Confused on roles and permission

Hi, I have been using Boundary for 2 weeks and it's good.
I have a huge doubt regarding roles and permissions.
Let's say as an admin I created a project, and in the project I created a target.
I have two users called pankaj and rahul.
As an admin I gave pankaj read and write access, and rahul read-only access.
Either pankaj or rahul authenticates to Boundary using the auth ID, username and password.
When I SSH to the target and give the username as pankaj, it asks me for the password, and when I enter the password it says permission denied.
Instead of using pankaj as the username, I used root and it worked fine.
My question is: for user restrictions, do we need to register the usernames pankaj and rahul on the target VM?

Boundary doesn’t manipulate the SSH connection to the target VM or create users on it, it just decides whether a given Boundary user is allowed to open the connection or not. If you want to SSH to a VM as a user other than the default user, you’ll need to create that user outside of Boundary. For some kinds of credentials Vault can do that dynamically, but the generated credential name won’t have any relation to the Boundary user’s name.
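To make the split described in this answer concrete, here is an added example (not from the thread, and not HashiCorp's own configuration) using the Boundary Terraform provider. It models the scenario from the question: two users, one target, one role that can open sessions and one that can only read the target. Every ID, address, name and password in it is a placeholder assumption, and the controller address and admin auth method are assumed to already exist.

```hcl
# Added example (not from the thread): Boundary roles for pankaj and rahul.
# All names, addresses and passwords are placeholders.
terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

variable "admin_auth_method_id" {} # assumed: password auth method in the global scope
variable "admin_password" {}
variable "pankaj_password" {}
variable "rahul_password" {}

provider "boundary" {
  addr                            = "http://127.0.0.1:9200" # assumed controller address
  auth_method_id                  = var.admin_auth_method_id
  password_auth_method_login_name = "admin"
  password_auth_method_password   = var.admin_password
}

resource "boundary_scope" "org" {
  scope_id                 = "global"
  name                     = "demo-org"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_scope" "project" {
  scope_id               = boundary_scope.org.id
  name                   = "demo-project"
  auto_create_admin_role = true
}

# Both people authenticate here with auth method ID + login name + password.
resource "boundary_auth_method" "password" {
  scope_id = boundary_scope.org.id
  type     = "password"
}

resource "boundary_account_password" "pankaj" {
  auth_method_id = boundary_auth_method.password.id
  login_name     = "pankaj"
  password       = var.pankaj_password
}

resource "boundary_account_password" "rahul" {
  auth_method_id = boundary_auth_method.password.id
  login_name     = "rahul"
  password       = var.rahul_password
}

resource "boundary_user" "pankaj" {
  scope_id    = boundary_scope.org.id
  name        = "pankaj"
  account_ids = [boundary_account_password.pankaj.id]
}

resource "boundary_user" "rahul" {
  scope_id    = boundary_scope.org.id
  name        = "rahul"
  account_ids = [boundary_account_password.rahul.id]
}

# The target is just an address and port. Nothing below creates an OS
# account on the VM; a Linux user "pankaj" still has to be added there by hand.
resource "boundary_host_catalog_static" "vms" {
  scope_id = boundary_scope.project.id
  name     = "vms"
}

resource "boundary_host_static" "vm1" {
  host_catalog_id = boundary_host_catalog_static.vms.id
  name            = "vm1"
  address         = "10.0.0.10" # assumed VM address
}

resource "boundary_host_set_static" "vms" {
  host_catalog_id = boundary_host_catalog_static.vms.id
  name            = "vms"
  host_ids        = [boundary_host_static.vm1.id]
}

resource "boundary_target" "ssh" {
  scope_id        = boundary_scope.project.id
  name            = "vm1-ssh"
  type            = "tcp"
  default_port    = 22
  host_source_ids = [boundary_host_set_static.vms.id]
}

# "read and write": pankaj can see the target and open sessions to it.
resource "boundary_role" "operator" {
  scope_id      = boundary_scope.project.id
  name          = "vm1-operator"
  principal_ids = [boundary_user.pankaj.id]
  grant_strings = [
    "id=*;type=target;actions=list",
    "id=${boundary_target.ssh.id};actions=read,authorize-session",
  ]
}

# "read only": rahul can see the target, but without authorize-session the
# controller refuses `boundary connect` before any SSH traffic is proxied.
resource "boundary_role" "viewer" {
  scope_id      = boundary_scope.project.id
  name          = "vm1-viewer"
  principal_ids = [boundary_user.rahul.id]
  grant_strings = [
    "id=*;type=target;actions=list",
    "id=${boundary_target.ssh.id};actions=read",
  ]
}
```

The check Boundary performs is the authorize-session grant, not the SSH login name. After `boundary authenticate password -auth-method-id <id> -login-name pankaj`, running `boundary connect ssh -target-id <target id> -username pankaj` only succeeds at the SSH layer if an account named pankaj already exists on the VM (for example created with useradd); Boundary proxies the bytes and never sees or creates that account. Connecting with `-username root` works for the same reason the original poster observed: the OS account exists, and the Boundary user was permitted to open the session.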

So I need to register the username on the VM for access?
Then Boundary checks whether the given username has access or not?

Usernames on VMs are separate from the username in Boundary and there’s no correlation between the two. Any Boundary user with permission to connect to a VM can use any valid username and password or SSH key for that target to connect to it, but local usernames on the VM have to already exist for the connection to succeed.

There’s an item related to this on the Boundary roadmap:

On the roadmap is support for SSH signed certificates, a more secure method of SSH authentication using certificates.

but that’s not something that exists in Boundary today.

What you can, at least in theory, do today is use LDAP auth on your VMs and then use the LDAP dynamic secrets engine with Vault to create an expiring LDAP credential on the fly that will be given to the Boundary user when they boundary connect to the VM.
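The LDAP approach sketched in this reply, as an added example that is not part of the thread and not HashiCorp's own configuration: Vault's LDAP secrets engine issues a short-lived directory user on each read, and a Boundary Vault credential library brokers that credential into the session. The directory DNs, addresses, TTLs, policy name and the assumption that the VMs already authenticate SSH logins against the same directory (via PAM/SSSD) are all placeholders; the `brokered_credential_source_ids` attribute assumes a recent Boundary provider.

```hcl
# Added example (not from the thread): Vault LDAP dynamic credentials brokered
# by Boundary. DNs, addresses, TTLs and IDs are placeholder assumptions.
variable "ldap_bind_password" {}
variable "project_id" {}  # assumed: existing Boundary project scope
variable "host_set_id" {} # assumed: existing host set for the VMs

# --- Vault side: directory users that are created on demand and expire ---
resource "vault_ldap_secret_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ldap.example.internal" # assumed: same directory the VMs use
  binddn   = "cn=vault,ou=service,dc=example,dc=internal"
  bindpass = var.ldap_bind_password
  userdn   = "ou=people,dc=example,dc=internal"
}

resource "vault_ldap_secret_backend_dynamic_role" "ssh_user" {
  mount       = vault_ldap_secret_backend.ldap.path
  role_name   = "ssh-user"
  default_ttl = 3600
  max_ttl     = 14400
  # Vault substitutes {{.Username}} and {{.Password}} at issue time; the
  # generated username has no relation to the Boundary user's name.
  creation_ldif = <<-EOT
    dn: cn={{.Username}},ou=people,dc=example,dc=internal
    objectClass: person
    objectClass: top
    cn: {{.Username}}
    sn: {{.Username}}
    userPassword: {{.Password}}
  EOT
  deletion_ldif = <<-EOT
    dn: cn={{.Username}},ou=people,dc=example,dc=internal
    changetype: delete
  EOT
}

# Least-privilege policy for the token Boundary holds: read the creds path
# plus the self-management paths Boundary needs to renew and revoke leases.
resource "vault_policy" "boundary" {
  name   = "boundary-ldap"
  policy = <<-EOT
    path "ldap/creds/ssh-user"    { capabilities = ["read"] }
    path "auth/token/lookup-self" { capabilities = ["read"] }
    path "auth/token/renew-self"  { capabilities = ["update"] }
    path "auth/token/revoke-self" { capabilities = ["update"] }
    path "sys/leases/renew"       { capabilities = ["update"] }
    path "sys/leases/revoke"      { capabilities = ["update"] }
    path "sys/capabilities-self"  { capabilities = ["update"] }
  EOT
}

# Boundary requires a periodic, renewable, orphan token for the credential store.
resource "vault_token" "boundary" {
  policies  = [vault_policy.boundary.name]
  renewable = true
  period    = "24h"
  no_parent = true
}

# --- Boundary side: broker the Vault credential into the target ---
resource "boundary_credential_store_vault" "vault" {
  scope_id = var.project_id
  name     = "vault"
  address  = "https://vault.example.internal:8200" # assumed Vault address
  token    = vault_token.boundary.client_token
}

resource "boundary_credential_library_vault" "ldap_ssh" {
  credential_store_id = boundary_credential_store_vault.vault.id
  name                = "ldap-ssh-user"
  path                = "ldap/creds/ssh-user" # each read mints a fresh LDAP user
  http_method         = "GET"
}

resource "boundary_target" "ssh" {
  scope_id                       = var.project_id
  name                           = "vm1-ssh"
  type                           = "tcp"
  default_port                   = 22
  host_source_ids                = [var.host_set_id]
  brokered_credential_source_ids = [boundary_credential_library_vault.ldap_ssh.id]
}
```

With this in place a Boundary user who is allowed to authorize a session on the target receives a freshly generated LDAP username and password in the `boundary connect` output, logs in to the VM with it, and Vault deletes the directory entry when the lease expires or the session ends. The Boundary username still never reaches the VM, which is the point the reply above makes: the OS-level identity is whatever the directory (or a locally created account) says it is.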
