Add docs for role.spec.allow.reason.mode #49363
Conversation
kopiczko
added
the
no-changelog
github-actions
bot
requested review from
mmcallister,
nklaassen,
ptgott,
xinding33 and
zmb3
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
| resource allowed by "root-node-access" they will be required to provide a reason. This is true even | ||
| if they are assigned to another role which allows requesting those roles/resources and doesn't have | ||
| the reason mode set to "required". Or in other words, if there are multiple roles allowing | ||
| requesting the same roles/search_as_roles with request mode set, "require" has a higher priority | ||
| than "optional". |
There was a problem hiding this comment.
Nit: A little shorter and still carries the point across.
| resource allowed by "root-node-access" they will be required to provide a reason. This is true even | |
| if they are assigned to another role which allows requesting those roles/resources and doesn't have | |
| the reason mode set to "required". Or in other words, if there are multiple roles allowing | |
| requesting the same roles/search_as_roles with request mode set, "require" has a higher priority | |
| than "optional". | |
| resource allowed by "root-node-access" they will be required to provide a reason. If | |
| a user's roleset includes multiple roles governing access requests to the same roles | |
| and resources, "require" mode takes precedence. |
|
|
||
| ```yaml | ||
| kind: role | ||
| version: v6 |
There was a problem hiding this comment.
| version: v6 | |
| version: v7 |
There was a problem hiding this comment.
Should I change it in all examples in on this page?
There was a problem hiding this comment.
Yeah role v7 is the latest, we should prefer using it.
| |Value|Meaning| | ||
| |---|---| | ||
| | `optional` | The default. The user does not need to provide a reason when making a request. | | ||
| | `required` | The user must provide a reason when making a request. | |
There was a problem hiding this comment.
| | `required` | The user must provide a reason when making a request. | | |
| | `required` | The user must provide a non-empty reason when making a request. | |
|
🤖 Vercel preview here: https://docs-dtgn2ddrw-goteleport.vercel.app/docs |
| ## Reason mode | ||
|
|
||
| Reason mode allows enforcing users to provide reason while making an Access Request. It only works | ||
| in allow rules and is set with `allow.request.reason.mode`. |
There was a problem hiding this comment.
nit: "Reason mode" feels weird written out in english, maybe this is better
| ## Reason mode | |
| Reason mode allows enforcing users to provide reason while making an Access Request. It only works | |
| in allow rules and is set with `allow.request.reason.mode`. | |
| ## Requiring request reasons | |
| The `allow.request.reason.mode` field controls whether a reason is required when users submit access requests. |
There was a problem hiding this comment.
I don't have a strong opinion here. @r0mant ?
There was a problem hiding this comment.
Nic's suggestion looks good to me.
kopiczko
force-pushed
the
kopiczko/add-docs-for-role.spec.allow.reason.mode
branch
from
cab0166
to
60382dd
Compare
|
🤖 Vercel preview here: https://docs-6ts77i7ro-goteleport.vercel.app/docs |
kopiczko
force-pushed
the
kopiczko/add-docs-for-role.spec.allow.reason.mode
branch
from
60382dd
to
d7fa1c2
Compare
|
|
||
| If a user with "node-requester" role assigned makes an Access Request for "node-access" role or any | ||
| resource allowed by "root-node-access" they will be required to provide a reason. If a user's | ||
| roleset includes multiple roles governing access requests to the same roles and resources, |
There was a problem hiding this comment.
| roleset includes multiple roles governing access requests to the same roles and resources, | |
| roleset includes multiple roles governing Access Requests to the same roles and resources, |
We're capitalizing "Access Requests" across the docs. Not sure why it's not capitalized here but it is earlier in the paragraph.
|
🤖 Vercel preview here: https://docs-mwizanfer-goteleport.vercel.app/docs |
No description provided.