boundary targets authorize-session command failed with runtime error #1488
Comments
I have a similar issue using the SSH Vault engine. I followed the example which uses the DB engine here: https://learn.hashicorp.com/tutorials/boundary/vault-cred-brokering-quickstart For my test setup I ran Boundary and Vault in Docker containers, set up the Vault policies, created an SSH role with OTP and created a Vault token for it associated with both ssh and boundary-controller policies. On the Boundary side I could also add the credential-store and library to my scope and target without issues. But when trying to authorize-session:
Checking the Boundary logs I see almost the same output:
Also via curl:
Tested again with Vault running in systemd instead of as a Docker container. Same issues. Problem lies with Boundary running in Docker.
For me it is still not working. We have now tested with a client library which uses a POST request and added in the body section the IP we want to create the OTP for. When doing that we get the same error as @raylaijh has:
$ boundary targets authorize-session -id ttcp_k1bEH0A9Kq -addr=http://192.168.33.10:9200
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x217b670]
goroutine 1 [running]:
github.com/hashicorp/boundary/internal/cmd/commands/targetscmd.printCustomActionOutputImpl(0xc0003600a0, 0x0, 0x0, 0x0)
/go/internal/cmd/commands/targetscmd/funcs.go:822 +0x970
github.com/hashicorp/boundary/internal/cmd/commands/targetscmd.(*Command).Run(0xc0003600a0, 0xc00003a270, 0x3, 0x3, 0xc00000c030)
/go/internal/cmd/commands/targetscmd/targets.gen.go:324 +0x806
github.com/mitchellh/cli.(*CLI).Run(0xc0005a2140, 0xc0005a2140, 0xc00000c630, 0xc00008a560)
/root/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x41a
github.com/hashicorp/boundary/internal/cmd.RunCustom(0xc00003a250, 0x5, 0x5, 0xc00041fe60, 0xc000096058)
/go/internal/cmd/main.go:186 +0x846
github.com/hashicorp/boundary/internal/cmd.Run(...)
/go/internal/cmd/main.go:92
main.main()
/go/cmd/boundary/main.go:13 +0xda
Doing some other tests as well, we found: https://stackoverflow.com/questions/41858635/segmentation-violation-with-golang-channels - this makes sense when we do a PUT, and testing using an invalid Vault path we had:
$ boundary targets authorize-session -id ttcp_k1bEH0A9Kq -addr=http://192.168.33.10:9200
Error from controller when performing authorize-session on a session against target
Error information:
Kind: Internal
Message: targets.(Service).AuthorizeSession: vault.(Repository).Issue: vault.(client).post: vault: http://192.168.33.13:8200: external system issue: error #3014: Error making API request.
URL: PUT http://192.168.33.13:8200/v1/v1/ssh/creds/onetime
Code: 403. Errors:
* 1 error occurred:
* permission denied
Status: 500
context: Error from controller when performing authorize-session on a session against target
So it seems Boundary is doing a PUT request instead of POST. Using the
So the issue is definitively Boundary using the wrong method to talk to the Vault API. We have tested with version 0.4.0 without errors. It seems that since version 0.5.0 there is the issue where Boundary uses the wrong HTTP method.
Thanks @dcardozoo for the findings. I've verified as well with 0.4.0 and it worked without the errors.
@raylaijh Do you know how to make Boundary log in automatically via Vault otc SSH? So far we have created a credential library as follows:
I expected that the IP and username would be used by Boundary to log in to the server. (Without the body, the POST method does not work at all, with an HTTP 500 response, and it again tries a PUT request.) Trying to log in:
The remote server says
The scenario I was expecting from Boundary is that we do not even need to put anything in the request body, so Boundary will be clever enough to send the server IP and username to Vault, so it can create an OTP, and once the OTP is created Boundary will try to SSH automatically to the server without any prompts.
Hello @raylaijh and @dcardozoo I have been able to repro the Re the
@raylaijh and @dcardozoo, I have a PR up that should fix this issue, but in the meantime you can include the Example from my system:
Also @dcardozoo in your previous example where you were hitting a 403 I see the URL being used is
Thank you!
Thanks! Yes, I was aware of that, I just used the wrong path to check what would happen :)
When renaming credential libraries -> credential sources the target service added the credential library information to the SessionCredential response, while the target cmd was parsing the credential source. This prevents a panic like the following:
boundary targets authorize-session -id ttcp_5PS2dktESb
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x1f99a31]
goroutine 1 [running]:
github.com/hashicorp/boundary/internal/cmd/commands/targetscmd.printCustomActionOutputImpl(0xc00046c0a0)
/Users/louisruch/boundary/internal/cmd/commands/targetscmd/funcs.go:822 +0x9d1
github.com/hashicorp/boundary/internal/cmd/commands/targetscmd.(*Command).Run(0xc00046c0a0, {0xc000134030, 0x2, 0x2})
/Users/louisruch/boundary/internal/cmd/commands/targetscmd/targets.gen.go:324 +0x188b
github.com/mitchellh/cli.(*CLI).Run(0xc0001c6500)
/Users/louisruch/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x5f8
github.com/hashicorp/boundary/internal/cmd.RunCustom({0xc000134010, 0x60, 0x0}, 0x0)
/Users/louisruch/boundary/internal/cmd/main.go:186 +0x9d6
github.com/hashicorp/boundary/internal/cmd.Run(...)
/Users/louisruch/boundary/internal/cmd/main.go:92
main.main()
/Users/louisruch/boundary/cmd/boundary/main.go:13 +0xc9
Fixes #1488
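The field mismatch described in the commit message above, reduced to a stand-alone Go program. This is an added example, not Boundary's code: the struct types, JSON field names and sample response are assumptions constructed for illustration. It shows the unchecked dereference panicking when the server fills in only the old field, next to a nil-checked variant that accepts either field.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical types modelling the mismatch; not Boundary's real API structs.
type CredentialRef struct{ ID string `json:"id"` }
type SessionCredential struct {
	CredentialLibrary *CredentialRef `json:"credential_library"` // old name, set by the server
	CredentialSource  *CredentialRef `json:"credential_source"`  // new name, read by the client
}

// Constructed sample response: only the old field is populated.
const sampleResponse = `{"credential_library":{"id":"constructed-library-id"}}`

// decode parses a response body into the hypothetical struct.
func decode(raw string) (*SessionCredential, error) {
	c := &SessionCredential{}
	return c, json.Unmarshal([]byte(raw), c)
}

// describeUnsafe dereferences the new field without a nil check.
func describeUnsafe(c *SessionCredential) string {
	return "Credential Source ID: " + c.CredentialSource.ID
}

// describeSafe accepts either field and returns an error instead of panicking.
func describeSafe(c *SessionCredential) (string, error) {
	for _, src := range []*CredentialRef{c.CredentialSource, c.CredentialLibrary} {
		if src != nil {
			return "Credential Source ID: " + src.ID, nil
		}
	}
	return "", fmt.Errorf("session credential carries no source information")
}

// tryUnsafe reports whether describeUnsafe panics for c.
func tryUnsafe(c *SessionCredential) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = describeUnsafe(c)
	return false
}

func main() {
	c, err := decode(sampleResponse)
	out, derr := describeSafe(c)
	fmt.Println(err, tryUnsafe(c), out, derr)
}
```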
Trying to log in to Boundary from Vault, could anyone help me out here?
boundary targets authorize-session -id ttcp_1234567890 -addr=http://172.26.5.104:9200
Error from controller when performing authorize-session on a session against target
Error information:
Code: 403. Errors:
Status: 500
Describe the bug
boundary targets authorize-session command failed with runtime error.
To Reproduce
Steps to reproduce the behavior:
boundary targets authorize-session -id ttcp_hOMcjCWSVa
and error occurred as below.
Expected behavior
Command to work and Vault is able to broker credentials for Boundary user.
Additional context
Running Boundary 0.5.1 on docker container, and Vault as well. My setup is based in the zip archive below.
Archive.zip