[HN Gopher] HashiCorp Boundary
       ___________________________________________________________________
        
       HashiCorp Boundary
        
       Author : yongshin
       Score  : 392 points
       Date   : 2020-10-14 15:55 UTC (7 hours ago)
        
 (HTM) web link (www.hashicorp.com)
 (TXT) w3m dump (www.hashicorp.com)
        
       | rodgerd wrote:
       | This looks wonderful. I spend a lot of time and energy trying to
       | keep people from breaking modern infra with 1980s IP-based
       | security models, and this could be another tool in the arsenal to
       | help with that.
        
       | fasteo wrote:
       | Honest question: how is it different/better than setting up a
       | OpenVPN server ?
        
         | anderspitman wrote:
         | Search terms "BeyondCorp" and "Zero trust" will get you
         | started.
        
       | GNOMES wrote:
       | Interesting, seems similar to Cloudflare One that was announced
       | the other day.
       | 
       | https://news.ycombinator.com/item?id=24753940
        
       | candiddevmike wrote:
       | It looks like you still have to manage users on the hosts for
       | PAM, including SSH keys (or use Vault I suppose). It's too bad
       | that this can't perform all of that functionality--setup a
       | server, install a boundary client, and manage all of the PAM
       | things through Boundary.
        
         | malnick wrote:
         | We plan on integrating with Vault to perform transparent
          | credentials injection in the not too distant future. This is
         | a 0.1 product after all, and we still have a lot to build!
        
       | teknopaul wrote:
        | This is great, I hope where I work never implements it :)
       | Getting access to everything in "one hop" is mighty convenient.
       | Especially now that one hop involves 2fa and finding my phone
       | down the back of the sofa while production has a sev one.
        
       | nosequel wrote:
       | I think you meant to write "boundaq".
        
       | luminousbit wrote:
       | Personally I've been a big fan of strongDM
       | (https://www.strongdm.com/).
       | 
       | Lightyears ahead of teleport or any of the other solutions out
       | there. Built for great auditing and zero trust.
       | 
       | Best of all it's multi-protocol. So you can do SSH, SQL, K8s,
       | HTTP all with one access system.
       | 
       | Had it in prod for almost two years. Gonna be a long time before
       | hashicorp or anyone else can catch up with the level of depth.
        
         | pferde wrote:
         | StrongDM does indeed look interesting. Can it be completely
         | self-hosted? I am asking because some of the architecture docs
         | mentioned "app.strongdm.com" as a necessary element, which has
         | a webpage behind a (customer?) login. This is an external
         | dependency that is not acceptable for my use case.
         | 
         | I haven't found a conclusive answer in their documentation yet.
        
           | jmccarthy wrote:
           | Justin here, co-founder and CTO of strongDM. The policy and
           | audit functions of our product are hosted by us, but all the
           | sensitive data transit - the proxies themselves - are hosted
           | by you. Hope that helps!
        
       | wyck wrote:
       | With a name like HashiCorp I expected this to be a decentralized
       | blockchain identity network similar to IBM's Sovrin, still really
        | cool though, managing IDs and permissions is such a pita.
        
         | wmf wrote:
         | HashiCorp predates most of the blockchain hype; it's named
         | after founder Mitchell Hashimoto.
        
       | latentpot wrote:
       | Is this very similar to cyberark, but without the logging and
       | recording of usage?
        
       | cbb330 wrote:
       | There are a few comparisons being introduced already in this
       | thread, and I'm tempted to ask of more, so I'd love to see
       | documentation on this vs. other solutions like is presented with
       | Terraform:
       | 
       | https://www.terraform.io/intro/vs/index.html
        
         | hossi wrote:
         | Since you asked, we have a commercial zero-trust product very
         | similar to this. As a quick comparison: In our architecture,
         | the worker node (extender) only needs outbound direct access to
         | contact the master node. Unlike many of our competitors, we
         | promote the usage of ephemeral certificates instead of secrets
         | management or minting. We support a number of identity
         | providers and dynamic host directories. Connections can be
         | formed either with native clients or web browser (SSH, RDP,
         | HTTPS) with session recording for auditing purposes. Check it
         | out here https://www.ssh.com/products/privx/
        
       | nokiasa1 wrote:
       | Can anyone explain if this can be used to share a linux samba
       | server shares? If yes, could you point me out to right direction.
       | Thanks
        
         | jon-wood wrote:
         | I'm sure it can, given at its core it just tunnels traffic from
         | one place to another, but to be brutally honest this is a 0.1
         | release and if you can't work out how to do this from the
         | documentation you're going to have a really bad time working
         | out why it broke down the line.
        
       | faitswulff wrote:
       | > With Boundary, access is based on the trusted identity of the
       | user, rather than their network location. The user connects and
       | authenticates to Boundary, then based on their assigned roles
       | they can connect to available hosts, services, or cloud
       | resources.
       | 
       | Is this the main idea behind BeyondCorp and CloudFlare One, as
       | well? If so this is the clearest explanation I've seen of it.
        
         | cratermoon wrote:
         | It is and it's something I noted, too.
        
       | jolux wrote:
       | Seems like the BeyondCorp-ish "zero trust" remote access space is
       | heating up. This looks similar in some ways to Cloudflare One
       | which was announced Monday:
       | https://blog.cloudflare.com/introducing-cloudflare-one/
        
         | cavisne wrote:
         | Not surprising when corporate VPNs have gone from a handful of
         | the company working from home to the entire company working
         | from home.
        
         | basch wrote:
          | It's already pretty crowded. https://telegra.ph/ZeroTrust-Vendors-04-23
         | 
         | Expect consolidation. That or it becomes a commodity
         | expectation of any other purchase, and not a selling point.
        
           | jolux wrote:
           | I'm expecting both. Probably a standard AWS/IAM feature
           | eventually.
        
         | lizhang wrote:
         | I'm guessing the Cloudflare One announcement forced Hashicorp
         | to announce this so they wouldn't lose a lot of potential
         | customers due to vendor lock-in.
        
       | warkdarrior wrote:
       | This looks like an authenticated proxy. I assume you would need
       | to locally reconfigure your clients (ssh, browser, whatever) to
       | use the Boundary server as a proxy.
        
         | parliament32 wrote:
         | Other way around, boundary needs to exec your client
         | application. They're more clear about how it works here:
         | https://www.boundaryproject.io/docs/getting-started/connect-...
         | 
         | Boundary comes with built-in wrappers for ssh, rdp, and
         | postgres, but you can "boundary exec" to run some other
         | application inside the TCP-wrapped transport, apparently.
        
           | zokier wrote:
           | Some sort of LD_PRELOAD style trickery? Or are they
           | intercepting syscalls?
           | 
           | edit: seems nothing that complicated, more like ssh-style
           | tunnel where Boundary has a local listening socket which you
           | need to point the client to. That is if I'm understanding it
           | correctly.
        
             | armon wrote:
             | That is correct! The local proxy has a listening socket and
             | handles all the authentication, encapsulation, and
             | forwarding transparently.
        
               | parliament32 wrote:
               | So does it intercept all connections on that port (from
               | the client app) and pass them along? Or do I need to
               | reconfigure my client application to talk to
               | localhost:whatever? Your only example is that curl using
               | a hostname, it's not really clear.
        
               | armon wrote:
               | You would point the application at the local port. It
               | operates very similarly to SSH port forwarding. No fancy
               | magic to intercept all traffic.
        
               | philsnow wrote:
               | mostly copy-pasta from an earlier comment[0] of mine:
               | 
               | https://github.com/99designs/aws-vault/issues/578 was for
               | an issue with remote servers accessing the localhost ec2
               | metadata service that aws-vault can run, that worked
               | exactly by using DNS rebinding. It was fixed only months
               | ago, so it seems like this is a developing area and if I
               | were on a red team or pen testing, I would play around
               | with more.
               | 
               | I visualize the "localhost hole" problem of blindly
               | trusting localhost as an air gap in a pipe (like [0]);
               | anybody could come along and either drop poison in the
               | pipe, or redirect the water coming from the top to their
               | own bucket, or both.
               | 
               | I appreciate that Boundary gives completely generic
               | identity-aware-authenticated TCP sockets, but I don't
               | know of a way, today, to make those not accessible to
               | browsers through dns rebinding attacks.
               | 
               | This is probably much much too far in the weeds and this
               | is unlikely to contribute to a major breach (unlike the
               | aws-vault one where of course attackers would try to
               | access the fake metadata service on the default port,
               | because it's high-value and on a well-known port), but
               | I'm interested in the space.
               | 
                | [0] https://news.ycombinator.com/item?id=23265509
                | [1] https://districtsales.ca/wp-content/uploads/2019/07/tru-gap-...
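The model armon describes above (a local listening socket that you point your client at, much like `ssh -L`) and the localhost-trust concern philsnow raises, as an added Go example that is not Boundary's code or anything posted in the thread: a loopback-only TCP forwarder in front of a stand-in echo service, plus the Host-header check that an HTTP service sitting on such a port would apply against DNS rebinding. Every name here (`StartForwarder`, `relay`, `IsLoopbackHost`, `StartEchoServer`, `RoundTrip`) and the echo upstream are assumptions constructed for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"
)

// IsLoopbackHost reports whether a host or host:port names this machine. It
// gates the listen address below and doubles as the usual DNS-rebinding check
// for an HTTP service on a loopback port: a rebound browser still sends the
// external name in its Host header, so such requests can be refused.
func IsLoopbackHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]")
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// serve runs the accept loop for ln until the listener is closed.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go handle(c)
	}
}

// StartForwarder opens a local listening socket and relays each accepted
// connection to target; the client is simply pointed at ln.Addr().
func StartForwarder(listenAddr, target string) (net.Listener, error) {
	if !IsLoopbackHost(listenAddr) {
		return nil, fmt.Errorf("refusing non-loopback listen address %q", listenAddr)
	}
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go serve(ln, func(c net.Conn) { relay(c, target) })
	return ln, nil
}

// relay copies bytes both ways; EOF on one leg is half-closed onto the other.
func relay(client net.Conn, target string) {
	defer client.Close()
	upstream, err := net.Dial("tcp", target)
	if err != nil {
		return
	}
	defer upstream.Close()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); io.Copy(upstream, client); upstream.(*net.TCPConn).CloseWrite() }()
	go func() { defer wg.Done(); io.Copy(client, upstream); client.(*net.TCPConn).CloseWrite() }()
	wg.Wait()
}

// StartEchoServer stands in for the remote service (constructed for this demo).
func StartEchoServer(addr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	go serve(ln, func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
	return ln, nil
}

// RoundTrip is the client side: dial addr, send one line, read one line back.
func RoundTrip(addr, msg string) (string, error) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	fmt.Fprintf(c, "%s\n", msg)
	line, err := bufio.NewReader(c).ReadString('\n')
	return strings.TrimSuffix(line, "\n"), err
}

func main() {
	echo, err := StartEchoServer("127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	fw, err := StartForwarder("127.0.0.1:0", echo.Addr().String())
	if err != nil {
		panic(err)
	}
	reply, err := RoundTrip(fw.Addr().String(), "hello via the local proxy")
	fmt.Printf("client -> %s -> %s echoed %q (err=%v)\n", fw.Addr(), echo.Addr(), reply, err)
}
```

The forwarder does nothing clever with the bytes, which is the point of the thread: the application talks to `127.0.0.1:<port>` and the relay carries the stream to wherever the target is. The same fact is the limitation philsnow points at, because anything on the machine (a process, or a browser that was rebound to a loopback address) can reach that port too. Binding only to loopback keeps the listener off the network, and `IsLoopbackHost` applied to the Host header is the check an HTTP service behind such a port can use to refuse rebound requests; an opaque TCP relay cannot apply it, so the protocol on top has to.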
        
       | bluu00 wrote:
       | https://web.archive.org/web/20201014160020/https://www.hashi...
       | 
       | link wasn't working for me, so.
        
       | marmaduke wrote:
       | This looks like an interesting alternative to k8s ingress, even
       | if the goal is similar, especially when the default ingress
       | controllers don't support e.g. SSH.
       | 
       | Way too much ceremony for scientific compute sites tho
        
       | PaulWaldman wrote:
       | I want to give a shout out to Tailscale. It relies on Wireguard
       | and has been dead simple to setup and configure. Stability has
       | been great as well.
        
         | arcticfox wrote:
         | I am also a big Tailscale fan, is anyone able to do a quick
         | comparison on how Boundary relates?
        
           | basch wrote:
            | Tailscale isn't a deny first, allow based on role/condition
           | type product. Tailscale creates the equivalent of a wide open
           | lan (it has other isolation options but that kind of control
            | based on the identity of the person on the network, isn't its
           | intended goal) where everyone connected can see everyone
           | else.
        
             | philsnow wrote:
             | From what little I know of both, Tailscale provides L2
             | access into a network that you might not otherwise have
             | access and once you're in you can get anywhere from there,
             | but Boundary hands out individual, already-connected TCP
             | sockets directly to services running on endpoints.
             | 
             | If you're looking for something like a VPN and you're just
             | going to SSH over it, either would probably work for you,
             | but while Boundary can allow users to only connect to port
             | 22 on certain hosts, I think if you wanted to do similar
             | with Tailscale you'd be in iptables/ufw and "tagging /
             | authz-ing traffic with unix uids" territory.
        
               | lifty wrote:
               | Tailscale is based on wireguard, so only does L3.
        
       | t3rabytes wrote:
       | > When a user establishes a TCP session through Boundary, a
       | Boundary worker node seamlessly proxies the connection.
       | 
       | Boundary sounds like the perfect mash-up of Google's bastion-less
       | SSH access to GCE instances and actual IAM. Exciting!
        
       | 0xFFFE wrote:
       | Looks like Yahoo's Athenz https://github.com/yahoo/athenz
        
       | yegle wrote:
       | Looks like Google's BeyondCorp:
       | https://cloud.google.com/beyondcorp. If you are on GCP, you can
       | already use it https://cloud.google.com/iap to protect your HTTP
       | and TCP backend.
       | 
       | This is not something new. The earliest open source project that
       | I can recall is https://github.com/bitly/oauth2_proxy (albeit it
       | might be missing the part where proxy passing identity to the
       | backend).
       | 
       | Pomerium is another open source project that's actively
       | maintained. I've been using it as a reverse proxy to all my
       | homelab websites (grafana, miniflux etc). I can now safely access
       | all of these internal resources from outside of my home WiFi with
       | automated SSL certificate configuration and renewal.
       | 
       | You can theoretically protect your SSH connection via these IAP
       | proxies, using the Chrome SSH extension and open source SSH relay
       | implementation like https://github.com/zyclonite/nassh-relay (but
       | I personally haven't tried that).
       | 
       | Disclaimer: I work for Google and am a casual contributor to the
       | Pomerium project.
        
         | windexh8er wrote:
         | Also looks very much like Gravitational Teleport [0], which has
         | been amazing to use. Teleport has a lot of advantages over
          | Boundary right now based on its architecture. But Hashi does a
         | good job of iterating quickly, so I'd guess as with most of
         | their products, it evolves quickly.
         | 
         | [0] https://gravitational.com/teleport/
         | 
         | Disclaimer: I have no affiliation with any of these companies.
        
           | francislavoie wrote:
           | Looks like RBAC and SSO are paid features with Teleport (but
           | I may be misunderstanding)
        
             | windexh8er wrote:
             | RBAC is paid for, but "Enterprise SSO" is different than
             | the SSO supported in the Community Edition - it's described
             | on their site as: "SSO with Enterprise Identity". They
             | list: Okta, Sailpoint, Active Directory, OneLogin, G Suite,
             | and Auth0 as examples. But, you still get SSO in Community
             | Edition.
        
               | francislavoie wrote:
               | My company self-hosts LDAP, so that's essentially a
               | dealbreaker for us.
        
           | res0nat0r wrote:
           | Also similar to Cloudflare One which was just announced:
           | https://blog.cloudflare.com/introducing-cloudflare-one/
           | 
           | I think moving away from VPN's is gaining more adoption and a
           | good thing overall.
        
         | cratermoon wrote:
         | I immediately thought of BeyondCorp as well, and I have only
         | read the papers about it. At my employer, which isn't even that
         | large, we have on-prem hardware running VMs and k8s, some stuff
         | in AWS, some stuff in Azure, and employees all over the world
         | with various devices coming in through a VPN.
         | 
         | The old distinction of "internal network" and "external
         | network" doesn't make much sense.
        
         | sshahone wrote:
         | Since you mentioned you're a contributor to a similar project,
         | I invite you to check our recently released zero trust service
         | access control solution: https://github.com/seknox/trasa
         | 
          | It's a BeyondCorp-like user identity and layer 7 aware access
         | proxy for RDP, SSH, Web, and Database protocols with privileged
         | access management, native two-factor auth agents, and device
         | trust policies.
         | 
         | Disclaimer: I am a core maintainer of this project.
        
         | aprdm wrote:
         | Even if they were the same a big difference is that Hashicorp
          | tools usually work on-prem and are OSS.
         | 
          | By default I expect Google to try to lock me into GCP, and I do
          | not trust their OSS tools.
        
         | look_lookatme wrote:
         | You can use https://github.com/cloudflare/nginx-google-oauth to
         | do this with nginx too.
        
           | tehalex wrote:
           | I've used this before & it was great - however both this and
            | the bitly oauth2 proxy linked above are archived.
           | 
           | https://github.com/oauth2-proxy/oauth2-proxy is a maintained
           | fork.
        
       | throwaway873993 wrote:
       | I'd rather use https://userify.com/
        
       | buzzdenver wrote:
       | How does your system compare to Appgate?
        
       | mitchellh wrote:
       | Hello HN! I'm the founder of HashiCorp.
       | 
       | I'm excited to see Boundary here! I want to note a few things
       | about Boundary, why we made it, why it is different than other
       | solutions in the space, etc.
       | 
       | * Boundary is free and open source. Similar to when we built
       | Vault, we feel like the solution-space for identity-based
       | security is too commercialized. We want to provide access to this
       | type of security to a broader set of people because we feel it's
       | the right way to think about access control. Note: of course as
        | a company we plan on commercializing Boundary at some point,
       | but we'll do this similarly to Vault, the major featureset of
       | Boundary will remain free and open source forever.
       | 
       | * Dynamic resource catalogs. Other tools in this space usually
       | require manually maintaining a catalog of servers, databases,
       | applications, etc. We're integrating Boundary closely with
       | Terraform, AWS/GCP/Azure, Kubernetes, etc. to give you live auto-
       | updating catalogs based on tags. (Note: this feature is coming in
       | 0.2, and not in this initial release, but is well planned at this
       | point)
       | 
       | * Dynamic credentials. Existing tools often require static
       | credentials. Boundary 0.1 uses static credentials, too, but we're
       | already working on integrating Boundary with Vault and other
       | systems to provide full end-to-end dynamic credentials. You
       | authenticate with your identity, and instead of reusing the same
       | credentials on the backend, we pull dynamic per-session
       | credentials.
       | 
       | And more! Remember this is a 0.1 release. We have a lot of vision
       | and roadmap laid out for this project and we are hard at work on
       | that now. We're really excited about what's to come here.
       | 
       | Specifically, as a 0.1, Boundary focuses in on layer 3
       | connections (TCP) with minimal layer 7 awareness for protocols
       | such as SSH. This will be expanded dramatically to support
       | multiple DB protocols, Microsoft Remote Desktop, and more.
       | 
       | Also, we're releasing another new product tomorrow that is more
       | developer-focused, if security is not your cup of tea. Stay
       | tuned.
       | 
       | The Boundary team and I will be around the comments to answer any
       | questions.
        
         | candiddevmike wrote:
         | > * Boundary is free and open source. Similar to when we built
         | Vault, we feel like the solution-space for identity-based
         | security is too commercialized. We want to provide access to
         | this type of security to a broader set of people because we
         | feel it's the right way to think about access control. Note: of
          | course as a company we plan on commercializing Boundary at
         | some point, but we'll do this similarly to Vault, the major
         | featureset of Boundary will remain free and open source
         | forever.
         | 
         | I hate this corporate speak. You're breaking into the space by
         | giving away (basic, as you will commercialize any advanced)
         | features under the guise of open source altruism. The products
         | HashiCorp sells are open core, and you should be more honest
         | about it (GitLab is!). I wish you operated more like other,
         | real, open source companies that use subscriptions or managed
         | service offerings and don't lock features behind various
         | obscure pricing tiers. This is Shareware 2.0.
         | 
         | The difference between what HashiCorp does and what a real open
         | source company like Rancher does is stark: HashiCorp has
         | products, Rancher builds communities. Contributors to
            | HashiCorp's stuff have to play in a very specific sandbox, lest
         | they implement lucrative features. Contributors to Rancher help
         | the community at large and have full visibility into the
         | codebase, empowering them to fix or add functionality without
         | restrictions.
        
           | nexuist wrote:
           | How is this corporate speak? If an indie dev said his/her
           | project is going to be open source initially and then newer
           | features would get monetized, would your first thought be
           | that this dev is "breaking into the space under the guise of
           | open source altruism"?
        
             | a1369209993 wrote:
             | If they started out by misleadingly[0] describing it as
             | "$THING is free and open source."? Yes!
             | 
              | Edit: 0: It's (presumably) technically not false _now_,
             | but the implication is that $THING is honestly intended to
              | be FOSS, immediately followed by admitting that their actual
             | intent is to sabotage that embrace-extend-extinguish-style
             | as soon as it's commercially expedient to do so.
        
               | save_ferris wrote:
               | > their actual intent is to sabotage that as soon as it's
               | commercially expedient to do so.
               | 
               | Sabotage??? Wow, that's quite an accusation for a company
               | that's, you know, a company. You might have an argument
               | if they kept quiet about plans to monetize the product
               | later, but that allegation is laughable.
               | 
               | If you're not comfortable with the terms, don't use the
               | product. They're being upfront about their plans. This
               | anti-commercial position is hypocritical.
        
           | zymhan wrote:
           | There are folks who would loathe subscriptions or managed
           | services just as equally, I hope you realize that.
        
           | taxcoder wrote:
           | Username checks out.
        
           | fallat wrote:
            | The issue brought up is understandable, but the history of the
            | company we are talking about (and not just generalizing!) must
            | be considered.
           | 
           | Is HashiCorp known to do this?
           | 
           | All I've heard are good things about HashiCorp from people
           | who use HashiCorp products.
           | 
           | Second, it can't be forgotten these are companies. A company
           | exists to create value for itself in some way.
           | 
           | It's the natural behavior of any company.
           | 
           | However in my opinion, "open core" design seems to be very
           | very preferable amongst technologists (myself included).
           | Essentially we are paying for additional features which
           | normally we'd wait years from a sole contributor.
        
             | wmf wrote:
             | Some people felt burned by Vault where it looked like the
             | free version could be used in production but it couldn't
             | and then the enterprise version is very expensive.
        
               | gen220 wrote:
               | > it looks like the free version can be used in
               | production
               | 
               | I think you might be confusing vault with another
               | product?
               | 
               | We self-host vault in production, and it doesn't cost us
               | a dime.
               | 
               | (other than the engineers we pay internally to operate
               | it, of course)
        
               | atonse wrote:
               | Err what? Vault can absolutely be used in production for
               | free. If you want the enterprise features, then you pay.
        
               | Diederich wrote:
               | Why can't the free version of Vault be used in
               | production?
        
               | wmf wrote:
               | I think the problem was that auto-unseal wasn't free (it
               | is now, so kudos to HashiCorp for listening).
        
               | modderation wrote:
               | Production-worthiness depends on your needs. The free
               | edition is perfectly good for most people, however there
               | are several features and modules that are only available
               | in the Enterprise Edition. Notably, some of the disaster
               | recovery, scaleout, and multifactor authentication
               | features cost extra.
               | 
               | ref: https://www.hashicorp.com/products/vault/pricing
        
           | save_ferris wrote:
           | > I wish you operated more like other, real, open source
           | companies that use subscriptions or managed service offerings
           | and don't lock features behind various obscure pricing tiers.
           | 
           | "I want all of the functionality I want without having to pay
           | for it." I hate how discussions around software businesses so
           | often descend into purity tests around how much a company
           | chooses to give away. Software is indeed eating the world,
           | but the eternal battle of who has to pay for the underlying
           | tools of said software continues.
        
           | fishnchips wrote:
           | I think it's not a fair thing to say. HashiCorp's projects
           | are using MPL 2.0, and please correct me if I'm wrong
           | (IANAL!) it would allow you to create an open source fork of
           | say consul, call it OpenConsul and continue development
           | there. That this hasn't happened yet (or if it did, it never
           | gained any traction) is a testament to HashiCorp being a
           | responsible custodian of its projects and their respective
           | communities.
        
           | kodah wrote:
           | Man, this really represents the rift in Open Source and
           | Corporate development right now. It seems like there are
           | developers who contribute to Open Source because they like
           | the mission, the impact, and the values. In contrast, there
           | are others who contribute to open source because their job
           | requires or mandates it. Then there's people who have a mix
           | of both.
           | 
           | All three have wildly different values and historically
           | corporations aren't very good at listening to anyone that
           | isn't waving a check. They use reasoning like "priorities" to
           | close source formerly open source projects, bend project
           | values to reflect their own values, and wedge projects with
           | funding in exchange for representation or control. Corporate
           | controlled and born projects are often used as marketing or
           | for good PR, a cursory browsing of a company's Twitter page
           | will show how they utilize it for this type of end.
           | 
           | I don't really read Mitchell's speak as corporate or double
           | speak, but I do think that referring to HashiCorp (and other)
           | projects as "open source" is a half truth. The line that I
           | draw here is that I don't think Mitchell is lying, rather, I
           | think that open source is now an umbrella term that means
           | very little and really terms like open core, free and open
           | source software, etc are more concise. We owe that outcome to
           | inviting our corporate friends into the fold of open source
           | with not enough restrictions, tracking, and accountability
           | but there's a piece of me that feels this outcome was largely
           | intentional because it's become a means to an end as I
           | described above. These could just be feelings but the
           | situation is common enough that it's relatable.
           | 
           | I'd encourage corporations to be more transparent in their
           | verbiage, their investments, and their representation in
           | these projects so that it doesn't continue to confuse people
           | who participate in and enjoy the "free" side of open source.
           | When I look at an open source project I'd love to know if a
           | majority of the maintainers or funding comes from a
           | corporation. If those things are true, then as someone who
           | highly believes in the ideals of free software I may want to
           | stay far away from people who are susceptible to corporate
           | influence and values. On the other hand, that increased
           | transparency may help clear the air and prevent issues from
           | being perceived as non-transparent or outright
           | misrepresentation.
        
           | mitchellh wrote:
           | I'm sorry, I'm not trying to use any doublespeak here.
           | 
           | Boundary is free and open source. There is no corporate speak
           | here. It is FOSS licensed (MPL2) and everything announced
           | today is completely FOSS.
           | 
           | We do sell open core software and if there is any place where
           | you feel we aren't being honest about that please let me know
           | and I'll work to address that. I added that "NOTE" at the end
           | of the point specifically to ensure I was being honest and
           | show I wasn't trying to hide anything.
           | 
           | We are also starting to offer managed services for folks who
           | prefer to consume our software that way. The managed service
           | offerings do unlock the typically enterprise features.
            | Example: https://www.hashicorp.com/blog/hcp-consul-public-beta
        
         | A_No_Name_Mouse wrote:
         | Is there a simple paper that explains how this works on a
         | technical level? I have a hard time visualizing how a
         | connection to a remote host would be set up if it runs through
         | Boundary. Does "without requiring direct network access" mean
         | Boundary works as a proxy? And how does Boundary enable the
         | connection if the host does not have direct network access?
        
           | armon wrote:
           | We don't have a white paper on this yet, but we have a white
           | board video that explains both how it works conceptually as
           | well as at a more technical level of deployment architecture
            | and data flow.
            | https://www.youtube.com/watch?v=tUMe7EsXYBQ&feature=emb_titl...
        
             | emddudley wrote:
             | This is a really nice video. I appreciate the patient
             | walkthrough of the concepts and motivation.
        
             | A_No_Name_Mouse wrote:
             | Wonderful video, really clear!
        
           | jefferai wrote:
           | By "direct network access" we mean between the client and the
           | end host. The Boundary worker node (which proxies traffic)
           | would need to be able to make a network connection to the end
           | host, and the client in turn would need to be able to make a
           | network connection to the worker node.
           | 
           | This indirection provides a way to keep your public and
           | private (or even private and private) networks distinct to
           | remove "being on the same network" as a sufficient credential
           | for access. At the same time, it ensures that the traffic is
           | only proxied if that particular session is authenticated.
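The proxying model jefferai describes, as an added illustration that is not Boundary's code: a toy worker accepts a client connection, reads a session token, and dials the end host only if a controller has previously bound that token to exactly one target. The `Session`/`Worker` types, the one-line token handshake, and the loopback echo service standing in for the end host are all assumptions made for the example; Boundary's real session records, wire format, and TLS handling are different.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"
)

// Session is what a controller would hand a worker after authenticating the
// user: an opaque token bound to one target address (hypothetical shape).
type Session struct {
	Token  string
	Target string // host:port the worker may dial for this session only
}

// Worker is a TCP proxy that only forwards for sessions it knows about.
type Worker struct {
	mu       sync.RWMutex
	sessions map[string]Session
}

func NewWorker() *Worker { return &Worker{sessions: map[string]Session{}} }

// Authorize registers a session; in a real deployment the controller does this.
func (w *Worker) Authorize(s Session) {
	w.mu.Lock()
	defer w.mu.Unlock()
	w.sessions[s.Token] = s
}

// Lookup returns the target bound to token, or false for an unknown token.
func (w *Worker) Lookup(token string) (string, bool) {
	w.mu.RLock()
	defer w.mu.RUnlock()
	s, ok := w.sessions[token]
	return s.Target, ok
}

// handle reads one line (the session token) from the client. Only a known
// token causes a dial toward the private side; otherwise no packet ever
// leaves the worker for the target and the client gets an error line.
func (w *Worker) handle(c net.Conn) {
	defer c.Close()
	r := bufio.NewReader(c)
	line, err := r.ReadString('\n')
	if err != nil {
		return
	}
	target, ok := w.Lookup(strings.TrimSpace(line))
	if !ok {
		fmt.Fprintln(c, "ERR unauthorized session")
		return
	}
	up, err := net.Dial("tcp", target)
	if err != nil {
		fmt.Fprintln(c, "ERR target unreachable")
		return
	}
	defer up.Close()
	fmt.Fprintln(c, "OK")
	// Copy client->target from the buffered reader so no bytes are lost, and
	// half-close the upstream when the client stops writing.
	go func() {
		io.Copy(up, r)
		up.(*net.TCPConn).CloseWrite()
	}()
	io.Copy(c, up)
}

// listen starts a loopback TCP listener that hands each connection to handler.
func listen(handler func(net.Conn)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go handler(c)
		}
	}()
	return ln.Addr().String(), nil
}

// StartWorker serves the worker on loopback and returns its address.
func StartWorker(w *Worker) (string, error) { return listen(w.handle) }

// StartEcho stands in for the "end host": a loopback echo service (constructed).
func StartEcho() (string, error) {
	return listen(func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
}

// Roundtrip is the client side: present a token and, if accepted, send one
// line through the proxy and return what the end host echoed back.
func Roundtrip(workerAddr, token, payload string) (status, reply string, err error) {
	c, err := net.Dial("tcp", workerAddr)
	if err != nil {
		return "", "", err
	}
	defer c.Close()
	r := bufio.NewReader(c)
	fmt.Fprintf(c, "%s\n", token)
	if status, err = r.ReadString('\n'); err != nil {
		return "", "", err
	}
	if status = strings.TrimSpace(status); status != "OK" {
		return status, "", nil
	}
	fmt.Fprintf(c, "%s\n", payload)
	if reply, err = r.ReadString('\n'); err != nil {
		return status, "", err
	}
	return status, strings.TrimSpace(reply), nil
}
```

The point to notice is the ordering inside `handle`: the token lookup happens before `net.Dial`, so an unauthenticated client never causes the worker to touch the private network at all, which is what lets "being able to reach the worker" stop being a sufficient credential.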
        
             | A_No_Name_Mouse wrote:
             | I can see how that works for an internal network. How does
             | this work for SaaS solutions that would normally be
             | directly on the internet? Would they have to be "shielded"
             | to be on a private network and somehow be "Boundary
             | enabled"?
             | 
             | And could this be done in a way that is completely
             | transparent to the user (without them having to start a
             | connection to the worker first, and then make a connection
             | to the desired service)?
        
               | jefferai wrote:
               | Generally speaking this is designed for accessing your
               | own systems, not the systems of a third party being
               | consumed as a SaaS. That said, any such provider that
               | allows you to restrict the set of IPs allowed to make
               | calls to the service would operate in a Boundary-friendly
               | mode.
        
               | pliu wrote:
               | It would be interesting if the networking model for the
               | end targets could also be inverted, so that an agent (or
               | something) on the end target could make an outbound
               | connection to establish a reverse tunnel to the proxy
               | that user connections could then be sent over.
               | 
               | The use case I'm thinking of is for IoT or robotics,
               | where you have devices you want to manage being deployed
               | into remote networks that you don't have much control
               | over. It's really helpful in this situation if devices
               | make outbound connections only, so that network operators
               | don't have to configure their firewalls to port forward
               | or set up a VPN.
               | 
               | Edit: clearer language
        
         | lifty wrote:
         | Hey Mitchell, congrats on the new announcements, great stuff!
         | Out of curiosity, how are you building and operate HCP? Are you
         | running it on top of Kubernetes or Nomad, or you're doing some
         | other custom stuff?
        
           | mitchellh wrote:
            | - Full HashiCorp stack (Nomad, Consul, Vault, Terraform)
            | 
            | - Cadence (https://temporal.io/)
            | 
            | - Microservice architecture over gRPC and Consul Connect
            | 
            | - All services written in Go
            | 
            | - Customer clusters are created/managed by programmatically
            | running Terraform using just-in-time cloud credentials from
            | Vault
            | 
            | - All internal TLS certs for customer clusters dynamically
            | created using Vault
            | 
            | - All external TLS certs for customer clusters dynamically
            | created using LetsEncrypt via Terraform
            | 
            | - Frontend is Ember
        
             | digitallogic wrote:
             | > Customer clusters are created/managed by programmatically
             | running Terraform
             | 
             | I have soooo many questions about best practices doing
             | this. I run a service that needs to dynamically provision
             | AWS resources, and lacking a clear path to do this
             | programmatically, I shell out to Terraform.
             | 
              | * I assume you aren't shelling out :). Do you have any
              | additional helper libraries on top of the Terraform code
              | base to make it more of a programmatically consumable
              | API, as opposed to an end user application?
             | 
             | * Are you still pointing at a directory with resources
             | defined in HCL, or are the resources defined
             | programmatically?
             | 
             | * What are you using for state storage?
             | 
             | * What is the execution environment for the programmatic
             | Terraform process? Since Terraform uses external processes
             | for plugins, I've hit some issues with resource constraints
             | around the max number of process sysctl's in containerized
             | environment where I have multiple Terraform processes
             | running in the same container.
             | 
             | edit: formatting
        
         | zellyn wrote:
         | Looks great! A couple of questions:
         | 
         | Can you view logs of SSH sessions after the fact?
         | 
         | Can you live-view a session?
         | 
         | Can you require a pairing authorization like with
         | https://github.com/square/sudo_pair?
        
           | mitchellh wrote:
           | All of the above is on the roadmap.
           | 
           | Our initial focus is on making the connections easy. We have
           | some work to do there still. We'll then move on to more
           | management features like this. They're both super important
           | but from an initial adoption perspective we feel the latter
           | is moot if the former (connections) don't work easily.
        
             | zellyn wrote:
             | Makes sense. You should integrate TailScale too, so you
             | don't need to shunt traffic through the boundary nodes
        
         | mike-cardwell wrote:
         | Argh. I already find it a nightmare to figure out how to
         | combine hashicorp tools together. Now there's one more! ;)
         | 
         | E.g, if I want a Consul backed Vault, whilst using Vault to
         | generate TLS certs or other creds for Consul. Especially if I
         | want to run either/both of those services using Nomad, backed
          | by Consul. Hopefully I won't have the option of authenticating
          | against any of these services using Boundary. Especially if
          | Boundary is backed by Consul.
        
           | mitchellh wrote:
           | Indeed. Our recommendation with Vault now is to use the
           | built-in storage[1] to break that dependency. If you must use
           | Consul, we recommend separate clusters.
           | 
           | One way we're simplifying this a lot for people is the
           | introduction of our managed services[2][3]. We understand not
           | everyone can use a managed service though!
           | 
           | Boundary will integrate fairly deeply with Consul/Vault but
           | these integrations will be optional.
           | 
           | [1]:
           | https://www.vaultproject.io/docs/configuration/storage/raft
           | [2]: https://www.hashicorp.com/blog/hcp-consul-public-beta
            | [3]: https://www.hashicorp.com/blog/vault-on-the-hashicorp-cloud-...
        
             | mike-cardwell wrote:
             | Thanks for the response. My comment was half in jest, but
             | it _has_ been a pain point for me.
        
           | jaquers wrote:
           | This comment resonates with me so hard. Specifically TLS
           | certs, private certificate authorities and Consul. Like I
           | wanna run my PCA out of Vault (right?), but if using Consul
           | as the backend how do I bootstrap? Sounds like the reply from
           | Michael seems to suggest running the integrated backend,
           | which I can get behind.
        
             | chucky_z wrote:
             | So I actually do this today, and I use Vault. This sounds
             | weird, but I spin up a "bootstrap PKI" Vault that is local-
             | only, and produces, e.g.: "consul.service.dc.consul" certs
             | with the issuer labeled as "bootstrap PKI intermediate" or
             | some such. I generate a full suite of these for everything
             | in a space, get it all up and running, then there's a 2nd
             | layer of automation where self-certs are issued.
             | 
             | That said, I'm moving to a central distributed Vault that
             | is mostly going to exist as a PKI so I'll only really need
             | to repeat this process once more! Going to be using the
             | raft internal engine for this one, and spread it physically
             | across the globe so performance is going to be pretty
             | terrible by design, but it should be quite resilient!
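The bootstrap-then-rotate pattern chucky_z describes, as an added example written for this thread rather than code from Vault or from the commenter: a short-lived "bootstrap PKI intermediate" CA issues the `consul.service.dc.consul` certificate needed to get the cluster up, a second CA representing the long-lived PKI takes over, and chain verification shows why the cutover needs a window in which both roots are trusted. The CA names, lifetimes and the P-256 keys are assumptions for the example; the real Vault PKI engine manages this via its own API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CA bundles a CA certificate with its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA named cn, valid for ttl (the bootstrap CA
// in the thread would be given a deliberately short ttl).
func NewCA(cn string, ttl time.Duration) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue signs a server/client certificate for dnsName, e.g. the Consul
// service name "consul.service.dc.consul" from the thread.
func (ca *CA) Issue(dnsName string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial so certificates from different CAs never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify checks that leaf chains to one of roots and is valid for dnsName;
// the roots passed here are exactly the CAs a node currently trusts.
func Verify(leaf *x509.Certificate, dnsName string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

Run through the scenario: a certificate issued by the bootstrap CA verifies against the bootstrap root, fails against the production root alone, and verifies when both are trusted. That last case is the dual-trust window during which nodes reissue their certificates from the production CA; once every node has done so, the bootstrap root is dropped and anything it ever signed stops being accepted.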
        
           | mrweasel wrote:
           | Maybe you're not using Terraform. I suspect that your problem
           | is an insufficient usage of HCL.
        
             | ETHisso2017 wrote:
             | All hail Hashi-stack!
        
               | [deleted]
        
         | time0ut wrote:
         | Do you think there will be any synergy or potential interaction
         | with consul connect at some point?
        
           | mitchellh wrote:
           | Absolutely, 100%. This is already well discussed internally.
           | :)
        
         | jcims wrote:
         | Thinking of this as a means for privileged access management,
         | would it be possible for Boundary to gather artifacts (e.g.
         | keystroke logs and/or screen shots) from the session?
         | 
         | This might trigger some folks but have you explored any options
         | for delivering some or all of the Boundary infrastructure
         | through serverless/faas?
        
           | mitchellh wrote:
           | Yes this is on the roadmap!
        
         | dabeeeenster wrote:
         | Looks interesting! Couple of things:
         | 
         | 1. It's not clear to me how you actually secure the targets? Do
         | you just enable access to the IP address of the controller
         | proxy? In the video you mention a gateway but there's no
         | description of that in the docs?
         | 
         | 2. Is it possible to proxy a web browser session? Or is it
         | limited to individual requests via something like curl at the
         | moment?
        
         | NovemberWhiskey wrote:
         | Hi Mitchell: what's your competitive landscape with Boundary?
         | 
         | When I first looked at the product description, I thought I
         | might be looking at a "zero-trust identity-aware-proxy" sort of
         | thing, but as I read more I got more of the "privileged access
         | management" vibe with more of a focus on controlling access to
         | infrastructure for developers vs. applications for end users.
        
           | newman314 wrote:
           | So I've been casually doing some research into this in the
           | past and was just updating my list so here's what I have so
           | far. If I have missed any, please let me know.
           | 
           | * Azure App Proxy
           | 
           | * Google IAP
           | 
           | * Amazon WorkLink
           | 
           | * Cloudflare Access
           | 
           | * Zscaler Private Access
           | 
           | * Duo Beyond
           | 
           | * Hashicorp Beyond
        
             | hossi wrote:
             | * PrivX by SSH.COM
             | 
             | We provide a lean PAM solution for multi-cloud
             | infrastructure access.
        
             | nielsole wrote:
             | * Teleport https://gravitational.com/teleport/
        
             | all_usernames wrote:
             | Google BeyondCorp?
        
             | [deleted]
        
           | jaquers wrote:
           | https://smallstep.com/
           | 
           | One example. I have been testing smallstep, which puts IDP
           | around ssh (with group management), and also includes a
           | dynamic host catalog (hosts run an agent that phones home to
           | your identity provider).
           | 
           | However, I am very excited about Boundary as it seems to be a
           | much more comprehensive solution.
        
         | TheGuyWhoCodes wrote:
         | Are there any plans or a way to use existing tools? By existing
         | tools I mean winscp or any other tools that use a normal ssh
          | client? RDP etc. I guess for ssh and rdp you can just run the
          | Boundary cli with the predefined target in a terminal
         | embedded into the UI (MremoteNG, MobaXterm etc) but tools like
         | winscp are very much used for sftp file transfers.
         | 
         | A desktop client with a list of services/targets would also be
         | great. Especially for the less technologically inclined
         | individuals.
         | 
         | I know that people have their own opinions on port knocking but
         | I find it as a good tool to remove a lot of noise, some pre
         | built tool for that would be nice but could always just use
         | fwknop-2
        
           | mitchellh wrote:
            | You can do this already. The `boundary connect ssh` stuff is
           | just a convenience. You can spin up a local boundary proxy to
           | anything and just connect anything that speaks TCP over it.
           | This allows you to use all the tools you just named.
           | 
           | A desktop client is on the way, we already have an internal
           | build of parts of it but it requires more work and didn't
           | make it for 0.1.
        
         | lstamour wrote:
         | Given dynamic resource catalogs and dynamic credentials, any
         | plans to integrate dynamic policy engines, such as Open Policy
         | Agent? https://www.openpolicyagent.org
        
           | mitchellh wrote:
           | Yep. This is a little bit further out on the roadmap but yes,
           | we plan on integrating dynamic policy engines.
        
         | LinuxBender wrote:
         | Do you have a video showing a demo of managing a fleet of
         | servers? Does this also address machine-to-machine ssh key
         | trusts? Do you have a contrib repo with existing ansible, chef,
         | puppet scripts to build your cluster and also for deploying
         | agents to machines?
        
         | cratermoon wrote:
         | Over in another thread this was compared to Google's
         | BeyondCorp. Can you comment and compare/contrast Boundary with
         | the concepts of BeyondCorp?
        
           | mitchellh wrote:
           | Boundary can be viewed as an implementation of some of these
           | ideas!
        
         | jolux wrote:
         | I hope this isn't too big of a question but what do you see as
         | the migration path towards these newer "zero trust" access
         | control technologies for organizations that are all in on VPNs
         | and are in a hybrid cloud position?
        
           | jefferai wrote:
           | As you say, it's a big question. But one way to start is by
           | integrating this _within your VPN_ such that network access +
           | credentials alone are not enough. With Boundary you could do
           | this by setting up firewalls on the end hosts to only allow
           | ingress from Boundary worker nodes.
           | 
           | Eventually you can migrate towards Boundary nodes (or similar
           | technologies) being the public ingress instead of a VPN
           | endpoint.
           | 
           | (Edit: clarified that I meant firewalls on the end hosts, not
           | on the VPN or elsewhere in the network.)
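The end-host firewall step jefferai suggests, as an added example that is not Boundary's code or the commenter's: a small policy object that answers "would a new connection to the management port from this source be accepted?" and renders the same policy as an nftables ruleset for the host. The worker addresses, port, table name and the VPN client address used in the usage note are constructed for the example; only IPv4 is handled.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// IngressPolicy allows the managed port to be reached only from the Boundary
// worker nodes. VPN clients may well be on the network, but unless their
// address is listed here the host itself drops their connection attempts,
// so network reachability plus credentials is no longer enough.
type IngressPolicy struct {
	Port    int
	Workers []*net.IPNet
}

// NewIngressPolicy parses the worker addresses (CIDR or single IPv4 address).
func NewIngressPolicy(port int, workers ...string) (*IngressPolicy, error) {
	p := &IngressPolicy{Port: port}
	for _, w := range workers {
		if !strings.Contains(w, "/") {
			w += "/32"
		}
		_, n, err := net.ParseCIDR(w)
		if err != nil {
			return nil, fmt.Errorf("worker %q: %w", w, err)
		}
		p.Workers = append(p.Workers, n)
	}
	return p, nil
}

// Allowed reports whether a new connection from src to the managed port would
// be accepted. Anything unparseable fails closed.
func (p *IngressPolicy) Allowed(src string) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	for _, n := range p.Workers {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// NftRules renders the policy as an nftables ruleset: connections to the port
// from the worker set are accepted, all other connections to that port are
// dropped, and traffic to other ports is left to the host's existing rules.
func (p *IngressPolicy) NftRules() string {
	elems := make([]string, len(p.Workers))
	for i, n := range p.Workers {
		elems[i] = n.String()
	}
	var b strings.Builder
	b.WriteString("table inet boundary_ingress {\n")
	b.WriteString("\tset workers {\n\t\ttype ipv4_addr\n\t\tflags interval\n")
	fmt.Fprintf(&b, "\t\telements = { %s }\n\t}\n", strings.Join(elems, ", "))
	b.WriteString("\tchain input {\n\t\ttype filter hook input priority 0; policy accept;\n")
	fmt.Fprintf(&b, "\t\ttcp dport %d ip saddr @workers accept\n", p.Port)
	fmt.Fprintf(&b, "\t\ttcp dport %d drop\n\t}\n}\n", p.Port)
	return b.String()
}
```

With workers at `10.0.1.0/24` and `192.0.2.7`, a VPN client at `10.8.0.5` that holds valid SSH credentials still gets no TCP handshake on port 22; its only path is through a worker, where the session has to be authorized first. Apply the rendered ruleset with `nft -f` on the host after reviewing it, and keep the worker set in configuration management so it changes in lockstep with the worker fleet.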
        
         | talawahtech wrote:
         | What is used to secure/encrypt the connection between the
         | clients and the workers?
         | 
         | I did a quick search in the GitHub repo for WireGuard and
         | didn't get any results so I guess you aren't using it.
        
         | sytse wrote:
         | This is awesome, thanks for making this. Boundary seems like
         | the missing open source building block to achieve Zero Trust.
         | 
         | Zero Trust means authenticating per application instead of per
         | network. For more context see
         | https://about.gitlab.com/blog/2019/04/01/evolution-of-zero-t...
         | 
         | Proxying connections as Boundary does seems like the most
         | elegant solution to achieve this in a way that doesn't require
         | modifying the application.
        
       ___________________________________________________________________
       (page generated 2020-10-14 23:00 UTC)