Authorize session to a single target not working

I’m trying to give some users access to a specific target in a project.
So at project scope, I have configured the following permission for those users: id=ttcp_Iy5NBZUphs;actions=authorize-session

But they are unable to connect:

$ boundary connect ssh -target-id ttcp_Iy5NBZUphs
Error from controller when performing authorize-session against target: 
Error information:
  Code:
  Message:             Forbidden
  Status:              403

If I change the permission to id=*;type=target;actions=authorize-session, then they are able to connect, but of course to all targets in the project, which I would like to avoid.

Is this perhaps a bug? Or am I missing something?

Kind regards,
Johan

Thanks for trying out Boundary @jsiebens !

It looks like your original grant was missing type, can you verify with this grant? id=ttcp_Iy5NBZUphs;type=target;actions=authorize-session

Hi @malnick!

I have just given it a try by updating my Terraform manifest, but when applying it, I'm getting the following error:

Error: error updating grant strings on role: {"status":400, "code":"InvalidArgument", "message":"Errors in provided fields.", "details":{"request_fields":[{"name":"grant_strings", "description":"Improperly formatted grant \"id=ttcp_Iy5NBZUphs;type=target;actions=authorize-session\"."}]}}

@jsiebens Can you share your TF config for this resource as well as your provider configuration?

@malnick I’m still testing things out with the dev server, here is the complete Terraform setup I’m applying.

provider "boundary" {
  addr                            = "http://localhost:9200"
  auth_method_id                  = "ampw_1234567890"
  password_auth_method_login_name = "admin"
  password_auth_method_password   = "password"
}

variable "backend_server_ips" {
  type = set(string)
  default = [
    "192.168.0.51",
    "192.168.0.52",
    "192.168.0.53",
    "192.168.0.54",
  ]
}

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "orion_org" {
  name                   = "Orion Org"
  description            = "A prominent constellation located on the celestial equator and visible throughout the world"
  scope_id               = boundary_scope.global.id
  auto_create_admin_role = true
}

resource "boundary_scope" "orion_project" {
  name                   = "Orion Project"
  scope_id               = boundary_scope.orion_org.id
  auto_create_admin_role = true
}

resource "boundary_host_catalog" "orion_catalog" {
  name     = "Orion Catalog"
  type     = "static"
  scope_id = boundary_scope.orion_project.id
}

resource "boundary_host" "orion_servers" {
  for_each        = var.backend_server_ips
  type            = "static"
  name            = "Orion Server ${each.value}"
  address         = each.key
  host_catalog_id = boundary_host_catalog.orion_catalog.id
}

resource "boundary_host_set" "orion_ssh_servers" {
  type            = "static"
  name            = "Orion SSH Servers"
  host_catalog_id = boundary_host_catalog.orion_catalog.id
  host_ids        = [for host in boundary_host.orion_servers : host.id]
}

resource "boundary_target" "orion_ssh_target" {
  type         = "tcp"
  name         = "Orion SSH"
  scope_id     = boundary_scope.orion_project.id
  default_port = "22"

  host_set_ids = [
    boundary_host_set.orion_ssh_servers.id
  ]
}

resource "boundary_host_set" "orion_redis_servers" {
  type            = "static"
  name            = "Orion Redis Servers"
  host_catalog_id = boundary_host_catalog.orion_catalog.id
  host_ids = [
    boundary_host.orion_servers["192.168.0.52"].id
  ]
}

resource "boundary_target" "orion_redis_servers" {
  type         = "tcp"
  name         = "Orion Redis"
  scope_id     = boundary_scope.orion_project.id
  default_port = "6379"

  host_set_ids = [
    boundary_host_set.orion_redis_servers.id
  ]
}

resource "boundary_auth_method" "orion_passwords" {
  name     = "Orion Passwords"
  scope_id = boundary_scope.orion_org.id
  type     = "password"
}

resource "boundary_account" "johan_siebens" {
  name           = "Johan Siebens"
  type           = "password"
  login_name     = "jsiebens"
  auth_method_id = boundary_auth_method.orion_passwords.id
}

resource "boundary_user" "johan_siebens" {
  name     = "Johan Siebens"
  scope_id = boundary_scope.orion_org.id
  account_ids = [
    boundary_account.johan_siebens.id
  ]
}

resource "boundary_role" "login_and_default_grants" {
  name = "Login and Default Grants"
  principal_ids = [
    boundary_user.johan_siebens.id
  ]
  grant_strings = [
    "type=scope;actions=list",
    "id=*;type=auth-method;actions=authenticate,list",
    "id={{account.id}};actions=read,change-password"
  ]
  scope_id = boundary_scope.orion_org.id
}

# Project-scoped role meant to allow authorize-session on the Redis target only.
resource "boundary_role" "redis_operator" {
  name = "Redis Operator"
  principal_ids = [
    boundary_user.johan_siebens.id
  ]
  grant_strings = [
    "id=${boundary_target.orion_redis_servers.id};type=target;actions=authorize-session"
  ]
  scope_id = boundary_scope.orion_project.id
}

I am facing the same issue when assigning a single target to the user

When I add this grant: id=ttcp_Iy5NBZUphs;type=target;actions=authorize-session

I get this error: Grant "id=ttcp_j0cELv3UI5;type=target;actions=authorize-session" could not be parsed successfully: parsed grant string would not result in any action being authorized

Any suggestions what can be done to resolve this?

Thanks!

See https://www.boundaryproject.io/docs/concepts/security/permissions#permission-grant-formats ; it’s not valid to specify both id and type in a non-wildcard scenario.

Or when pinning, but targets are not a valid type for pinning :)

Ok, I understand now :)

Then the grant id=ttcp_Iy5NBZUphs;actions=authorize-session should do the trick, right?
But by doing so, the users are still not able to connect, getting a 403 error.

okay, got it!

Even though I tried using the grant "id=ttcp_j0cELv3UI5;actions=authorize-session",
I am still getting a 403 (Error from controller when performing authorize-session against target).

This is the role I am using for giving a user access to the target:

Role information:
Created Time: Sat, 24 Oct 2020 20:39:37 IST
Description: My first role
Grant Scope ID: p_CjaO7Xs3SA
ID: r_ajOpLRTzib
Name: my_role
Updated Time: Sun, 25 Oct 2020 11:47:23 IST
Version: 13

Scope:
ID: p_CjaO7Xs3SA
Name: One Infra
Parent Scope ID: o_EdzZTT1rjA
Type: project

Principals:
ID: u_M5ZUUSvuti
Type: user
Scope ID: o_EdzZTT1rjA

Canonical Grants:
id=*;type=role;actions=read,list
id=ttcp_j0celv3ui5;actions=authorize-session

Do you think I am missing something here?

My guess is that the user you're using to access the target is not actually the one specified in the grants. Can you verify that you are in fact logging in as that user?

Going through a login and connect session on the CLI and pasting the commands/output would be helpful.

Sure Jeff!

This is the one when I log in using user abcdefg:

BOUNDARY_ADDR='https://abc.com' boundary authenticate password -login-name abcdefg -password **** -auth-method-id ampw_kmbNM94SV8

Authentication information:
Account ID: apw_2Fbb8dfseh
Auth Method ID: ampw_kmbNM94SV8
Expiration Time: Tue, 03 Nov 2020 22:22:50 IST
Token:
at_0Vt3uLqJVh_s14u8DbSGEzrSZGN329Kpmp6r2sL8wCRkRwreLWqeaUeup3jGE8mq6ru86xAoXd3DfeASFRswsUn2ybHhQgaDPmEcF4XPGBkaoK5F6PLM8RisUiupzNU7MZDJHcbgtuziCNkJbWH2v8DgZmYLCk7
User ID: u_fotr4Yn0IN

export BOUNDARY_TOKEN=at_0Vt3uLqJVh_s14u8DbSGEzrSZGN329Kpmp6r2sL8wCRkRwreLWqeaUeup3jGE8mq6ru86xAoXd3DfeASFRswsUn2ybHhQgaDPmEcF4XPGBkaoK5F6PLM8RisUiupzNU7MZDJHcbgtuziCNkJbWH2v8DgZmYLCk7

When I try to ssh into an EC2 instance in AWS:

BOUNDARY_ADDR='https://abc.com' boundary connect ssh -username ubuntu -target-id ttcp_j0cELv3UI5 -- -i web.pem
Error from controller when performing authorize-session against target:
Error information:
Code:
Message: Forbidden
Status: 403

This is when I try to view the target:

BOUNDARY_ADDR='https://abc.com' boundary targets list -scope-id=p_CjaO7Xs3SA

Target information:
ID: ttcp_j0cELv3UI5
Version: 2
Type: tcp
Name: Backend servers
Description: Backend SSH target

It's only when I use the grant id=*;type=target;actions=authorize-session that I can ssh into the targets.

Also, I verified that I am using the same user, and I have created the grant in the project scope.

Please suggest what am i missing here

Thanks!

Your capitalization differs between the role grant with the ID of the target and the target’s actual ID. That’s likely the problem.

Nope… Boundary automatically converts the target ID to lower case.

This is actually a bug in the boundary client, as it converts the id to lower case before storing it, which causes the grant to not succeed. See as follows:

$ boundary roles add-grants -id=r_8qZLxfoobar -grant="id=hcst_9kF4FooBar;type=*;actions=create,delete,list,update"

  Created Time:        Wed, 18 Nov 2020 23:56:32 UTC
[..snip...]

  Canonical Grants:
    id=hcst_9kf4foobar;type=*;actions=create,delete,list,update

I've tested and confirmed that any grants targeting a specific ID don't work due to this lowercasing. This is using the boundary server and client v0.1.1 downloaded from the Ubuntu/Debian package listed here: Install Boundary | Boundary | HashiCorp Developer

Reported as "Boundary roles add-grant lowercases IDs in the grant statement" · Issue #794 · hashicorp/boundary · GitHub
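The two findings in this thread (Jeff's point that `id=<specific id>;type=<type>` is rejected at parse time unless the ID is a wildcard or a pinned parent, and the lowercasing bug in issue #794 that turns `ttcp_j0cELv3UI5` into `ttcp_j0celv3ui5` before the grant is stored) can both be reproduced against a small model of grant evaluation. The following is an added example written for this page, not Boundary's own code: a simplified parser and matcher for grant strings in Python. It deliberately does not model pinning or collection-level (type-only) grants, the ID-prefix-to-type table is an assumption for the demo, and the rule that a wildcard ID must carry a type is taken from the permissions docs linked above as understood here. What it does show is the security-relevant mechanism: authorization compares IDs byte-for-byte, so a canonicalization step applied on only one side (here, lowercasing in the client) fails closed with a 403 rather than granting anything.

```python
"""Simplified model of Boundary-style grant strings (added illustration, not
Boundary's implementation).  Shows why "id=<id>;type=<type>" is rejected at
parse time and why an ID that was lowercased on storage never matches a
mixed-case resource ID at authorization time."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Assumed ID-prefix -> resource-type table, enough for the demo (not exhaustive).
PREFIX_TYPES = {"ttcp": "target", "hcst": "host-catalog", "r": "role"}


class GrantError(ValueError):
    """Raised for grant strings that could never authorize anything."""


@dataclass(frozen=True)
class Grant:
    id: Optional[str]
    type: Optional[str]
    actions: FrozenSet[str]


def parse_grant(text: str) -> Grant:
    """Parse 'key=value;key=value' and apply the shape rules discussed in the thread."""
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ("id", "type", "actions") or not value or key in fields:
            raise GrantError(f"improperly formatted grant {text!r}")
        fields[key] = value
    actions = frozenset(a.strip() for a in fields.get("actions", "").split(",") if a.strip())
    if not actions:
        raise GrantError("grant would not authorize any action")
    gid, gtype = fields.get("id"), fields.get("type")
    if gid is None and gtype is None:
        raise GrantError("grant needs an id, a type, or both")
    if gid == "*" and gtype is None:
        raise GrantError("wildcard id requires a type")  # assumed rule, per the linked docs
    # A specific ID already names exactly one resource, so combining it with a
    # type (outside of pinning, which this demo does not model) is rejected:
    if gid is not None and gid != "*" and gtype is not None:
        raise GrantError("parsed grant string would not result in any action being authorized")
    return Grant(gid, gtype, actions)


def is_valid_grant(text: str) -> bool:
    """Convenience wrapper: does the grant string parse under the rules above?"""
    try:
        parse_grant(text)
        return True
    except GrantError:
        return False


def authorizes(grants: Iterable[Grant], resource_id: str, action: str) -> bool:
    """True if any grant permits `action` on the resource with `resource_id`.
    IDs are compared byte-for-byte; Boundary IDs are case-sensitive, which is
    exactly why a grant lowercased on storage yields a 403 at connect time."""
    rtype = PREFIX_TYPES.get(resource_id.split("_", 1)[0])
    for g in grants:
        if action not in g.actions and "*" not in g.actions:
            continue
        if g.id == resource_id:                      # specific-ID grant, exact match only
            return True
        if g.id == "*" and g.type in ("*", rtype):   # wildcard grant scoped by type
            return True
        # g.id is None: type-only grants cover collection actions (list/create),
        # which this demo does not model.
    return False


TARGET_ID = "ttcp_j0cELv3UI5"   # mixed-case target ID quoted in the thread


def demo():
    """Returns (exact grant, lowercased grant, wildcard on target, wildcard on catalog)."""
    exact = [parse_grant(f"id={TARGET_ID};actions=authorize-session")]
    stored = [parse_grant(f"id={TARGET_ID.lower()};actions=authorize-session")]  # what the v0.1.1 client stored
    wide = [parse_grant("id=*;type=target;actions=authorize-session")]
    return (
        authorizes(exact, TARGET_ID, "authorize-session"),
        authorizes(stored, TARGET_ID, "authorize-session"),
        authorizes(wide, TARGET_ID, "authorize-session"),
        authorizes(wide, "hcst_9kF4FooBar", "authorize-session"),
    )


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

The second element of `demo()` is the thread's 403 in miniature: the grant the user typed is fine, the grant the client actually stored is not, and nothing in the role listing makes the difference obvious unless you compare the canonical grant character by character against `boundary targets read`. The practical check before opening a bug is therefore to read the role back and diff the stored ID against the real one, which is what the `hcst_9kF4FooBar` example above does.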