From 89a050618669c5a0283946a8fb65e6acddbf8063 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Thu, 22 May 2025 11:32:59 -0400
Subject: [PATCH] docs: Add HCPb grants issue and fix (#5746) (#5760)
* docs: Add HCPb grants issue and fix
* docs: Add important change, revise alertbox
* docs: Updates based on review feedback
* docs: Updates based on review feedback
* docs: Rephrase reference to fix
* docs: Update date of fix
* docs: Update transparent sessions configuration topic
---
.../content/docs/api-clients/client-agent.mdx | 19 +++++++-
.../content/docs/commands/database/init.mdx | 2 +
.../target-aliases/transparent-sessions.mdx | 26 +++++++++--
.../content/docs/release-notes/v0_19_0.mdx | 43 +++++++++++++++++++
4 files changed, 85 insertions(+), 5 deletions(-)
diff --git a/website/content/docs/api-clients/client-agent.mdx b/website/content/docs/api-clients/client-agent.mdx
index a1c491d557..2beadecee7 100644
--- a/website/content/docs/api-clients/client-agent.mdx
+++ b/website/content/docs/api-clients/client-agent.mdx
@@ -58,8 +58,7 @@ $ boundary client-agent sessions
### Grants
-The default grants that Boundary creates for anonymous and authenticated users are sufficient to get started with the Client Agent for the public beta.
-However, in a production scenario, you may want to provide the least amount of privileges necessary for users.
+In a production environment, you may want to provide the least amount of privileges necessary for users.
For a Boundary user to be able to use the Client Agent to establish a transparent session, they must:
- be able to authenticate using an auth method.
@@ -76,12 +75,28 @@ type=auth-token;ids=*;actions=read:self
HashiCorp highly recommends that you also grant users the permission to list resolvable aliases, as the Client Agent periodically fetches a list of aliases to match incoming DNS requests against.
Without that permission, every DNS request on the system is sent to the Boundary controller, which can easily overwhelm it.
+
You can use the following grant string to grant the permission to list resolvable aliases:
```
type=user;ids=*;actions=list-resolvable-aliases
```
+
+
+A known issue regarding how grants were previously created in HCP Boundary may cause you to receive a 500 error when you attempt to list resolvable aliases.
+Clusters created before April 26, 2025 may be missing the following grants:
+
+ `ids={{.User.Id}};type=user;actions=list-resolvable-aliases`
+
+ `ids=*;type=target;actions=list,read`
+
+If your cluster is missing these grants, HashiCorp recommends adding them.
+
+For more information, refer to the [known issue](/boundary/docs/release-notes/v0_19_0#hcp-grants).
+
+
+
## Configuration
The default configuration included with the Boundary Client Agent upon installation will be suitable for most users. If you want to make changes to the configuration, the configuration file is located in the following directory:
diff --git a/website/content/docs/commands/database/init.mdx b/website/content/docs/commands/database/init.mdx
index e7cadfe1aa..f13fb1b003 100644
--- a/website/content/docs/commands/database/init.mdx
+++ b/website/content/docs/commands/database/init.mdx
@@ -115,6 +115,8 @@ The default value is `false`.
- `-skip-host-resources-creation` - If not set, skips the creation of host resources as part of the initialization, inlcuding host catalog, host set, and hosts.
The default value is `false`.
+- `-skip-initial-authenticated-user-role-creation` - If set, skips the creation of the role and grants that are provisioned by default for all authenticated users.
+
- `-skip-initial-login-role-creation` - If not set, skips the creation of a default role allowing necessary grants for logging in as part of initialization.
If you set this value, the recovery KMS is required to perform any actions.
The default value is `false`.
diff --git a/website/content/docs/configuration/target-aliases/transparent-sessions.mdx b/website/content/docs/configuration/target-aliases/transparent-sessions.mdx
index e50518ae99..7e0eeaa99f 100644
--- a/website/content/docs/configuration/target-aliases/transparent-sessions.mdx
+++ b/website/content/docs/configuration/target-aliases/transparent-sessions.mdx
@@ -19,6 +19,24 @@ Before you configure transparent sessions, you must:
- Download the appropriate Boundary installer for your Windows or MacOS environment from the [Install Boundary](/boundary/install#installer) page or the [releases](https://releases.hashicorp.com/boundary-installer) page.
- Ensure that both IPv4 and IPv6 protocols are enabled for your environment. The [Client Agent](/boundary/docs/api-clients/client-agent) requires both protocols to start and perform DNS lookups.
+Once Boundary is installed, you should make sure you have the appropriate grants configured so that you can resolve aliases and establish transparent sessions.
+For more information, refer to the [Grants](/boundary/docs/api-clients/client-agent#grants) section in the Client Agent documentation.
+
+
+
+ A known issue regarding how grants were previously created in HCP Boundary may cause you to receive a 500 error when you attempt to list resolvable aliases.
+ Clusters created before April 26, 2025 may be missing the following grants:
+
+ `ids={{.User.Id}};type=user;actions=list-resolvable-aliases`
+
+ `ids=*;type=target;actions=list,read`
+
+ If your cluster is missing these grants, HashiCorp recommends adding them.
+
+ For more information, refer to the [known issue](/boundary/docs/release-notes/v0_19_0#hcp-grants).
+
+
+
## Install the Boundary clients
Complete the following steps to install the Boundary Client Agent, CLI, and Desktop client:
@@ -41,11 +59,13 @@ The following section details how to configure targets and test the transparent
- If you use a cluster that was created earlier than release 0.16.0, you must add the grant `list-resolvable-aliases` so that the client agent can populate the local alias cache.
+If you use a cluster that was created earlier than release 0.16.0, you must add the grant `list-resolvable-aliases` so that the client agent can populate the local alias cache.
+
+As an example, you could add the grant:
- As an example, you could add the grant:
+`type=user;actions=list-resolvable-aliases;ids=*`.
- `type=user;actions=list-resolvable-aliases;ids=*`.
+For more information, refer to the [Grants](/boundary/docs/api-clients/client-agent#grants) section in the Client Agent documentation.
diff --git a/website/content/docs/release-notes/v0_19_0.mdx b/website/content/docs/release-notes/v0_19_0.mdx
index 086d73a867..08b77fb9df 100644
--- a/website/content/docs/release-notes/v0_19_0.mdx
+++ b/website/content/docs/release-notes/v0_19_0.mdx
@@ -53,6 +53,19 @@ description: >-
+
+ |
+ Error when sending requests to aliases using HCP Boundary
+ |
+
+ A known issue that was caused by the way default grants were previously configured in HCP Boundary could cause you to receive 500 errors when you attempted to list resolvable aliases. The issue has been resolved. Any clusters that you created on or after April 26, 2025 should not have the issue.
+
+ You can add grants to resolve the error for any older clusters that exhibit this behavior.
+
+ Learn more: Known issues and breaking changes
+ |
+
+
@@ -289,5 +302,35 @@ description: >-
+
+
+ 0.19.0
+
+ (Fixed in 0.19.2)
+ |
+
+ 500 error when attempting to list resolvable aliases
+ |
+
+ In HCP Boundary, you may receive a 500 error when you attempt to list resolvable aliases. This is a known issue that is caused by the way default grants were previously configured in HCP Boundary. The issue has been resolved, and any clusters that were created on or after April 26, 2025 should not have the issue.
+
+ For any clusters created before April 26, 2025, you can add grants to resolve the error:
+
+ - Create a role in the
global scope and assign it to the u_auth user.
+ - Configure the role to apply to all
descendants in the global scope. - Assign the following grants to the role:
+
+ ids={{.User.Id}};type=user;actions=list-resolvable-aliases
+ ids=*;type=target;actions=list,read
+
+ Learn more:
+
+ |
+
+
\ No newline at end of file