Boundary is an identity-aware proxy that provides a simple, secure way to access hosts and critical systems on your network.
With Boundary you can:
Boundary is designed to be straightforward to understand, highly scalable, and resilient. It can run in clouds, on-prem, secure enclaves and more, and does not require an agent to be installed on every end host, making it suitable for access to managed/cloud services and container-based workflows in addition to traditional host systems and services.
For more information, refer to "What is Boundary?" on the Boundary website.
Boundary consists of two server components:

- Controllers, which serve the API and coordinate session requests; and
- Workers, which handle the sessions themselves.

A real-world Boundary installation will likely consist of one or more controllers paired with one or more workers. A single Boundary binary can act in either, or both, of these two modes.
Additionally, Boundary provides a Desktop client and CLI for end-users to request and establish authorized sessions to resources across a network.
Boundary does not require software to be installed on your hosts and services.
Boundary has two external dependencies:

- A SQL database; and
- One or more KMSes.

The database contains Boundary's configuration and session information. The controller nodes must be able to access the database; workers do not need to.

Values that are secrets (e.g. credentials) are encrypted in the database. Currently, PostgreSQL is the supported database and has been tested with Postgres 12 and above. Boundary uses only common extensions, and both hosted and self-managed instances are supported. In most instances, all that you need is a database endpoint and the appropriate credentials.

Boundary uses KMS keys for various purposes, such as protecting secrets, authenticating workers, recovering data, encrypting values in Boundary's configuration, and more. Boundary uses key derivation extensively so that a small number of high-value KMS keys can protect everything else without key sprawl.

You can use any cloud KMS or Vault's Transit Secrets Engine to satisfy the KMS requirement.
Running Boundary in a more permanent context requires a few more steps, such as writing some simple configuration files to tell the nodes how to reach their database and KMS. The steps below, along with the extra information needed for permanent installations, are detailed in our Installation Guide.
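The configuration files mentioned above look like the following. This controller configuration is an added example written for this page in the HCL format Boundary's configuration reference describes; it is not a file from the Boundary repository. The listener addresses, certificate paths, Vault address, `key_name` and the sample `key` values are placeholders and must be replaced with your own.

```hcl
# controller.hcl: example Boundary controller configuration (illustration
# only, not the project's own file; every address, path and key below is a
# placeholder).

# Boundary mlocks its memory so secrets are not swapped to disk. Disable this
# only on hosts where swap is off or encrypted; otherwise leave it false and
# grant the binary cap_ipc_lock instead.
disable_mlock = false

controller {
  # Must be unique across all controllers sharing one database.
  name        = "controller-1"
  description = "Example controller"

  # How to reach PostgreSQL. "env://" reads the URL from an environment
  # variable so the credentials are not written into this file; "file://"
  # and a literal "postgresql://user:pass@host:5432/boundary" URL also work.
  database {
    url = "env://BOUNDARY_PG_URL"
  }
}

# API listener: what the CLI, desktop client and admin UI talk to.
listener "tcp" {
  address       = "0.0.0.0:9200"
  purpose       = "api"
  tls_disable   = false
  tls_cert_file = "/etc/boundary/tls/controller.crt"
  tls_key_file  = "/etc/boundary/tls/controller.key"
}

# Cluster listener: workers connect here to coordinate with controllers.
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

# Root key: the top of Boundary's key-derivation hierarchy. An inline "aead"
# wrapper keeps the key in this file, which is fine for a lab; in production
# use a cloud KMS or Vault Transit so the root key never sits on disk.
kms "aead" {
  purpose   = "root"
  aead_type = "aes-gcm"
  # 32 random bytes, base64-encoded (for example `openssl rand -base64 32`).
  # Sample value; generate your own.
  key    = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  key_id = "global_root"
}

# The same purpose backed by Vault's Transit Secrets Engine instead of an
# inline key (uncomment and remove the aead "root" block above). The Vault
# token may be given here or via the VAULT_TOKEN environment variable.
# kms "transit" {
#   purpose     = "root"
#   address     = "https://vault.example.internal:8200"
#   key_name    = "boundary-root"
#   mount_path  = "transit/"
#   tls_ca_cert = "/etc/boundary/tls/vault-ca.pem"
# }

# Worker-auth key: every worker must carry an identical stanza to authenticate
# to the cluster listener. Use a key distinct from the root key.
kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  key_id    = "global_worker-auth"
}

# Recovery key: lets an operator with access to this key act on Boundary
# without a user token (e.g. to bootstrap the first auth method). Treat it
# as a break-glass credential and keep it out of the controller host if you
# can use an external KMS for it.
kms "aead" {
  purpose   = "recovery"
  aead_type = "aes-gcm"
  key       = "jP5Q8xLkNQ9mZ0Vf2bC1Tq7wHs3yRd6uEa4gKo8iXnY="
  key_id    = "global_recovery"
}
```

Initialize the database once with `boundary database init -config controller.hcl` (this also prints the generated initial auth method and credentials), then run `boundary server -config controller.hcl`. A worker's configuration points `initial_upstreams` at the cluster listener above and repeats the `worker-auth` kms stanza verbatim; anything else that must be secret in either file can be wrapped with Boundary's `config encrypt` command, which uses a kms block with `purpose = "config"`.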
⚠️ Do not use the `main` branch except for dev or test cases. Boundary 0.10 introduced release branches which should be safe to track; however, migrations in `main` may be renumbered if needed. The Boundary team will not be able to provide assistance if running `main` over the long term results in migration breakages or other bugs.

Download the latest release of the server binary and appropriate desktop client(s) from our downloads page.
Boundary has a `dev` mode that you can use for testing. In `dev` mode, you can start both a controller and worker with a single command, and they have the following properties:
If you meet the following local requirements, you can quickly get up and running with Boundary:
Simply run:

```shell
make install
```

This will build Boundary. (The first time this is run it will fetch and compile UI assets, which will take a few extra minutes.) Once complete, run Boundary in `dev` mode:

```shell
$GOPATH/bin/boundary dev
```
Please note that development may require other tools; to install the set of tools at the versions used by the Boundary team, run:

```shell
make tools
```

Without doing so, you may encounter errors while running `make install`. It is important to also note that using `make tools` will install various tools used for Boundary development to the normal Go binary directory; this may overwrite or take precedence over tools that might already be installed on the system.
Start the server binary with:

```shell
boundary dev
```

This will start a Controller service listening on http://127.0.0.1:9200 for incoming API requests and a Worker service listening on http://127.0.0.1:9202 for incoming session requests. It will also create various default resources and display various useful pieces of information, such as a login name and password that can be used to authenticate. Note that both listeners are plain HTTP bound to the loopback interface and the admin password is printed to the terminal; `dev` mode is meant for a local workstation, not for anything reachable by other machines.
For a simple test of Boundary in `dev` mode you don't generally need to configure any resources at all! But it's useful to understand what `dev` mode did for you so you can then take further steps. By default, `dev` mode will create:

- The `global` Scope for initial authentication, containing a Password-type Auth Method, along with an Account for login.
- An organization Scope under `global`, and a project Scope inside the organization.
- A Host Catalog with a default Host Set, which itself contains a Host with the address of the local machine (127.0.0.1).
- A Target mapping the Host Set to a set of connection parameters, with a default port of 22 (e.g. SSH).

You can go into Boundary's web UI or use its API to change these default values, for instance if you want to connect to a different host or need to modify the port on which to connect.
Next, let's actually make a connection to your local SSH daemon via Boundary:

1. Authenticate. Using the default `dev` values, this would be `boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin -password password`. (Note that if you do not include the `-password` flag you will be prompted for it, which also keeps the password out of your shell history.)
2. Run `boundary connect ssh -target-id ttcp_1234567890`. If you want to adjust the username, pass `-username <name>` to the command.

Check out the possibilities for target configuration to test out limiting (or increasing) the number of connections per session or setting a maximum time limit; try canceling an active session from the sessions page or via `boundary sessions`, make your own commands with `boundary connect -exec`, and so on.
This example is a simple way to get started but omits several key steps that could be taken in a production context:
Please note: We take Boundary's security and our users' trust very seriously. If you believe you have found a security issue in Boundary, please responsibly disclose by contacting us at security@hashicorp.com.
Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance.