
`recursive` parameter in `scopesCheck` breaks with strict rbac

Open macmiranda opened this issue 1 year ago • 2 comments

Another issue has been created in the main Boundary repo that I think is related to the recursive parameter in scopesCheck below https://github.com/hashicorp/boundary-ui/blob/0902e42cb05ecbab9bd6549eba1f705c17541541/ui/desktop/app/routes/scopes.js#L26

When recursive is true, at least one of your orgs must allow unauthenticated scopes list, otherwise the Boundary API will respond with a 500 status code, which makes the check fail and Boundary Desktop show the modal (thinking that it's actually talking to an older version of the API).

Originally posted by @macmiranda in https://github.com/hashicorp/boundary/issues/4370#issuecomment-1999332273

macmiranda Mar 19 '24 21:03

Hi @macmiranda,

Thanks for letting us know about this issue. I have been trying to replicate this in relation to the other issue you mentioned.

To properly replicate this issue, would you be able to share the grant string for your scopes that was causing the Boundary API to respond with a 500?

cameronperera Mar 21 '24 21:03

Hi @cameronperera

To reproduce:

  1. Start Boundary server in dev mode
  2. Log in as admin
  3. Modify the Global role Login Grants, Edit form, make sure Global is selected as the Grant Scope

(this is intentional. I don't want unauthenticated users to be able to see which scopes exist under the Global one. Since my auth method is global, users are able to authenticate themselves and then have access to other scopes)

  4. On the CLI

```
export BOUNDARY_ADDR=http://localhost:9200
boundary scopes list -recursive
Error from controller when performing list on scopes

Error information:
  Kind:                Internal
  Message:             output fields not found when building scope proto
  Status:              500
  context:             Error from controller when performing list on scopes
```

but without `-recursive`

```
boundary scopes list

Scope information:
  ID:                    o_1234567890
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
```

macmiranda Mar 22 '24 10:03
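
Added example, not part of the original thread and not boundary-ui code: one way a client-side compatibility probe could avoid reading the 500 from the reproduction above as "older API". The function name, the outcome labels, the response object shape and the rule that only a 400 counts as evidence of an unsupported `recursive` parameter are assumptions; the thread does not say what an older controller returns.

```javascript
// Added example (hypothetical helper, not boundary-ui code).
// rec   = response to the recursive scopes list  ({ status, body })
// plain = response to the non-recursive list, or null if not attempted
// ASSUMPTION: only a 400 is taken as "controller does not understand
// `recursive`"; the thread does not document the older API's behaviour.
function classifyScopesProbe(rec, plain) {
  const ok = (r) => Boolean(r) && r.status >= 200 && r.status < 300;

  if (ok(rec)) {
    return { outcome: 'supported', showVersionModal: false, detail: null };
  }
  const detail =
    rec.body && rec.body.message ? rec.body.message : `HTTP ${rec.status}`;

  if (rec.status === 400) {
    return { outcome: 'unsupported', showVersionModal: true, detail };
  }
  // 401/403/5xx carry no version information. If the plain list still
  // answers (as in the reproduction), the controller is reachable and the
  // failure is specific to the recursive request, so no version modal.
  return {
    outcome: ok(plain) ? 'indeterminate' : 'unreachable',
    showVersionModal: false,
    detail,
  };
}

// Constructed sample responses modelled on the CLI output in the thread;
// the JSON shape is an assumption.
const STRICT_RBAC_RECURSIVE = {
  status: 500,
  body: {
    kind: 'Internal',
    message: 'output fields not found when building scope proto',
  },
};
const STRICT_RBAC_PLAIN = {
  status: 200,
  body: { items: [{ id: 'o_1234567890', name: 'Generated org scope' }] },
};

console.log(classifyScopesProbe(STRICT_RBAC_RECURSIVE, STRICT_RBAC_PLAIN));
```
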