Web UI sessions unauthorized but CLI / desktop can list correctly
Describe the bug
In the Web UI (:9200) I can't see the session list; it shows 403 unauthorized.
To Reproduce
Steps to reproduce the behavior:
- Manually create a role with the grant id=*;type=*;actions=* and log in a user which has this permission
- Run boundary connect ssh -target-id xxxxx
- Open the web UI, navigate to the sessions list and see the error.
Expected behavior
The user can see the session list.
Additional context
I use docker compose up -d to run the server and used the -skip-auth-method-creation option when initializing the database.
Hi @elct9620, the new user you have created needs a role in every scope, so if they are trying to access something in a project, the user will need a distinct role in global, org, and project.
You can refer to a similar thread: https://github.com/hashicorp/boundary/issues/2782
@xingluw thanks, I will check it for more details.
This behavior confuses me, because some of the resources are project level and can be granted permission, but the sessions cannot.
If you navigate to the specific Project (using the base admin account), and click on the Roles tab, you will likely see the default role. You need to add the new user to that project-role, or create a new role and include the new user, with the grants of id=*;type=*;actions=*
Like this:

My UI does not show the role in the project. I think I have to add the role at each level first 🤔
That means that with only a global scope role, I can still list or edit the project's targets but do not have full functionality.
That is correct, I would use the original admin account to create roles on each scope level, and add the relevant users to each new role
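As an added example (not from this thread and not Boundary's own code): a small Python checker that takes role data in the shape of boundary roles read -format json and reports which scopes in the chain global -> org -> project carry no role granting a given principal the action it needs, then prints the CLI commands that would fill each gap. The field names (scope_id, grant_scope_id, principals, grant_strings) are assumptions modeled on that JSON output, the sample role data is constructed (the project role mirrors the one shown later in this thread, the global role and the u_alice0000 user are hypothetical), and the fix-up commands use the boundary roles create / add-grants / add-principals flags as they existed in the 0.9-era CLI; confirm them with boundary roles create -h before use.

```python
"""Scope-chain role check for Boundary RBAC (added example, not Boundary code).

Boundary evaluates grants per scope: a principal needs a role whose grant
scope is the project for project resources, plus roles at the org and global
scope for the UI to walk the hierarchy. Given role records in the shape of
`boundary roles read -format json` (field names assumed here), this reports
which scopes in global -> org -> project lack a matching role for a principal.
"""
import json

# Constructed sample. The first role mirrors the project role shown in the
# thread; the second role and the user u_alice0000 are hypothetical.
SAMPLE_ROLES_JSON = json.dumps([
    {
        "id": "r_lg0LrZ7GTX", "name": "Project Admin",
        "scope_id": "p_iWO0mv8z1G", "grant_scope_id": "p_iWO0mv8z1G",
        "principals": [{"id": "mgoidc_pPgnFOgiXW", "type": "managed group",
                        "scope_id": "global"}],
        "grant_strings": ["id=*;type=*;actions=*"],
    },
    {
        "id": "r_globalReadOnly", "name": "Global Read",  # hypothetical
        "scope_id": "global", "grant_scope_id": "global",
        "principals": [{"id": "u_alice0000", "type": "user",
                        "scope_id": "global"}],
        "grant_strings": ["id=*;type=*;actions=read,list"],
    },
])


def load_roles(text):
    """Parse a JSON list of role records (assumed field layout, see above)."""
    return json.loads(text)


def scope_chain(project_id, org_id):
    """Every scope a project-level action is checked against, top down."""
    return ["global", org_id, project_id]


def parse_grant(grant):
    """Split 'id=*;type=session;actions=read,list' into a dict of fields."""
    fields = {}
    for part in grant.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def grant_allows(grant, resource_type, action):
    """True if a grant string covers `action` on the whole `resource_type`.

    A grant pinned to one resource id (id=s_123) does not cover collection
    actions such as list, so only id=* or an absent id counts here.
    """
    g = parse_grant(grant)
    if g.get("id", "*") != "*":
        return False
    if g.get("type", "") not in ("*", resource_type):
        return False
    actions = {a.strip() for a in g.get("actions", "").split(",") if a.strip()}
    return "*" in actions or action in actions


def roles_granting(roles, scope_id, principal_ids, resource_type, action):
    """Roles whose grant scope is scope_id, include one of the principals
    (user, group or managed group ids), and permit the action."""
    return [
        r for r in roles
        if r["grant_scope_id"] == scope_id
        and any(p["id"] in principal_ids for p in r["principals"])
        and any(grant_allows(g, resource_type, action) for g in r["grant_strings"])
    ]


def missing_scopes(roles, chain, principal_ids, resource_type, action):
    """Scopes in the chain where no role grants the principal this action."""
    return [s for s in chain
            if not roles_granting(roles, s, principal_ids, resource_type, action)]


def fix_commands(missing, principal_id, grant="id=*;type=*;actions=*"):
    """CLI commands to add a role per missing scope (flags as in the 0.9-era
    CLI; the role id comes from the create output, so it is a placeholder)."""
    cmds = []
    for scope in missing:
        cmds.append(f"boundary roles create -scope-id {scope} "
                    f"-grant-scope-id {scope} -name 'Admin {scope}'")
        cmds.append(f"boundary roles add-grants -id <role-id-from-create> -grant '{grant}'")
        cmds.append(f"boundary roles add-principals -id <role-id-from-create> "
                    f"-principal {principal_id}")
    return cmds


if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_JSON)
    chain = scope_chain("p_iWO0mv8z1G", "o_iTBk9lui6v")
    gaps = missing_scopes(roles, chain, {"mgoidc_pPgnFOgiXW"}, "session", "list")
    print("scopes without a session:list role for the managed group:", gaps)
    print("\n".join(fix_commands(gaps, "mgoidc_pPgnFOgiXW")))
```

Run it with the real data by replacing SAMPLE_ROLES_JSON with the items from boundary roles list -recursive -scope-id global -format json followed by a boundary roles read -format json per role (list output does not carry principals and grants), and pass every user, group and managed-group id the account resolves to as principal_ids. The grant parser handles only the id/type/actions form shown in this thread, not the newer ids= and output_fields= keys.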
After setting up the scope/project role and grants I can see the sessions. But I still do not see the "Roles" tab at the project level; is it related to my current version, 0.9.0?
Could you send me the output for boundary roles read -id <project-role-id> ? (Using the admin account)
The version should not be an issue
Role information:
  Created Time:          Fri, 13 Jan 2023 10:19:48 UTC
  Grant Scope ID:        p_iWO0mv8z1G
  ID:                    r_lg0LrZ7GTX
  Name:                  Project Admin
  Updated Time:          Fri, 13 Jan 2023 10:20:24 UTC
  Version:               3

  Scope:
    ID:                  p_iWO0mv8z1G
    Name:                Nomad
    Parent Scope ID:     o_iTBk9lui6v
    Type:                project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:                  mgoidc_pPgnFOgiXW
      Type:              managed group
      Scope ID:          global

  Canonical Grants:
    id=*;type=*;actions=*
I tried reproducing your issue but could not get it. My users and managed groups exist at the global level and I have added them to the project role, and after I log out and log in, the project shows up as expected (same image as above). Does this work for you if you just use a standard global user, adding that user to r_lg0LrZ7GTX?
You could also try this in the latest version of Boundary
I tried logging out and back in, but it did not work. Does it relate to the user being logged in via OIDC?
It may be related to the user being from OIDC auth. Could you try the following?
- Create a new password-auth user in the global scope
- Add the user to r_lg0LrZ7GTX and no other role
Does this new user see the project as expected?