Restrict Access to Hosts in Targets

In Boundary, if I have the read and authorize-session action grants on a target, then I can connect to any of the hosts in the assigned host sets provided I can guess the host’s id. I falsely believed I needed explicit read/list grants on the referenced host sets, their catalog or the hosts in order to successfully connect. Is there any way in Boundary to restrict connections to some host sets of a target?

The way I came up with was to create separate targets for each group of host sets and then explicitly allow access to selected targets. However, it feels wrong to me having to do grant modelling on the target level; doing so on the host set level would feel more natural to me.

The purpose of the host sets is to pull together hosts that can be considered equivalent (an example might be if you want to connect to any machine in a database cluster, but you don’t care which). A target is a mapping of a host or hosts to a credential(s) and a set of restrictions. So you do have to make different targets.

This keeps hosts composable…the aggregate is the target.

Thanks, that helps! I will abandon the host sets then. My target hosts are not the same in the sense that it is irrelevant which host is chosen. So I will create a target for each host and then group them permission-wise by creating roles which explicitly list the targets in their grants. I can then use the roles to allow users and groups to access the host by assigning them to the appropriate roles.

That will work. Also, if you want a single host per target, you could simply put the address directly onto each of the individual targets rather than creating hosts and assigning them.
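
The layout the thread settles on, sketched as Terraform for the Boundary provider. This is an added example, not configuration posted by anyone in the thread; all names, addresses and variables are constructed, and it assumes a provider and Boundary version that support `address` on targets and the `ids=` grant syntax.

```hcl
# Added example: every name, address and variable below is constructed.
variable "project_scope_id" { type = string }   # project scope holding the targets
variable "db_admins_group_id" { type = string } # group allowed onto the DB hosts
variable "web_ops_group_id" { type = string }   # group allowed onto the web host

# One target per host. The address sits directly on the target,
# so no host catalog, host set or host resources are needed.
resource "boundary_target" "db1" {
  name         = "db1-ssh"
  type         = "tcp"
  scope_id     = var.project_scope_id
  address      = "10.0.0.11"
  default_port = 22
}

resource "boundary_target" "db2" {
  name         = "db2-ssh"
  type         = "tcp"
  scope_id     = var.project_scope_id
  address      = "10.0.0.12"
  default_port = 22
}

resource "boundary_target" "web1" {
  name         = "web1-ssh"
  type         = "tcp"
  scope_id     = var.project_scope_id
  address      = "10.0.0.21"
  default_port = 22
}

# Roles group the targets permission-wise by listing target IDs explicitly.
# Avoid "ids=*;type=target" here: it would open every target in the scope.
resource "boundary_role" "db_access" {
  name          = "db-access"
  scope_id      = var.project_scope_id
  principal_ids = [var.db_admins_group_id]
  grant_strings = [
    "ids=${boundary_target.db1.id},${boundary_target.db2.id};actions=read,authorize-session",
  ]
}

resource "boundary_role" "web_access" {
  name          = "web-access"
  scope_id      = var.project_scope_id
  principal_ids = [var.web_ops_group_id]
  grant_strings = ["ids=${boundary_target.web1.id};actions=read,authorize-session"]
}
```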