Improve user experience: Simplified connection to a target with boundary
Is your feature request related to a problem? Please describe.
Our feature request is not a technical problem. It aims to improve the user experience for a user that would like to connect to a database, a virtual machine or a Kubernetes cluster using boundary. The current user experience requires several commands to connect to a database (at least 6), as shown in the attached diagram. This can be difficult for users to get to grips with. The use of the CLI can be a bit improved.
Describe the solution you'd like
We're opening this issue to propose an improvement to Boundary's user interface to make the process of connecting to services simpler and more accessible. Here's our proposal to simplify authentication to a service using three maximum commands:
- Authentication command: this first command would authenticate a user to an organization. It would list all organizations and their authentication methods. The user could choose the auth method to use. It would then authenticate the user by requesting his password according to the auth method requested. Both the organization name and the username could be assigned values in a separate configuration file.
- Command to list targets: this second command would list all targets by executing, for example, boundary list targets. There would be no need to specify the boundary URL or project IDs.
- Connection command: this command would be the same as the existing one. The only difference would be to implement a more user-friendly target name. To differentiate the targets among the projects, its name would appear under the scope name and a unique name which identifies the target.
This approach would reduce the number of commands required and improve the overall experience of connecting to services via Boundary.
Here is an example of the use of the commands and the output targeted:
$ boundary authenticate
# Output:
[1]: auth-method-1
[2]: auth-method-2
[3]: auth-method-3
Type your chosen auth-method [1/2/3]: 1
$ boundary targets list
# Output :
scope/target-name-1
scope/target-name-2
...
$ boundary connect scope/target-name-1
Describe alternatives you've considered
The alternative we considered is doing a wrapper around boundary to achieve this user experience.
Explain any additional use-cases
N/A
Additional context
Here is the schema of the current workflow compared to the one we target:
Thanks for this detailed and thoughtful feature request. Improving this experience is something we've been working on and will continue to work on in the next release. As it happens, we shipped an improvement to this workflow already in 0.13.0 - you no longer need to list auth methods when authenticating, the CLI will automatically choose the default auth method in the scope if it is omitted. For example:
$ boundary scopes list
...
$ boundary authenticate -scope-id <scope_id> # will automatically use the default auth method in the scope
Or, even simpler, if the user is authenticating to the global scope:
$ boundary authenticate # will automatically use the default auth method in the global scope
For more information, see the dev mode getting started docs.
This is pretty close to your suggested workflow! We'll continue to work on improving this and would value your feedback on this after trying it out.
Another tip is that you can give scope-id/scope-name and target-name directly to boundary connect if you know them. That way, you can do:
$ boundary authenticate # automatically picks auth-method
$ boundary targets list -recursive # list all targets user can access
$ boundary connect -scope-id <scope_id> -target-name <target_name>
Hello, thanks a lot for your answer. We were not aware of these different features. It is very interesting and can directly address our points. Thank you!
Yet, we are very interested in helping you to improve the user experience. The points you described solve the issue, but we could push the user experience a bit further. We thought about this (if it is not part of your roadmap):
- authenticate to a scope-id and be able to choose an authenticate method
- create user-friendly target name and scope name to connect more easily. Also, we could improve the output of the boundary target list command to be more user-friendly
- add a feature to not specify the token flag or addr flag each time
What do you think about it? Maybe we can talk about it in private. My team and I really love HashiCorp products. We would be happy to help you on this project in return for your work for the devops & SRE ecosystem.
Hey @cfpadok, appreciate the kind words, as well as your feedback here. We would love to chat, feel free to shoot me a message at [email protected].