Boundary
Boundary Admin Console
Boundary's Admin Console provides an easy way to manage resources. This tutorial introduces the Boundary Admin Console by exploring the resources in the Global and Generated org scopes created by `boundary dev`.
Explore the Admin Console
Select the Global scope and then Roles.
Select Admin and then click the Principals tab.
Notice the `admin` user. User, group, and project are types of principals that can be assigned to roles.
Click on the Grants tab to view the permissions allowed for this role.
Grants represent strings of actions on resources:
`ids=<resource_id>;type=<resource_type>;actions=<actions>`
The grant for the Administration role indicates that all actions (`actions=*`) on all resources (`ids=*;type=*`) are permitted. Refer to the permissions documentation for more details.
Return to the Roles list and select the Login Grants role.
Click the Grants tab to view its permissions.
A role can have multiple grants defined. Deleting the role deletes its associated grants. A grant is also deleted if its associated resource is deleted.
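The grant format above lends itself to a quick least-privilege review of a role. The following is an added example, not code from the Boundary documentation or code base: it parses grant strings in that format and classifies how broad each one is. The function names, the `unrestricted`/`broad`/`scoped` labels, the second and third sample grants, and the handling of `ids` and `actions` as comma-separated lists are assumptions made for illustration.

```python
from dataclasses import dataclass

FIELDS = ("ids", "type", "actions")  # only the fields shown in this tutorial


@dataclass(frozen=True)
class Grant:
    ids: tuple = ()
    type: str = ""
    actions: tuple = ()


def parse_grant(text: str) -> Grant:
    """Parse 'ids=...;type=...;actions=...' and reject malformed segments."""
    seen = {}
    for segment in text.strip().split(";"):
        key, sep, value = (p.strip() for p in segment.partition("="))
        if not sep or not value:
            raise ValueError(f"malformed segment {segment!r}")
        if key not in FIELDS or key in seen:
            raise ValueError(f"unexpected or duplicate field {key!r}")
        seen[key] = value
    # Assumption: ids and actions are comma-separated lists.
    as_list = lambda v: tuple(x.strip() for x in v.split(",") if x.strip())
    return Grant(as_list(seen.get("ids", "")), seen.get("type", ""),
                 as_list(seen.get("actions", "")))


def wildcard_fields(grant: Grant) -> list:
    """Names of the fields that contain the '*' wildcard."""
    values = {"ids": grant.ids, "type": (grant.type,), "actions": grant.actions}
    return [name for name in FIELDS if "*" in values[name]]


def classify(text: str) -> str:
    """'unrestricted' if every field is '*', 'broad' if any is, else 'scoped'."""
    wild = wildcard_fields(parse_grant(text))
    if len(wild) == len(FIELDS):
        return "unrestricted"
    return "broad" if wild else "scoped"


# Constructed sample role: the first grant is the one quoted in this tutorial,
# the other two are made up for illustration.
SAMPLE_GRANTS = [
    "ids=*;type=*;actions=*",
    "ids=*;type=session;actions=list,read",
    "ids=hst_1234567890;type=host;actions=read",
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(f"{classify(g):12} {g}")
```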
Select Orgs from the sidebar, then click on the Generated org scope.
Notice that a new sidebar item, Projects, is available. Click on the Generated project scope.
Notice the additional sidebar items available in the project scope, including Sessions, Targets and Host Catalogs.
Select Host Catalogs.
Click Generated host catalog.
Click on the Host Sets tab and then Generated host set to view its details.
Click on the Hosts tab to view attached hosts.
Currently Generated host with ID `hst_1234567890` is the only host attached to this host set. You can add or delete hosts from the host set from the Manage menu.
Select Generated host. Its Address is set to `localhost`.
Select Targets from the left pane. Select Generated target using host sources.
Examine the host details page. Notice the following attributes:
- Type: `TCP`
- Default Port: `22`
Note that the Target Address and Aliases fields are undefined, and marked as optional.
Click the Host Sources tab, and notice that it contains the Generated host set. This target uses the hosts within the Generated host set, which includes the Generated host from before.
Hosts provide the target address, and the target defines the protocol and port to use when connecting to that host. Using host sets allows for different targets to be configured for the same host, but connect using different ports or protocols.
Select Targets from the left pane. Select Generated localhost ssh target with an alias.
Examine the host details page. Notice the following attributes:
- Aliases: `ssh.boundary.dev`
- Type: `TCP`
- Target Address: `127.0.0.1`
- Default Port: `22`
Boundary recommends using host catalogs, host sets, and hosts to organize resources at scale, but targets can still have addresses attached directly. A direct target address takes precedence over attached host sets.
Defining an alias makes connecting to the target easier. Boundary refers to targets in one of three ways:
- Target ID (`ttcp_YennSYsnwU`)
- Target name and scope (`Generated localhost ssh target with an alias` and `p_1234567890`)
- Target alias (`ssh.boundary.dev`)
Target aliases are easier to track than target IDs, but are globally unique and user defined.
Using the Manage menu, you can add host sets to the target, or delete this target.
Boundary resource summary
The relationships between hosts, host sets, and targets are as shown in the following diagram:
A host catalog contains host sets, and each host set has a list of hosts with their network addresses. Targets define zero or more host sets. Targets are what end users use to connect through Boundary. For example, to create an SSH session to a host through Boundary, an administrator must first define a target. Admins can define targets by specifying a host set, which provides host addressing information, as well as the connection type, such as TCP.
Resource | Description |
---|---|
Scope | Abstract permission boundary modeled as a container. A scope can contain scopes forming a tree. |
Organization | Top-level container (scope) which owns zero or more projects and zero or more authentication methods. An organization inherits from scope allowing it to own zero or more groups, roles, policies, targets, host catalogs or credential stores. |
Project | Child scope of an organization. |
User | Any entity authorized to access Boundary using authentication credentials specific to one of the configured authentication methods. A user can belong to zero or more groups. |
Group | Collection of users used for access control. A group is owned by a single scope. |
Role | Collection of capabilities granted to any principal (user, group, or project) the role is assigned to. A role belongs to a single scope, and owns zero or more direct grants. |
Host | Computing element with a network address reachable from Boundary. |
Host catalog | Permission boundary modeled as a container containing scopes forming a tree. |
Host set | Subset of hosts from the set of hosts of the host catalog it belongs to. A host set belongs to a single host, and is deleted when its host catalog is deleted. |
Target | Networked service a user can connect to and interact with through Boundary. A target can contain zero or more host sets. |
Next steps
This tutorial explored the Boundary resources created by default when you deploy Boundary in dev mode.
Next, you are going to connect to a target using the generated configurations and view and manage the established sessions.