hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Specific Target Role errors #1665

Open ichasco-heytrade opened 2 years ago

ichasco-heytrade commented 2 years ago

Hi, I am having issues with the role grants. I'm not able to grant a user access to only one target from one project.

Terraform code:

resource "boundary_role" "org-dev-developers" {
  name          = "Developers"
  description   = "Developers role"
  principal_ids = [
    boundary_group.orf-developers.id
  ]
  grant_strings = [
    "id=${module.mongodb-dev.target_id};actions=*"
  ]
  scope_id      = boundary_scope.project.id
}

I have tested:

 "id=${module.mongodb-dev.target_id};actions=*"
 "id=${module.mongodb-dev.target_id};type=*;actions=*"

I always get a 403 :(

It only works if I add * in the id:

"id=*;type=*;actions=authorize-session,list"

Thanks!

ichasco-heytrade commented 2 years ago

I have seen that in the CLI it works with this:

"id=${module.mongodb-dev.target_id};actions=authorize-session",
"id=*;type=target;actions=list",

I can list and I can authorize a session, but with the desktop application I get a 403 :(

covetocove commented 2 years ago

Hi @ichasco-heytrade, are you still experiencing this issue in the latest Boundary version (currently 0.7.6) and Boundary desktop version (1.4.2)?

japneet-sahni commented 1 year ago

@PPacent: I have a similar problem and this is blocking us from having a great customer experience (Boundary Desktop is any day more friendly for users than using the CLI). FYI @randallmorey

Reference: https://github.com/hashicorp/boundary/issues/1495
Boundary Version: 0.10.3
Boundary Desktop Version: 1.4.5

BrandonIngalls commented 1 year ago

I am also running into this issue on Boundary 0.11.0.

I'm trying to grant fine-grained access to a specific target with a grant of

id=ttcp_lmhDHjOLmR;actions=read,authorize-session

This one does not work, even though I would assume that it should after reading the documentation on https://www.boundaryproject.io/docs/concepts/security/permissions/resource-table.

I am able to get Boundary to function if I modify the grant to this:

id=ttcp_lmhDHjOLmR;actions=authorize-session
id=ttcp_lmhDHjOLmR;type=*;actions=read

I do not understand why I have to add type=* when I haven't had to do so for any other resource in Boundary. It seems like a bug to me (or just a bad implementation).

japneet-sahni commented 1 year ago

@randallmorey @BrandonIngalls @PPacent: On checking the logs, I found out that the forbidden error is coming from a missing session permission when I use the specific target permission id=ttcp_ziWqhSoHjS;actions=read,authorize-session

{"id":"qGMXmB65hy","source":"https://hashicorp.com/boundary/boundary-controller-6b7448b78d-sj7z4/controller","specversion":"1.0","type":"observation","data":{"latency-ms":176.356111,"request_info":{"id":"gtraceid_iKud8zifLKLP6QgfkacV","method":"POST","path":"/v1/targets/ttcp_ziWqhSoHjS:authorize-session","public_id":"at_cOvYlRE2Zw","client_ip":"10.151.236.67"},"start":"2022-10-11T21:31:25.603951601Z","status":200,"stop":"2022-10-11T21:31:25.780307812Z","version":"v0.1"},"datacontentype":"application/cloudevents","time":"2022-10-11T21:31:25.780338212Z"}
{"id":"tNRtx3Zxsv","source":"https://hashicorp.com/boundary/boundary-controller-6b7448b78d-sj7z4/controller","specversion":"1.0","type":"observation","data":{"latency-ms":0.084801,"request_info":{"id":"gtraceid_uSzxFKvD5DDNDuLDDMg9","method":"OPTIONS","path":"/v1/sessions/s_xpEGNWkWlg","client_ip":"10.151.236.37"},"start":"2022-10-11T21:31:25.816005779Z","status":204,"stop":"2022-10-11T21:31:25.81609058Z","version":"v0.1"},"datacontentype":"application/cloudevents","time":"2022-10-11T21:31:25.816101981Z"}
{"id":"tQv6WjtQyU","source":"https://hashicorp.com/boundary/boundary-controller-6b7448b78d-sj7z4/controller","specversion":"1.0","type":"observation","data":{"latency-ms":66.39417,"request_info":{"id":"gtraceid_QSyJffYtPPpMurTqDyAK","method":"GET","path":"/v1/sessions/s_xpEGNWkWlg","public_id":"at_cOvYlRE2Zw","client_ip":"10.151.236.37"},"start":"2022-10-11T21:31:25.822543965Z","status":403,"stop":"2022-10-11T21:31:25.888938235Z","version":"v0.1"},"datacontentype":"application/cloudevents","time":"2022-10-11T21:31:25.888978035Z"}

So, I added the permission below, which solved the issue for me: "id=*;type=session;actions=read:self,cancel:self"
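
The log check described in the comment above, as an added example (not part of the original comment and not Boundary's own code): it scans controller observation events for 403 responses and reports which resource collection and ID were refused, which is how the missing session grant shows up. The sample lines are constructed from the fields visible in the quoted logs, and the function names are hypothetical.

```python
import json
from collections import defaultdict

def _event(method, path, status, public_id=None):
    """Build one constructed observation line using the fields seen in the thread's logs."""
    info = {"method": method, "path": path}
    if public_id:
        info["public_id"] = public_id
    return json.dumps({"type": "observation",
                       "data": {"request_info": info, "status": status}})

# Constructed sample, reduced from the three log lines quoted in the comment.
SAMPLE_LOG = "\n".join([
    _event("POST", "/v1/targets/ttcp_ziWqhSoHjS:authorize-session", 200, "at_cOvYlRE2Zw"),
    _event("OPTIONS", "/v1/sessions/s_xpEGNWkWlg", 204),
    "not json: a line that is not an event",
    _event("GET", "/v1/sessions/s_xpEGNWkWlg", 403, "at_cOvYlRE2Zw"),
])

def split_path(path):
    """Split /v1/<collection>/<id>[:action] into (collection, id, action); None if no match."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "v1":
        return None
    rid, _, action = (parts[2] if len(parts) > 2 else "").partition(":")
    return parts[1], rid or None, action or None

def forbidden_requests(log_text):
    """Group 403 responses by the request's public_id, skipping non-event lines."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("type") != "observation":
            continue
        data = ev.get("data", {})
        info = data.get("request_info", {})
        parsed = split_path(info.get("path", ""))
        if data.get("status") != 403 or parsed is None:
            continue
        collection, rid, action = parsed
        denied[info.get("public_id", "unauthenticated")].append(
            {"method": info.get("method"), "collection": collection,
             "id": rid, "action": action})
    return dict(denied)

if __name__ == "__main__":
    print(forbidden_requests(SAMPLE_LOG))
```

On the sample, the only refused request is the GET on the sessions collection made right after a successful authorize-session, matching the grant on type=session that the comment adds.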

reza-solaris commented 1 year ago

I'm facing an issue very similar to what's explained here. I can see the targets from the Desktop client, but not from the Web UI. The role grants that I assigned are similar to what @BrandonIngalls mentioned in the above comment:

"id=${boundary_target.target.id};actions=authorize-session,read",
"id=${boundary_target.target.id};type=*;actions=read",
"id=*;type=session;actions=read:self,cancel:self",
"type=scope;actions=list"

Am I missing any grant, or is there an issue with the Web UI not listing the targets?