Hi, I have a problem with the permissions in my Boundary environment.
Even though I’ve done the basic Administration course twice, the permissions don’t work.
For tests, I configured a production environment with two Hosts and an external DB.
These are the resources I created:
Scopes
$ boundary scopes list
Scope information:
ID: o_OLb35tpVHi
Version: 1
Name: Generated org scope
Description: Provides an initial org scope in Boundary
Authorized Actions:
no-op
read
update
delete
ID: o_UKSkyQcoEn
Version: 1
Name: IT_Support
Description: IT Support Team
Authorized Actions:
no-op
read
update
delete
Projects
$ boundary scopes list -scope-id=o_UKSkyQcoEn
Scope information:
ID: p_fWuFBTZ3XP
Version: 1
Name: QA_Tests
Description: Manage QA machines
Authorized Actions:
no-op
read
update
delete
Users
$ boundary users list -scope-id=o_UKSkyQcoEn
User information:
ID: u_wcKH6CmPJq
Version: 2
Name: tester01
Description: A test user
Authorized Actions:
no-op
read
update
delete
add-accounts
set-accounts
remove-accounts
$ boundary groups list -scope-id=o_UKSkyQcoEn
Group information:
ID: g_0qTWAuSaaX
Version: 2
Name: group01
Description: A test group
Authorized Actions:
no-op
read
update
delete
add-members
set-members
remove-members
Auth-methods
$ boundary auth-methods list -scope-id=o_UKSkyQcoEn
Auth Method information:
ID: ampw_l0zXxTY4XA
Version: 1
Type: password
Name: org_auth_method
Description: Org auth method
Authorized Actions:
no-op
read
update
delete
authenticate
Roles
$ boundary roles list -scope-id=o_UKSkyQcoEn
Role information:
ID: r_B8LUtEfDkj
Version: 3
Name: read-only
Description: Role with read-only permission
Authorized Actions:
no-op
read
update
delete
add-principals
set-principals
remove-principals
add-grants
set-grants
remove-grants
ID: r_yESHwGOT6S
Version: 1
Name: Administration
Description: Role created for administration of scope o_UKSkyQcoEn by user u_aaSmIWuNoe at its creation time
Authorized Actions:
no-op
read
update
delete
add-principals
set-principals
remove-principals
add-grants
set-grants
remove-grants
ID: r_PdteEzlVZt
Version: 1
Name: Login and Default Grants
Description: Role created for login capability, account self-management, and other default grants for users of scope o_UKSkyQcoEn at its creation time
Authorized Actions:
no-op
read
update
delete
add-principals
set-principals
remove-principals
add-grants
set-grants
remove-grants
Read-only role
$ boundary roles read -id=r_B8LUtEfDkj
Role information:
Created Time: Mon, 24 Jan 2022 14:01:26 CET
Description: Role with read-only permission
Grant Scope ID: o_UKSkyQcoEn
ID: r_B8LUtEfDkj
Name: read-only
Updated Time: Mon, 24 Jan 2022 14:02:19 CET
Version: 3
Scope:
ID: o_UKSkyQcoEn
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-principals
set-principals
remove-principals
add-grants
set-grants
remove-grants
Principals:
ID: g_0qTWAuSaaX
Type: group
Scope ID: o_UKSkyQcoEn
Canonical Grants:
id=*;type=*;actions=list,read
Group01 group
$ boundary groups read -id=g_0qTWAuSaaX
Group information:
Created Time: Mon, 24 Jan 2022 13:57:50 CET
Description: A test group
ID: g_0qTWAuSaaX
Name: group01
Updated Time: Mon, 24 Jan 2022 13:58:13 CET
Version: 2
Scope:
ID: o_UKSkyQcoEn
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-members
set-members
remove-members
Members:
ID: u_wcKH6CmPJq
Scope ID: o_UKSkyQcoEn
Now, when I try to read the scopes with the tester01 user:
$ boundary scopes read -id=o_UKSkyQcoEn
Error from controller when performing read on scope
Error information:
Kind: PermissionDenied
Message: Forbidden.
Status: 403
context: Error from controller when performing read on scope
Thanks for your help
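Editor's note with an added example (my own code, not part of the post and not Boundary's implementation). The read-only role above has Grant Scope ID o_UKSkyQcoEn, so its grant `id=*;type=*;actions=list,read` applies to resources that live inside the org (the project, users, groups, auth methods). A scope is itself a resource that lives in its parent scope, so `boundary scopes read -id=o_UKSkyQcoEn` is authorized against grants whose grant scope is global, which this role does not have. The toy evaluator below mirrors the post's IDs, group membership and the one grant the post shows (the "Login and Default Grants" role's grants are not shown, so they are not modelled), and then adds a hypothetical role at global with `id=o_UKSkyQcoEn;type=scope;actions=read` to show where such a grant has to sit; that role, its principal placement and the `TYPE_BY_PREFIX` table are assumptions for illustration, and the evaluator is a simplification of Boundary's ACL logic, not a copy of it.

```python
"""Toy model of Boundary grant evaluation, constructed to mirror the post.

Simplified evaluator (not Boundary's code) applying two rules:
(1) a grant applies only when the role's grant scope is the scope the
    resource lives in, and
(2) a scope resource lives in its *parent* scope, so reading an org is
    authorized against grants whose grant scope is 'global'."""

from dataclasses import dataclass

# Scope tree from the post: global -> org -> project.
SCOPE_PARENT = {"global": None, "o_UKSkyQcoEn": "global", "p_fWuFBTZ3XP": "o_UKSkyQcoEn"}

# Group membership from `boundary groups read -id=g_0qTWAuSaaX`.
GROUP_MEMBERS = {"g_0qTWAuSaaX": {"u_wcKH6CmPJq"}}

# Resource type by ID prefix (assumed mapping, covering the IDs in the post).
TYPE_BY_PREFIX = {"o_": "scope", "p_": "scope", "u_": "user",
                  "g_": "group", "ampw_": "auth-method", "r_": "role"}


@dataclass(frozen=True)
class Grant:
    id: str
    type: str
    actions: frozenset


@dataclass
class Role:
    grant_scope_id: str   # "Grant Scope ID" from `boundary roles read`
    principals: set       # user and group IDs
    grants: list


def parse_grant(text):
    """Parse a canonical grant string such as 'id=*;type=*;actions=list,read'."""
    fields = dict(kv.split("=", 1) for kv in text.split(";"))
    if "actions" not in fields or not (fields.keys() & {"id", "type"}):
        raise ValueError(f"grant needs actions and an id or type: {text!r}")
    return Grant(fields.get("id", "*"), fields.get("type", "*"),
                 frozenset(fields["actions"].split(",")))


def resource_type(resource_id):
    for prefix, rtype in TYPE_BY_PREFIX.items():
        if resource_id.startswith(prefix):
            return rtype
    raise ValueError(f"unknown ID prefix: {resource_id}")


def principals_for(user_id):
    """A user acts as itself plus every group it belongs to."""
    return {user_id} | {g for g, members in GROUP_MEMBERS.items() if user_id in members}


def authorizing_scope(resource_id, scope_id):
    """Scope whose grants govern the resource. `scope_id` is the 'Scope ID' the
    CLI shows for a non-scope resource; a scope is governed by its parent."""
    if resource_type(resource_id) == "scope":
        return SCOPE_PARENT[resource_id]
    return scope_id


def authorize(roles, user_id, resource_id, scope_id, action):
    """True if some role held by the user grants `action` on the resource."""
    principals = principals_for(user_id)
    target_scope = authorizing_scope(resource_id, scope_id)
    rtype = resource_type(resource_id)
    for role in roles:
        if not (role.principals & principals) or role.grant_scope_id != target_scope:
            continue
        for g in role.grants:
            if g.id in ("*", resource_id) and g.type in ("*", rtype) and action in g.actions:
                return True
    return False


# The read-only role exactly as shown in the post (r_B8LUtEfDkj).
READ_ONLY = Role("o_UKSkyQcoEn", {"g_0qTWAuSaaX"},
                 [parse_grant("id=*;type=*;actions=list,read")])

# Hypothetical fix (assumption, not from the post): a role whose grant scope is
# global, carrying a grant on the org scope itself for the same group.
ORG_READER_AT_GLOBAL = Role("global", {"g_0qTWAuSaaX"},
                            [parse_grant("id=o_UKSkyQcoEn;type=scope;actions=read")])


def demo():
    """Return (org_read_with_post_setup, project_read_with_post_setup, org_read_after_fix)."""
    u = "u_wcKH6CmPJq"
    return (
        authorize([READ_ONLY], u, "o_UKSkyQcoEn", "o_UKSkyQcoEn", "read"),
        authorize([READ_ONLY], u, "p_fWuFBTZ3XP", "p_fWuFBTZ3XP", "read"),
        authorize([READ_ONLY, ORG_READER_AT_GLOBAL], u, "o_UKSkyQcoEn", "o_UKSkyQcoEn", "read"),
    )


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(False, True, True)`: the org read is denied with the post's setup (the 403 above), a read of the project p_fWuFBTZ3XP under the org is allowed by the same grant, and the org read succeeds only once a grant on the org is evaluated in global. Whether a role in global may carry an org-scoped group as principal, and which grants the default "Login and Default Grants" role already provides, should be checked against the docs for the Boundary version in use.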