User Groups | ||
| 1. Actions | ||
| 1. Resource Groups | ||
| 1. Resources | ||
|
|
||
| Paths can be divided into two categories: | ||
|
|
||
| 1. Allow paths | ||
|
|
||
|  | ||
|
|
||
| Allow paths connect identities to resources. They show what an identity can access | ||
| and what actions they can perform. | ||
|
|
||
| 2. Deny paths | ||
|
|
||
|  | ||
|
|
||
| Deny paths connect identities to resources. They show what an identity cannot access | ||
| and what actions they cannot perform. Deny paths take precedence over allow | ||
| paths. | ||
|
|
||
| ## How to use it | ||
|
|
||
| Teleport Access Graph can help you to answer questions like: | ||
|
|
||
| - Who can access a specific resource? | ||
|
|
||
|  | ||
|
|
||
| - What resources can a specific user access? | ||
|
|
||
|  | ||
|
|
||
| ## Navigation | ||
|
|
||
|  | ||
|
|
||
| The left hand side menu contains the main navigation options: | ||
|
|
||
| - Graph view | ||
| - Search | ||
| - SQL editor | ||
| - Integrations | ||
|
|
||
| ## Graph View | ||
|
|
||
| Graph view is the main view that shows the connections between identities and resources. | ||
| By default, an aggregated view of access paths grouped by identity is showed. | ||
|
|
||
| ## Search | ||
|
|
||
| To search for a graph node use the search bar at the top of the page or the search icon on the right hand side. | ||
|
|
||
|  | ||
|
|
||
| You can then search through all node types and all imported entities. | ||
|
|
||
| ## SQL Editor | ||
|
|
||
| Access Graph allows creating SQL like queries to explore the graph. | ||
|
|
||
|  | ||
|
|
||
| The query language allows to create different views of the graph, ex: | ||
|
|
||
| Show only allowed paths | ||
|
|
||
| ```sql | ||
| SELECT * FROM access_path WHERE kind = 'ALLOWED'; | ||
| ``` | ||
|
|
||
| Show only denied paths | ||
| ```sql | ||
| SELECT * FROM access_path WHERE kind = 'DENIED'; | ||
| ``` | ||
|
|
||
| Show all access paths for a user | ||
|
|
||
| ```sql | ||
| SELECT * FROM access_path WHERE identity = 'bob'; | ||
| ``` | ||
|
|
||
| Show all access paths for a user AND resource | ||
|
|
||
| ```sql | ||
| SELECT * FROM access_path WHERE identity = 'bob' AND resource = 'postgres'; | ||
| ``` | ||
|
|
||
| More actionable examples is available under ? icon. | ||
|
|
||
| ## Integrations | ||
|
|
||
|  | ||
|
|
||
| Integrations page shows integrations that can be enabled or are already enabled in Access Graph. | ||
|
|
||
| <Admonition title="Note" type="tip"> | ||
| Resources imported into Teleport through Teleport enabled integrations are automatically imported into | ||
| Access graph without any additional configuration. | ||
| </Admonition> | ||
|
|
||
| ## How resources and identities are represented | ||
|
|
||
| Access Graph imports all resources and identities from Teleport and keeps them up to date, so every time you make a change | ||
| to your Teleport resources, the Access Graph will reflect those changes. | ||
|
|
||
| ### Identities | ||
|
|
||
| Users are created from Teleport Users. | ||
| Local users are imported as soon as they are created. | ||
| External users (created from authentication connectors for GitHub, SAML, etc.) are imported when they log in for the first time. | ||
|
|
||
| ### User Groups | ||
|
|
||
| User Groups are created from Teleport Roles and access requests. Roles create User Groups where the members | ||
| are the users that have that role. Access requests create a temporary User Group where the members are the users that | ||
| got the access through the accepted access request. | ||
|
|
||
| ### Actions | ||
|
|
||
| Actions are created from Teleport roles. Actions can be divided into three | ||
| categories: | ||
|
|
||
| 1. Allow Actions | ||
|
|
||
| Allow Actions are created from Teleport roles. Allow Actions are the things | ||
| that users can do. For example, a user can SSH into a node. | ||
|
|
||
| 2. Deny Actions | ||
|
|
||
| Deny Actions are created from Teleport roles. Deny Actions are the things | ||
| that users cannot do. For example, a user cannot SSH into a node. Deny | ||
| Actions take precedence over Allow Actions. | ||
|
|
||
| 3. Temporary Actions | ||
|
|
||
| Temporary Actions are created when a user is granted temporary access to a | ||
| resource. They are automatically deleted when the user's access expires. | ||
| The temporary actions can be identified by having `Temporary: true` property. | ||
|
|
||
| #### Resource Groups | ||
|
|
||
| Resource Groups are created from Teleport roles. | ||
|
|
||
| #### Resources | ||
|
|
||
| Resources are created from Teleport resources like nodes, databases, and | ||
| Kubernetes clusters. | ||
| - [Discover AWS Access Patterns with Teleport Policy](access-graph/aws-sync.mdx): Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Access Graph. | ||
| - [Run Teleport Access Graph on Self-Hosted Clusters with Helm](access-graph/self-hosted-helm.mdx): undefined | ||
| - [Run Teleport Access Graph on Self-Hosted Clusters](access-graph/self-hosted.mdx): Describes how to deploy Teleport Access Graph on self-hosted clusters. | ||
| - [Teleport Policy](access-graph/overview.mdx): A reference for Access Graph with Teleport Policy. |
Oops, something went wrong.