Message Forbidden 403 to target host with roles administrator

Error from controller when performing authorize-session on a session against target:

and

Error from controller when performing read on target:

I don't know what happened. I already created new roles with administrator role id=*;type=*;actions=*

Then I create a user and an account and attach all of them. But when I log in using username and password and try to connect to the target host, it always shows Forbidden. But when I try the dev environment admin/password, it succeeds.

thanks

Can you share the resources you’re creating? My guess is that the role you’re creating with that grant that you showed is not in the right scope (or has the wrong grant_scope_id) so it’s not applying to your target.

I'm already following this tutorial

Little update: roles like this id=*;type=*;actions=*

But it always responds Forbidden for a new project or when creating a new target in the default project p_12345678910. I don't know where my mistakes are.

I don't understand: login gets a token, but the next step to get a session is always 403.

If you’re following that tutorial exactly, then the role being created on that page applies grants to the organization scope, not the project scope. It’s pretty hard without you sharing your roles and targets to understand what the issue may be.

If you’re running CLI commands, sending the set of commands you’re running would help with reproducing.

I just gave this a try against a dev instance:

$ boundary roles list -scope-id p_1234567890

Role information:
  ID:            r_gzpaqKGh3A
    Version:     1
    Name:        Administration
    Description: Role created for administration of scope p_1234567890 by user u_1234567890
    at its creation time
$ boundary roles read -id r_gzpaqKGh3A

Role information:
  Created Time:        Thu, 22 Oct 2020 11:06:36 EDT
  Description:         Role created for administration of scope p_1234567890 by user
  u_1234567890 at its creation time
  Grant Scope ID:      p_1234567890
  ID:                  r_gzpaqKGh3A
  Name:                Administration
  Updated Time:        Thu, 22 Oct 2020 11:06:36 EDT
  Version:             1

  Scope:
    ID:                p_1234567890
    Name:              Generated project scope
    Parent Scope ID:   o_1234567890
    Type:              project

  Principals:
    ID:             u_1234567890
      Type:         user
      Scope ID:     global

  Canonical Grants:
    id=*;type=*;actions=*
$ boundary roles set-grants -id r_gzpaqKGh3A -grant "id=*;type=role;actions=*"

Role information:
  Created Time:        Thu, 22 Oct 2020 11:06:36 EDT
  Description:         Role created for administration of scope p_1234567890 by user
  u_1234567890 at its creation time
  Grant Scope ID:      p_1234567890
  ID:                  r_gzpaqKGh3A
  Name:                Administration
  Updated Time:        Thu, 22 Oct 2020 11:08:26 EDT
  Version:             3

  Scope:
    ID:                p_1234567890
    Name:              Generated project scope
    Parent Scope ID:   o_1234567890
    Type:              project

  Principals:
    ID:             u_1234567890
      Type:         user
      Scope ID:     global

  Canonical Grants:
    id=*;type=role;actions=*
$ boundary connect -target-id ttcp_1234567890
Error from controller when performing authorize-session against target: 
Error information:
  Code:
  Message:             Forbidden
  Status:              403
$ boundary roles add-grants -id r_gzpaqKGh3A -grant "id=ttcp_1234567890;actions=authorize-session"

Role information:
  Created Time:        Thu, 22 Oct 2020 11:06:36 EDT
  Description:         Role created for administration of scope p_1234567890 by user
  u_1234567890 at its creation time
  Grant Scope ID:      p_1234567890
  ID:                  r_gzpaqKGh3A
  Name:                Administration
  Updated Time:        Thu, 22 Oct 2020 11:08:59 EDT
  Version:             4

  Scope:
    ID:                p_1234567890
    Name:              Generated project scope
    Parent Scope ID:   o_1234567890
    Type:              project

  Principals:
    ID:             u_1234567890
      Type:         user
      Scope ID:     global

  Canonical Grants:
    id=*;type=role;actions=*
    id=ttcp_1234567890;actions=authorize-session
$ boundary connect -target-id ttcp_1234567890
Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    1
  Expiration:          Thu, 22 Oct 2020 19:09:01 EDT
  Port:                33323
  Protocol:            tcp
  Session ID:          s_J7ceLqYg0Y

I am having a very similar issue. However, none of the admin users I create via terraform can do anything other than log in. For instance, I add the ssh boundary_account (refer to terraform) I made to a user via admin, I do a log in,

boundary authenticate password \
         -login-name=ssh \
         -password supersecure \
         -auth-method-id=ampw_9pfeAr7tbi

with the response

Authentication information:
  Account ID:      apw_Eqf0TfRWAx
  Auth Method ID:  ampw_sQTelGNy1o
  Expiration Time: Sat, 31 Oct 2020 10:56:24 -03
  Token:           at_4nip202bP7_s13B9hbMfw5mwoqrkcPyE4T5FFnM6yfDMDJ4MX1aBK8oFnYsnDpbJA6QgVnrnBEV197JXzdKY9XoXaBt6m3UEVVSa2LzypgUBDYAEuiZyt5yoigjJR
  User ID:         u_yMSDoLsY4Q

and I want to do boundary roles list -scope-id p_MGQYbBzG1W

where the scope-id is the project that terraform created within the organization in which the user exists

I get a

Error information:
  Code:
  Message:             Forbidden
  Status:              403

Terraform:

provider "boundary" {
  addr                            = "http://127.0.0.1:9200"
  auth_method_id                  = "ampw_NLkkHNcQoP"
  password_auth_method_login_name = "admin"
  password_auth_method_password   = "pnB7j6d0FuLIEUGCe1tb"
}

variable "users" {
  type    = set(string)
  default = [
    "Jim",
    "Mike",
    "Todd",
    "Jeff",
    "Randy",
    "Susmitha"
  ]
}

variable "readonly_users" {
  type    = set(string)
  default = [
    "Pete",
    "JT"
  ]
}

variable "backend_server_ips" {
  type    = set(string)
  default = [
    "192.168.1.120",
    "10.1.0.2",
  ]
}

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "corp" {
  scope_id                 = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
  name                     = "Corp"
  description              = "Corp"
}

resource "boundary_auth_method" "password" {
  name        = "org_auth_method"
  description = "Password auth method for org"
  type        = "password"
  scope_id    = boundary_scope.corp.id
}

resource "boundary_account" "ssh_users" {
//  for_each       = var.users
  name           = "ssh"
  description    = "Login account for ssh"
  type           = "password"
  login_name     = "ssh"
  password       = "supersecure"
  auth_method_id = boundary_auth_method.password.id
}

//locals {
//  users = {for s in var.users: index(var.users, s) => s}
//}

resource "boundary_user" "users" {
  for_each    = var.users
  name        = each.key
  description = "User resource for ${each.key}"
//  account_ids = [ boundary_account.ssh_users[index(var.users, each.value) + 1].id ]
  scope_id    = boundary_scope.corp.id
}

resource "boundary_user" "readonly_users" {
  for_each    = var.readonly_users
  name        = each.key
  description = "User resource for ${each.key}"
  scope_id    = boundary_scope.corp.id
}

// organization level group for readonly users
resource "boundary_group" "readonly_users" {
  name        = "readonly"
  description = "Organization group for readonly users"
  member_ids  = [for user in boundary_user.readonly_users : user.id]
  scope_id    = boundary_scope.corp.id
}

// add org-level role for readonly access
resource "boundary_role" "organization_readonly" {
  name        = "readonly"
  description = "Read-only role"
  principal_ids = [boundary_group.readonly_users.id]
  grant_strings = ["id=*;type=*;actions=read"]
  scope_id    = boundary_scope.corp.id
}

// add org-level role for administration access
resource "boundary_role" "organization_admin" {
  name        = "admin"
  description = "Administrator role"
  principal_ids = concat(
  [for user in boundary_user.users: user.id]
  )
  grant_strings   = ["id=*;type=*;actions=create,read,update,delete"]
  scope_id = boundary_scope.corp.id
}

// create a project for core infrastructure
resource "boundary_scope" "core_infra" {
  description              = "Core infrastrcture"
  scope_id                 = boundary_scope.corp.id
  auto_create_admin_role   = true
}

resource "boundary_host_catalog" "backend_servers" {
  name        = "backend_servers"
  description = "Backend servers host catalog"
  type        = "static"
  scope_id    = boundary_scope.core_infra.id
}

resource "boundary_host" "backend_servers" {
  for_each        = var.backend_server_ips
  type            = "static"
  name            = "backend_server_service_${each.value}"
  description     = "Backend server host"
  address         = each.key
  host_catalog_id = boundary_host_catalog.backend_servers.id
}

resource "boundary_host_set" "backend_servers_ssh" {
  type            = "static"
  name            = "backend_servers_ssh"
  description     = "Host set for backend servers"
  host_catalog_id = boundary_host_catalog.backend_servers.id
  host_ids        = [for host in boundary_host.backend_servers : host.id]
}

// create target for accessing backend servers on port :8000
resource "boundary_target" "backend_servers_service" {
  type         = "tcp"
  name         = "backend_servers_service"
  description  = "Backend service target"
  scope_id     = boundary_scope.core_infra.id
  default_port = "8080"

  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}

// create target for accessing backend servers on port :22
resource "boundary_target" "backend_servers_ssh" {
  type         = "tcp"
  name         = "backend_servers_ssh"
  description  = "Backend SSH target"
  scope_id     = boundary_scope.core_infra.id
  default_port = "22"

  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}

PS: I am not USING DEV. This is the single-instance server config I use:

disable_mlock = true

controller {
  name = "demo-controller-1"
  description = "A controller for a demo!"

  database {
    url = "postgresql://boundary:ohv5Tex2zei7bahbiekooqu6eingeesh@localhost:5432/boundary?sslmode=disable"
  }
}

worker {
  name = "demo-worker-1"
  description = "A default worker created demonstration"
  controllers = [
    "127.0.0.1",
  ]
//  public_addr = "myhost.mycompany.com"
}

listener "tcp" {
  address = "0.0.0.0"
  purpose = "api"
  tls_disable = true
//  cors_enabled = true
//  cors_allowed_origins = ["yourcorp.yourdomain.com"]
}

listener "tcp" {
  address = "127.0.0.1"
  purpose = "cluster"
  tls_disable = true
}

listener "tcp" {
  purpose = "proxy"
  tls_disable = true
}

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id = "global_root"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_worker-auth"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id = "global_recovery"
}

I haven't quite worked it out with terraform, but I think you have the same issue as me.

You need to grant a role to a project scope.
See

Does not that seem just broken? In addition, that command doesn't seem to work for me.

[demo_boundary] boundary roles update -grant-scope-id=p_MGQYbBzG1W -id=r_cDYvfmisfF

Role information:
  Created Time:        Sat, 24 Oct 2020 12:35:31 -03
  Description:         Administrator role
  Grant Scope ID:      p_MGQYbBzG1W
  ID:                  r_cDYvfmisfF
  Name:                admin
  Updated Time:        Sat, 24 Oct 2020 12:38:42 -03
  Version:             4

  Scope:
    ID:                o_nTgTfDCwhZ
    Name:              Corp
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_cvRAAjHr9V
      Type:         user
      Scope ID:     o_nTgTfDCwhZ
    ID:             u_FQVKmG3f8t
      Type:         user
      Scope ID:     o_nTgTfDCwhZ
    ID:             u_NIfvFcUxjn
      Type:         user
      Scope ID:     o_nTgTfDCwhZ
    ID:             u_ljhtfX4dVv
      Type:         user
      Scope ID:     o_nTgTfDCwhZ
    ID:             u_igPIiIjDNn
      Type:         user
      Scope ID:     o_nTgTfDCwhZ
    ID:             u_IOkrpYQZRi
      Type:         user
      Scope ID:     o_nTgTfDCwhZ

  Canonical Grants:
    id=*;type=*;actions=create,delete,read,update

The output doesn't contain that role:

[demo_boundary] boundary roles list -scope-id p_MGQYbBzG1W

Role information:
  ID:            r_xF0ileZlLU
    Version:     1
    Name:        Administration
    Description: Role created for administration of scope p_MGQYbBzG1W by user u_CA0KxwdmJl at its creation time

The only way I can get a role in the project is to change the scope in the terraform. However, this role then will not show in the admin site. As I said, this seems completely broken. If we are creating projects through the admin console, how can we configure roles etc. for that project specifically?

nvm, that command ended up working, but this process still seems broken. I guess you cannot control everything from the admin console.


The grant scope id is a way of delegation. It doesn’t move the role into the project scope; you’re simply saying that the grants in that role should apply to the child project. That’s why when you list roles in the project scope it doesn’t show up; it still lives in the org.

Terraform:

resource "boundary_role" "organization_admin" {
  name           = "admin"
  description    = "Administrator role"
  principal_ids  = concat(
  [for user in boundary_user.users: user.id]
  )
  grant_strings  = ["id=*;type=*;actions=*"]
  grant_scope_id = boundary_scope.core_infra.id
  scope_id       = boundary_scope.corp.id
}

This solved the issue for me.

However, Jeff, I get that, but how can I do this from the admin console? Grant a scope.


I believe that field is not in the UI yet; we don’t have 100% API coverage in the admin UI currently.

Hi @jeff, thank you for your attention and for helping me.

I have a question. I create a new project, then create new roles, a new user and a user auth method, then add a host catalog and a host target on the DEV environment. It always returns the same 403 Forbidden. I think on the DEV environment we can't create a new project, right? It should be created on the PROD environment, then creating a new project etc. works.

There is no functional difference between dev mode and non-dev mode other than dev setting up a database/config for you and creating resources with known suffixes.

Okay @jeff, thanks for the confirmation of what I'm concerned about. Maybe I will try another way to test, like using terraform.

You may want to try granting a wide swath of permissions to your users (e.g. id=*;type=*;actions=*) and seeing if you stop getting the 403. If so, then it means that there is something missing in the existing grants. If not, then it suggests that the grants you’re giving are not in the scope that you think.
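To make the scope-versus-grant distinction from the delegation explanation and this last suggestion concrete, here is an added example that is not part of the thread or of Boundary itself: a deliberately simplified model of how a role's scope, grant_scope_id and grant strings decide a request. It assumes the matching rules visible in the thread (wildcard or exact id, optional type, comma-separated actions) and ignores Boundary's extra rules such as collection actions; the ids used in it are constructed.

```python
# Added example: a simplified model (an assumption, not Boundary's own code) of
# how a role's scope, grant_scope_id and grant strings decide whether a request
# is allowed or ends up as the 403 Forbidden seen in the thread.
from dataclasses import dataclass


@dataclass
class Role:
    scope_id: str         # scope the role lives in (where `roles list` shows it)
    grant_scope_id: str   # scope whose resources the grants apply to
    principal_ids: list   # users/groups holding the role
    grant_strings: list   # e.g. "id=*;type=role;actions=*"


def parse_grant(grant: str) -> dict:
    """Turn 'id=*;type=role;actions=*' into {'id': '*', 'type': 'role', 'actions': ['*']}."""
    fields = {}
    for part in grant.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["actions"] = [a for a in fields.get("actions", "").split(",") if a]
    return fields


def grant_allows(grant: dict, res_id: str, res_type: str, action: str) -> bool:
    # id: wildcard or the exact resource id (absent is treated as wildcard here)
    id_ok = grant.get("id", "*") in ("*", res_id)
    # type: wildcard or the resource type; a grant naming a specific id may omit it
    type_ok = grant.get("type", "*") in ("*", res_type)
    act_ok = "*" in grant["actions"] or action in grant["actions"]
    return id_ok and type_ok and act_ok


def authorized(roles, user_id, scope_id, res_id, res_type, action) -> bool:
    """True if some role held by user_id grants `action` on the resource in scope_id."""
    for role in roles:
        if user_id not in role.principal_ids:
            continue
        # The check the thread keeps tripping over: an org role only reaches a
        # project when its grant_scope_id is that project, regardless of grants.
        if role.grant_scope_id != scope_id:
            continue
        if any(grant_allows(parse_grant(g), res_id, res_type, action)
               for g in role.grant_strings):
            return True
    return False  # what the controller reports as "Forbidden" / 403
```

Running the thread's cases through it reproduces them: an org role with `id=*;type=*;actions=*` and grant_scope_id left at the org is denied in the project, the same role with grant_scope_id set to the project is allowed, and a project role limited to `type=role` is denied on a target until a grant on that target's id with `authorize-session` is added.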