Error from controller when performing authorize-session on a session against target:
and
Error from controller when performing read on target:
i dont know what happen. im already create new roles with administrator role id=;type=;actions=*
then create user, account attach all of them . but when im login using username and password and try to connect target host always show forbidden. but when im try dev environment admin/password its success.
thannks
Can you share the resources you’re creating? My guess is that the role you’re creating with that grant that you showed is not in the right scope (or has the wrong grant_scope_id) so it’s not applying to your target.
im already follow this tutorial
liitle update roles like this id=*;type=*;actions=*
but always response forbidden for new project or create new target with default project p_12345678910 . i dunno where my mistakes.
i dont understand for login get token. but for next step for get session always 403.
If you’re following that tutorial exactly, then the role being created on that page applies grants to the organization scope, not the project scope. It’s pretty hard without you sharing your roles and targets to understand what the issue may be.
If you’re running CLI commands, sending the set of commands you’re running would help with reproducing.
I just gave this a try against a dev instance:
$ boundary roles list -scope-id p_1234567890
Role information:
ID: r_gzpaqKGh3A
Version: 1
Name: Administration
Description: Role created for administration of scope p_1234567890 by user u_1234567890
at its creation time
$ boundary roles read -id r_gzpaqKGh3A
Role information:
Created Time: Thu, 22 Oct 2020 11:06:36 EDT
Description: Role created for administration of scope p_1234567890 by user
u_1234567890 at its creation time
Grant Scope ID: p_1234567890
ID: r_gzpaqKGh3A
Name: Administration
Updated Time: Thu, 22 Oct 2020 11:06:36 EDT
Version: 1
Scope:
ID: p_1234567890
Name: Generated project scope
Parent Scope ID: o_1234567890
Type: project
Principals:
ID: u_1234567890
Type: user
Scope ID: global
Canonical Grants:
id=*;type=*;actions=*
$ boundary roles set-grants -id r_gzpaqKGh3A -grant "id=*;type=role;actions=*"
Role information:
Created Time: Thu, 22 Oct 2020 11:06:36 EDT
Description: Role created for administration of scope p_1234567890 by user
u_1234567890 at its creation time
Grant Scope ID: p_1234567890
ID: r_gzpaqKGh3A
Name: Administration
Updated Time: Thu, 22 Oct 2020 11:08:26 EDT
Version: 3
Scope:
ID: p_1234567890
Name: Generated project scope
Parent Scope ID: o_1234567890
Type: project
Principals:
ID: u_1234567890
Type: user
Scope ID: global
Canonical Grants:
id=*;type=role;actions=*
$ boundary connect -target-id ttcp_1234567890
Error from controller when performing authorize-session against target:
Error information:
Code:
Message: Forbidden
Status: 403
$ boundary roles add-grants -id r_gzpaqKGh3A -grant "id=ttcp_1234567890;actions=authorize-session"
Role information:
Created Time: Thu, 22 Oct 2020 11:06:36 EDT
Description: Role created for administration of scope p_1234567890 by user
u_1234567890 at its creation time
Grant Scope ID: p_1234567890
ID: r_gzpaqKGh3A
Name: Administration
Updated Time: Thu, 22 Oct 2020 11:08:59 EDT
Version: 4
Scope:
ID: p_1234567890
Name: Generated project scope
Parent Scope ID: o_1234567890
Type: project
Principals:
ID: u_1234567890
Type: user
Scope ID: global
Canonical Grants:
id=*;type=role;actions=*
id=ttcp_1234567890;actions=authorize-session
$ boundary connect -target-id ttcp_1234567890
Proxy listening information:
Address: 127.0.0.1
Connection Limit: 1
Expiration: Thu, 22 Oct 2020 19:09:01 EDT
Port: 33323
Protocol: tcp
Session ID: s_J7ceLqYg0Y
I am having a very similar issue. However, none of the admin users i create via terraform can do anything other than log in. For instance, i add the ssh boundary_account (refer to terraform) i made to a user via admin, i do a log in,
boundary authenticate password \
-login-name=ssh \
-password supersecure \
-auth-method-id=ampw_9pfeAr7tbi
with the response
Authentication information:
Account ID: apw_Eqf0TfRWAx
Auth Method ID: ampw_sQTelGNy1o
Expiration Time: Sat, 31 Oct 2020 10:56:24 -03
Token: at_4nip202bP7_s13B9hbMfw5mwoqrkcPyE4T5FFnM6yfDMDJ4MX1aBK8oFnYsnDpbJA6QgVnrnBEV197JXzdKY9XoXaBt6m3UEVVSa2LzypgUBDYAEuiZyt5yoigjJR
User ID: u_yMSDoLsY4Q
and i want to do boundary roles list -scope-id p_MGQYbBzG1W
where is the scope-id is the project that terraform created within the organization that the user exists
i get a
Error information:
Code:
Message: Forbidden
Status: 403
Terraform:
provider "boundary" {
addr = "http://127.0.0.1:9200"
auth_method_id = "ampw_NLkkHNcQoP"
password_auth_method_login_name = "admin"
password_auth_method_password = "pnB7j6d0FuLIEUGCe1tb"
}
variable "users" {
type = set(string)
default = [
"Jim",
"Mike",
"Todd",
"Jeff",
"Randy",
"Susmitha"
]
}
variable "readonly_users" {
type = set(string)
default = [
"Pete",
"JT"
]
}
variable "backend_server_ips" {
type = set(string)
default = [
"192.168.1.120",
"10.1.0.2",
]
}
resource "boundary_scope" "global" {
global_scope = true
scope_id = "global"
}
resource "boundary_scope" "corp" {
scope_id = boundary_scope.global.id
auto_create_admin_role = true
auto_create_default_role = true
name = "Corp"
description = "Corp"
}
resource "boundary_auth_method" "password" {
name = "org_auth_method"
description = "Password auth method for org"
type = "password"
scope_id = boundary_scope.corp.id
}
resource "boundary_account" "ssh_users" {
// for_each = var.users
name = "ssh"
description = "Login account for ssh"
type = "password"
login_name = "ssh"
password = "supersecure"
auth_method_id = boundary_auth_method.password.id
}
//locals {
// users = {for s in var.users: index(var.users, s) => s}
//}
resource "boundary_user" "users" {
for_each = var.users
name = each.key
description = "User resource for ${each.key}"
// account_ids = [ boundary_account.ssh_users[index(var.users, each.value) + 1].id ]
scope_id = boundary_scope.corp.id
}
resource "boundary_user" "readonly_users" {
for_each = var.readonly_users
name = each.key
description = "User resource for ${each.key}"
scope_id = boundary_scope.corp.id
}
// organiation level group for readonly users
resource "boundary_group" "readonly_users" {
name = "readonly"
description = "Organization group for readonly users"
member_ids = [for user in boundary_user.readonly_users : user.id]
scope_id = boundary_scope.corp.id
}
// add org-level role for readonly access
resource "boundary_role" "organization_readonly" {
name = "readonly"
description = "Read-only role"
principal_ids = [boundary_group.readonly_users.id]
grant_strings = ["id=*;type=*;actions=read"]
scope_id = boundary_scope.corp.id
}
// add org-level role for administration access
resource "boundary_role" "organization_admin" {
name = "admin"
description = "Administrator role"
principal_ids = concat(
[for user in boundary_user.users: user.id]
)
grant_strings = ["id=*;type=*;actions=create,read,update,delete"]
scope_id = boundary_scope.corp.id
}
// create a project for core infrastructure
resource "boundary_scope" "core_infra" {
description = "Core infrastrcture"
scope_id = boundary_scope.corp.id
auto_create_admin_role = true
}
resource "boundary_host_catalog" "backend_servers" {
name = "backend_servers"
description = "Backend servers host catalog"
type = "static"
scope_id = boundary_scope.core_infra.id
}
resource "boundary_host" "backend_servers" {
for_each = var.backend_server_ips
type = "static"
name = "backend_server_service_${each.value}"
description = "Backend server host"
address = each.key
host_catalog_id = boundary_host_catalog.backend_servers.id
}
resource "boundary_host_set" "backend_servers_ssh" {
type = "static"
name = "backend_servers_ssh"
description = "Host set for backend servers"
host_catalog_id = boundary_host_catalog.backend_servers.id
host_ids = [for host in boundary_host.backend_servers : host.id]
}
// create target for accessing backend servers on port :8000
resource "boundary_target" "backend_servers_service" {
type = "tcp"
name = "backend_servers_service"
description = "Backend service target"
scope_id = boundary_scope.core_infra.id
default_port = "8080"
host_set_ids = [
boundary_host_set.backend_servers_ssh.id
]
}
// create target for accessing backend servers on port :22
resource "boundary_target" "backend_servers_ssh" {
type = "tcp"
name = "backend_servers_ssh"
description = "Backend SSH target"
scope_id = boundary_scope.core_infra.id
default_port = "22"
host_set_ids = [
boundary_host_set.backend_servers_ssh.id
]
}
PS I am not USING DEV. this is the single instance server config i use:
disable_mlock = true
controller {
name = "demo-controller-1"
description = "A controller for a demo!"
database {
url = "postgresql://boundary:ohv5Tex2zei7bahbiekooqu6eingeesh@localhost:5432/boundary?sslmode=disable"
}
}
worker {
name = "demo-worker-1"
description = "A default worker created demonstration"
controllers = [
"127.0.0.1",
]
// public_addr = "myhost.mycompany.com"
}
listener "tcp" {
address = "0.0.0.0"
purpose = "api"
tls_disable = true
// cors_enabled = true
// cors_allowed_origins = ["yourcorp.yourdomain.com"]
}
listener "tcp" {
address = "127.0.0.1"
purpose = "cluster"
tls_disable = true
}
listener "tcp" {
purpose = "proxy"
tls_disable = true
}
# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "aead" {
purpose = "root"
aead_type = "aes-gcm"
key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
key_id = "global_root"
}
# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "aead" {
purpose = "worker-auth"
aead_type = "aes-gcm"
key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
key_id = "global_worker-auth"
}
# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
purpose = "recovery"
aead_type = "aes-gcm"
key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
key_id = "global_recovery"
}
i havent worked it out quite with terraform but i think you have the same issue as me
you need to grant a role to a project scope
see
Does not that seem just broken? In addition, that command doesnt seem to work for me.
[demo_boundary] boundary roles update -grant-scope-id=p_MGQYbBzG1W -id=r_cDYvfmisfF develop âś âś±
Role information:
Created Time: Sat, 24 Oct 2020 12:35:31 -03
Description: Administrator role
Grant Scope ID: p_MGQYbBzG1W
ID: r_cDYvfmisfF
Name: admin
Updated Time: Sat, 24 Oct 2020 12:38:42 -03
Version: 4
Scope:
ID: o_nTgTfDCwhZ
Name: Corp
Parent Scope ID: global
Type: org
Principals:
ID: u_cvRAAjHr9V
Type: user
Scope ID: o_nTgTfDCwhZ
ID: u_FQVKmG3f8t
Type: user
Scope ID: o_nTgTfDCwhZ
ID: u_NIfvFcUxjn
Type: user
Scope ID: o_nTgTfDCwhZ
ID: u_ljhtfX4dVv
Type: user
Scope ID: o_nTgTfDCwhZ
ID: u_igPIiIjDNn
Type: user
Scope ID: o_nTgTfDCwhZ
ID: u_IOkrpYQZRi
Type: user
Scope ID: o_nTgTfDCwhZ
Canonical Grants:
id=*;type=*;actions=create,delete,read,update
the output doesnt contain that role
[demo_boundary] boundary roles list -scope-id p_MGQYbBzG1W develop âś âś±
Role information:
ID: r_xF0ileZlLU
Version: 1
Name: Administration
Description: Role created for administration of scope p_MGQYbBzG1W by user u_CA0KxwdmJl at its creation time
the only way i can get a role in the project is you change the scope in the terraform. However, this role then will not show in the admin site. As i said, this seems completely broken. If we are creating projects through the admin console how can we configure roles etc for that project specifically?
nvm, that command ended up working but this process still seems broken. I guess you cannot control everything from the admin console.
The grant scope id is a way of delegation. It doesn’t move the role into the project scope; you’re simply saying that the grants in that role should apply to the child project. That’s why when you list roles in the project scope it doesn’t show up; it still lives in the org.
terraform:
resource "boundary_role" "organization_admin" {
name = "admin"
description = "Administrator role"
principal_ids = concat(
[for user in boundary_user.users: user.id]
)
grant_strings = ["id=*;type=*;actions=*"]
grant_scope_id = boundary_scope.core_infra.id
scope_id = boundary_scope.corp.id
}
this solved the issue for me.
however, Jeff, I get that, but how can i do this from the admin console? grant a scope.
I believe that field is not in the UI yet; we don’t have 100% API coverage in the admin UI currently.
hi @jeff thank you for attention for helping me.
i have question. i create new project, then create new roles,new user, user auth method then add host catalog and host target on DEV environment . it always return same 403 forbidden. i think on DEV enironment we can’t create new project right? should be create on PROD environment then can create new project etc its works.
There is no functional difference between dev mode and non-dev mode other than dev setting up a database/config for you and creating resources with known suffixes.
okay @jeff thanks for the confirmation what im concern. maybe i will try another way for test like using terraform.
You may want to try granting a wide swath of permissions to your users (e.g. id=*;type=*;actions=* and seeing if you stop getting the 403. If so, then it means that there is something missing in the existing grants. If not, then it suggests that the grants you’re giving are not in the scope that you think.