Can't read scopes

Hi, I have a problem with the permissions in my Boundary environment.
Even though I’ve done the basic Administration course twice, the permissions don’t work.

For tests, I configured a production environment with two Hosts and an external DB.

These are the resources I created:

Scopes

$ boundary scopes list
Scope information:
  ID:                    o_OLb35tpVHi
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    o_UKSkyQcoEn
    Version:             1
    Name:                IT_Support
    Description:         IT Support Team
    Authorized Actions:
      no-op
      read
      update
      delete

Projects

$ boundary scopes list -scope-id=o_UKSkyQcoEn

Scope information:
  ID:                    p_fWuFBTZ3XP
    Version:             1
    Name:                QA_Tests
    Description:         Manage QA machines
    Authorized Actions:
      no-op
      read
      update
      delete

Users

$ boundary users list -scope-id=o_UKSkyQcoEn

User information:
  ID:                    u_wcKH6CmPJq
    Version:             2
    Name:                tester01
    Description:         A test user
    Authorized Actions:
      no-op
      read
      update
      delete
      add-accounts
      set-accounts
      remove-accounts
$ boundary groups list -scope-id=o_UKSkyQcoEn

Group information:
  ID:                    g_0qTWAuSaaX
    Version:             2
    Name:                group01
    Description:         A test group
    Authorized Actions:
      no-op
      read
      update
      delete
      add-members
      set-members
      remove-members

Auth-methods

$ boundary auth-methods list -scope-id=o_UKSkyQcoEn

Auth Method information:
  ID:                     ampw_l0zXxTY4XA
    Version:              1
    Type:                 password
    Name:                 org_auth_method
    Description:          Org auth method
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

Roles

$ boundary roles list -scope-id=o_UKSkyQcoEn

Role information:
  ID:                    r_B8LUtEfDkj
    Version:             3
    Name:                read-only
    Description:         Role with read-only permission
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_yESHwGOT6S
    Version:             1
    Name:                Administration
    Description:         Role created for administration of scope o_UKSkyQcoEn by user u_aaSmIWuNoe at its creation time
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

  ID:                    r_PdteEzlVZt
    Version:             1
    Name:                Login and Default Grants
    Description:         Role created for login capability, account self-management, and other default grants for users of scope o_UKSkyQcoEn at its creation time
    Authorized Actions:
      no-op
      read
      update
      delete
      add-principals
      set-principals
      remove-principals
      add-grants
      set-grants
      remove-grants

Read-only role

$ boundary roles read -id=r_B8LUtEfDkj

Role information:
  Created Time:        Mon, 24 Jan 2022 14:01:26 CET
  Description:         Role with read-only permission
  Grant Scope ID:      o_UKSkyQcoEn
  ID:                  r_B8LUtEfDkj
  Name:                read-only
  Updated Time:        Mon, 24 Jan 2022 14:02:19 CET
  Version:             3

  Scope:
    ID:                o_UKSkyQcoEn
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             g_0qTWAuSaaX
      Type:         group
      Scope ID:     o_UKSkyQcoEn

  Canonical Grants:
    id=*;type=*;actions=list,read

Group01 group

$ boundary groups read -id=g_0qTWAuSaaX

Group information:
  Created Time:        Mon, 24 Jan 2022 13:57:50 CET
  Description:         A test group
  ID:                  g_0qTWAuSaaX
  Name:                group01
  Updated Time:        Mon, 24 Jan 2022 13:58:13 CET
  Version:             2

  Scope:
    ID:                o_UKSkyQcoEn
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-members
    set-members
    remove-members

  Members:
    ID:                u_wcKH6CmPJq
    Scope ID:          o_UKSkyQcoEn

Now, when I try to read the scopes with the tester01 user:

$ boundary scopes read -id=o_UKSkyQcoEn
Error from controller when performing read on scope

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing read on scope

Thanks for your help

I don’t see any grants with scope read above? Try running this with the appropriate role:

boundary roles add-grants -grant 'id=*;type=scope;actions=list,read,no-op' ...

ETA: oh, I see you gave it a global read-only. Did you re-authenticate after making the changes? The rights are assigned to the token at creation, and don’t shift underneath if you make changes after your token exists.

Yes, I re-authenticated several times. The result is always the same.

Update: I updated Boundary to the newest version and ran some tests. The problem is still present, but I have new findings.
The problem doesn’t seem to be the role. Even if I add the user to the Administrator role or add administrator grants to the read-only role, he can’t read the scope.

Administrator

$ boundary roles read -id=r_yESHwGOT6S

Role information:
  Created Time:        Mon, 24 Jan 2022 13:48:37 CET
  Description:         Role created for administration of scope o_UKSkyQcoEn by user u_aaSmIWuNoe at its creation time
  Grant Scope ID:      o_UKSkyQcoEn
  ID:                  r_yESHwGOT6S
  Name:                Administration
  Updated Time:        Mon, 31 Jan 2022 10:45:19 CET
  Version:             2

  Scope:
    ID:                o_UKSkyQcoEn
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             u_aaSmIWuNoe
      Type:         user
      Scope ID:     global
    ID:             u_wcKH6CmPJq
      Type:         user
      Scope ID:     o_UKSkyQcoEn

  Canonical Grants:
    id=*;type=*;actions=*

Read-only

$ boundary roles read -id=r_B8LUtEfDkj

Role information:
  Created Time:        Mon, 24 Jan 2022 14:01:26 CET
  Description:         Role with read-only permission
  Grant Scope ID:      o_UKSkyQcoEn
  ID:                  r_B8LUtEfDkj
  Name:                read-only
  Updated Time:        Mon, 31 Jan 2022 10:50:29 CET
  Version:             6

  Scope:
    ID:                o_UKSkyQcoEn
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             g_0qTWAuSaaX
      Type:         group
      Scope ID:     o_UKSkyQcoEn

  Canonical Grants:
    id=*;type=*;actions=list,read
    id=*;type=*;actions=*

Result:

$ boundary scopes read -id=o_UKSkyQcoEn

Error from controller when performing read on scope

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing read on scope

Do you have any ideas?

This is incorrect. A token identifies a user, nothing more. The user’s set of permissions are evaluated at request time from the roles in which the user is either a direct principal or a member of a group that is a principal.

The issue is that resources “live” in their enclosing scope. For an auth method in an organization, as an example, the auth method resource lives in that organization scope.

This is true for scopes as well. You’ve granted permissions in o_UKSkyQcoEn to read and list any resource – but the scope o_UKSkyQcoEn itself doesn’t live in itself! It lives in the global scope.

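The rule in the answer above (a role only governs resources that live in its grant scope, and a scope lives in its parent scope) is easy to mis-model, so here is a small Python simulation of that evaluation. It is an added example written for this thread, not Boundary's own authorization code: the IDs and grants are copied from the posts above, while the `ORG_READER` role in the global scope is a hypothetical fix (the thread does not show which role the poster actually added).

```python
"""Toy model of Boundary's scope-based grant evaluation (not Boundary's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    id: str
    type: str
    scope_id: str  # the scope this resource lives in (its enclosing scope)


@dataclass
class Role:
    id: str
    grant_scope_id: str    # the role's "Grant Scope ID"
    grants: list           # canonical grant strings, e.g. "id=*;type=*;actions=list,read"
    principals: frozenset  # user or group IDs


def parse_grant(grant: str) -> dict:
    """Split 'id=*;type=scope;actions=list,read' into its three fields."""
    fields = dict(kv.split("=", 1) for kv in grant.split(";"))
    return {
        "id": fields.get("id", "*"),
        "type": fields.get("type", "*"),
        "actions": set(fields.get("actions", "").split(",")),
    }


def grant_allows(grant: dict, resource: Resource, action: str) -> bool:
    """A grant matches when id, type and action each match (or are wildcards)."""
    return (
        grant["id"] in ("*", resource.id)
        and grant["type"] in ("*", resource.type)
        and ("*" in grant["actions"] or action in grant["actions"])
    )


def is_authorized(user_id, memberships, roles, resource, action) -> bool:
    """Evaluate at request time from the user's direct and group principals."""
    principal_ids = {user_id} | memberships.get(user_id, set())
    for role in roles:
        if not (role.principals & principal_ids):
            continue  # user is neither a direct principal nor in a principal group
        # The rule from the answer: the role only governs resources that live in
        # its grant scope. An org scope lives in global, not in itself.
        if role.grant_scope_id != resource.scope_id:
            continue
        if any(grant_allows(parse_grant(g), resource, action) for g in role.grants):
            return True
    return False


# Constructed data mirroring the thread (IDs taken from the posts above).
ORG = Resource("o_UKSkyQcoEn", "scope", "global")            # the org lives in global
PROJECT = Resource("p_fWuFBTZ3XP", "scope", "o_UKSkyQcoEn")  # the project lives in the org
MEMBERSHIPS = {"u_wcKH6CmPJq": {"g_0qTWAuSaaX"}}             # tester01 is in group01

READ_ONLY = Role("r_B8LUtEfDkj", "o_UKSkyQcoEn",
                 ["id=*;type=*;actions=list,read"], frozenset({"g_0qTWAuSaaX"}))
# The org Administration role after tester01 was added to it directly (Update post).
ADMIN = Role("r_yESHwGOT6S", "o_UKSkyQcoEn",
             ["id=*;type=*;actions=*"], frozenset({"u_aaSmIWuNoe", "u_wcKH6CmPJq"}))
# Hypothetical fix (assumption, not shown in the thread): a role in the global
# scope that grants read on just this one org, rather than a global wildcard.
ORG_READER = Role("r_hypothetical", "global",
                  ["id=o_UKSkyQcoEn;type=scope;actions=read"], frozenset({"g_0qTWAuSaaX"}))


def evaluate(roles) -> dict:
    """What tester01 may read under the given roles."""
    return {
        "read_org": is_authorized("u_wcKH6CmPJq", MEMBERSHIPS, roles, ORG, "read"),
        "read_project": is_authorized("u_wcKH6CmPJq", MEMBERSHIPS, roles, PROJECT, "read"),
    }


if __name__ == "__main__":
    print("read-only role only:   ", evaluate([READ_ONLY]))
    print("plus org Administration:", evaluate([READ_ONLY, ADMIN]))
    print("plus global org reader: ", evaluate([READ_ONLY, ORG_READER]))
```

With only the org-scoped roles, reading the project succeeds and reading the org itself is denied, no matter how broad the grants are (even `actions=*`), which is exactly the 403 in the posts. Granting read on `o_UKSkyQcoEn` from a role whose grant scope is `global` fixes it; scoping that grant to the single org ID keeps the user from reading every other org under global.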

Thanks for your explanation. I didn’t know that.
It solved the problem. :grinning:

Awesome! Glad it’s fixed!