Describe the bug

When deleting old stale but still active sessions Boundary reports the following error from the controller

2021-03-31T22:21:52.261Z [ERROR] controller: error performing termination of completed sessions: error="session.(Repository).TerminateCompletedSessions: db.DoTx: session.(Repository).TerminateCompletedSessions: db.Exec: duplicate key value violates unique constraint "session_state_session_id_end_time_key": unique constraint violation: 

To Reproduce Steps to reproduce the behavior:

1. Open several sessions to the same target
2. I think let the session timeout due to OS sleep or similar - I left a session or two open and my Mac went to sleep
3. Session apparently remains active even though the terminal process is no long running but unable to be deleted from

Expected behavior

Sessions should be cancellable without a dependency violation

Additional context

I attempt to remove the session via the Boundary desktop application and CLI with same result

The session I tried to cancel has long since been closed from the client but has remained stuck here

From the CLI same error is presented

➜  ~ boundary sessions cancel -id s_tURbHPlAvP
Error from controller when performing cancel on session:
Error information:
  Kind:                InvalidArgument
  Message:             Invalid request.  Request attempted to make second resource with the same field value that must be unique.
  Status:              400
➜  ~

Boundary CLI version

Version information:
  Git Revision:        bc565922fbd3a18c9f6a22cd2e80a93df0d7cd45
  Version Number:      0.1.7

Boundary Server Version

/ $ boundary version

Version information:
  Git Revision:        c0f33f982c87c0eb4127cb16cf06b03a37b91dbd
  Version Number:      0.1.8

/ $

I am running Boundary server in Docker on Kubernetes backed by Postgres

Describe the bug Sessions are displayed as active in the webui and cli and stay active after cancelling the connection.

To Reproduce

1. Create a connection
2. Shutdown boundary with connection still active
3. Start boundary(usually the next day)
4. Connection is still displayed in the view way beyond it's TTL

Expected behavior For the connection to be closed when boundary is shut downed and no longer displayed as active. And be able to cancel the connecting without it popping back up.

Additional context The way we have boundary setup currently, it's shutdown at the end of day so my guess is this is what is causing the issues.

So I'm having this issue currently with multiple sessions and have seen the issue come back several times. Only way i've found to "fix" this is to reinitialize the db which i would like to avoid.

boundary sessions read -id s_0P4gIy6IG6

Session information:
  Auth Token ID:        at_7c30sq3trl
  Created Time:         Thu, 21 Jan 2021 16:03:07 CET
  Endpoint:             tcp://url
  Expiration Time:      Fri, 22 Jan 2021 00:03:07 CET
  Host ID:              hst_GojaoqThFC
  Host Set ID:          hsst_3snDcq1TsV
  ID:                   s_0P4gIy6IG6
  Status:               terminated
  Target ID:            ttcp_p2xUpl4ZHU
  Termination Reason:   canceled
  Type:                 tcp
  Updated Time:         Fri, 29 Jan 2021 12:14:40 CET
  User ID:              u_TWZ6052pWZ
  Version:              31

  Scope:
    ID:                 p_j3z93Fl705
    Name:               test
    Parent Scope ID:    o_c4HqJ42HzW
    Type:               project

  States:
    Start Time:         Thu, 21 Jan 2021 16:04:17 CET
    Status:             terminated

    End Time:           Thu, 21 Jan 2021 16:04:17 CET
    Start Time:         Thu, 21 Jan 2021 16:03:11 CET
    Status:             canceling

    End Time:           Thu, 21 Jan 2021 16:03:11 CET
    Start Time:         Thu, 21 Jan 2021 16:03:08 CET
    Status:             active

    End Time:           Thu, 21 Jan 2021 16:03:08 CET
    Start Time:         Thu, 21 Jan 2021 16:03:07 CET
    Status:             pending

And for a list in the scope i get the following output

boundary sessions list -scope-id p_j3z93Fl705 | grep -A 6 s_0P4gIy6IG6
  ID:                 s_0P4gIy6IG6
    Status:           canceling
    Created Time:     Thu, 21 Jan 2021 16:03:07 CET
    Expiration Time:  Fri, 22 Jan 2021 00:03:07 CET
    Updated Time:     Fri, 29 Jan 2021 12:14:40 CET
    User ID:          u_TWZ6052pWZ
    Target ID:        ttcp_p2xUpl4ZHU
--
  ID:                 s_0P4gIy6IG6
    Status:           terminated
    Created Time:     Thu, 21 Jan 2021 16:03:07 CET
    Expiration Time:  Fri, 22 Jan 2021 00:03:07 CET
    Updated Time:     Fri, 29 Jan 2021 12:14:40 CET
    User ID:          u_TWZ6052pWZ
    Target ID:        ttcp_p2xUpl4ZHU
--
  ID:                 s_0P4gIy6IG6
    Status:           pending
    Created Time:     Thu, 21 Jan 2021 16:03:07 CET
    Expiration Time:  Fri, 22 Jan 2021 00:03:07 CET
    Updated Time:     Fri, 29 Jan 2021 12:14:40 CET
    User ID:          u_TWZ6052pWZ
    Target ID:        ttcp_p2xUpl4ZHU
--
  ID:                 s_0P4gIy6IG6
    Status:           active
    Created Time:     Thu, 21 Jan 2021 16:03:07 CET
    Expiration Time:  Fri, 22 Jan 2021 00:03:07 CET
    Updated Time:     Fri, 29 Jan 2021 12:14:40 CET
    User ID:          u_TWZ6052pWZ
    Target ID:        ttcp_p2xUpl4ZHU

Cancelling the session has no effect in the cli or through the web ui and this is how it looks in the webui. When i press cancel all 4 close for a small second and pop right back up. There is still a username and target displayed in the image below

So i also went and checked in the db and saw the following while only 1 or 2 sessions at max should be active.

select count(*) from session_state where state = 'active';
 count 
-------
    98
(1 row)

Also saw this issue in version 0.1.2

boundary -version

Version information:
  Git Revision:        b5d84495a33b72a3139bd224d3cfcd4cbaad7b98
  Version Number:      0.1.3

@jefferai taking conversation here with Katakoda issue as well I am in process of writing a blog on neat installation steps for Ubuntu/Centos There are few things that do not seem to work and if I can get them resolved then we can have a neat install step which can be helpful for others in the community as well I believe

I am planning to tell on 3 environments bare centos 7 VM , Ubuntu 18.04 Vm and katakoda ubuntu playground

For Ubuntu I have bellow error s:

boundary authenticate password -auth-method-id=ampw_1234567890 \
>     -login-name=admin -password=password
Error reading auth token from system credential store: exec: "dbus-launch": executable file not found in $PATH

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:17:30 BST
  Token:
  at_h1qSNMdB1c_s125wLmVW7LgzNKf1TFeNrFDRUZNcR2qeWkNyjZ7Qd6E2DWGsyPT9KmPKZkxBaQps7JKkbeeoJEwt7xXMyR6YKjEkqbrFWcsCdXm8rYgqjsFJwUYS2WBFbNh2
  User ID:         u_1234567890
Error saving auth token to system credential store: exec: "dbus-launch": executable file not found in $PATH

Installed dbus

apt install dbus-x11

boundary authenticate password -auth-method-id=ampw_1234567890     -login-name=admin -password=password
Error reading auth token from system credential store: The name org.freedesktop.secrets was not provided by any .service files

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:19:18 BST
  Token:
  at_VqoR4tBhxy_s18pG3buSH7fMcBVL1YP14NXipTgeg4Jm9aVd3WXL2WCpUvqs8xnCwnNC7D41zejxUfRYhJPGMvCcp1mbN1q9cPyM5AAJRvakFGQUNLC5ZjiyyoTuic4ZpoQUmu9XXtC2YY2u9BTdJDg8
  User ID:         u_1234567890
Error saving auth token to system credential store: The name org.freedesktop.secrets was not provided by any .service files

Next installed

sudo apt-get install -y gnome-keyring

boundary authenticate password -auth-method-id=ampw_1234567890     -login-name=admin -password=password
Error reading auth token from system credential store: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:21:00 BST
  Token:
  at_7y54bPBIDx_s13PefhTbtKamPce8iph3t8HMK85nJWEBh9n2JXCk6oiWQ9K9qusfJDx6TEJPLoGo8GPqbawpLAxtMgk9aS5wyzr3S6qVgMG7S939K93pUXLffE7a5KXdwAc464p42rV2
  User ID:         u_1234567890
Error saving auth token to system credential store: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'

ok Katakoda after the documentation steps

apt install dbus-x11

boundary authenticate password -auth-method-id=ampw_1234567890 \
>     -login-name=admin -password=password
panic: runtime error: slice bounds out of range [237:151]

goroutine 1 [running]:
github.com/godbus/dbus.getSessionBusPlatformAddress(0x17d1fc7, 0x18, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/[email protected]+incompatible/conn_other.go:30 +0x295
github.com/godbus/dbus.getSessionBusAddress(0x0, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/[email protected]+incompatible/conn.go:96 +0xf8
github.com/godbus/dbus.SessionBusPrivate(0x0, 0x40d900, 0xc0003f5c80)
        /root/go/pkg/mod/github.com/godbus/[email protected]+incompatible/conn.go:101 +0x25
github.com/godbus/dbus.SessionBus(0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/[email protected]+incompatible/conn.go:73 +0xb5
github.com/zalando/go-keyring/secret_service.NewSecretService(0x7, 0x1b, 0x7)
        /root/go/pkg/mod/github.com/zalando/[email protected]/secret_service/secret_service.go:50 +0x26
github.com/zalando/go-keyring.secretServiceProvider.Get(0x17dc55a, 0x1d, 0x17b78d7, 0x7, 0x0, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/zalando/[email protected]/keyring_linux.go:78 +0x59
github.com/zalando/go-keyring.Get(...)
        /root/go/pkg/mod/github.com/zalando/[email protected]/keyring.go:32
github.com/hashicorp/boundary/internal/cmd/base.(*Command).ReadTokenFromKeyring(0xc0003cb080, 0x17b78d7, 0x7, 0x7)
        /go/internal/cmd/base/base.go:232 +0x77
github.com/hashicorp/boundary/internal/cmd/base.(*Command).Client(0xc0003cb080, 0xc0005dfbe8, 0x2, 0x2, 0x0, 0x0, 0x44aad5)
        /go/internal/cmd/base/base.go:217 +0x389
github.com/hashicorp/boundary/internal/cmd/commands/authenticate.(*PasswordCommand).Run(0xc000501440, 0xc00003a210, 0x3, 0x3, 0xc0000aae40)
        /go/internal/cmd/commands/authenticate/password.go:116 +0x136
github.com/mitchellh/cli.(*CLI).Run(0xc000498640, 0xc000498640, 0xc0000abce0, 0xc0000aada0)
        /root/go/pkg/mod/github.com/mitchellh/[email protected]/cli.go:262 +0x1cf
github.com/hashicorp/boundary/internal/cmd.RunCustom(0xc00003a1f0, 0x5, 0x5, 0xc0005dfe60, 0xc00007c058)
        /go/internal/cmd/main.go:186 +0x846
github.com/hashicorp/boundary/internal/cmd.Run(...)
        /go/internal/cmd/main.go:92
main.main()
        /go/cmd/boundary/main.go:13 +0xda

Not sure if anyone else has had this problem, but i haven't found the exact same one in here.

Describe the bug It seems like when trying to add managed-groups as principals in roles, it doesn't actually grant the users in said groups any rights. My guess is that it's because the managed-groups use the account objects and not the user objects.

To Reproduce Steps to reproduce the behavior:

1. setup boundary with an oidc
2. set the oidc to map users with managed-groups
3. add managed-groups as principals in roles
4. login with oidc and confirm that the user is actually in said managed group (probably with an admin user)
5. not being able to do anyting with the oidc-user

Expected behavior i would expect the user to have the grants from the role it's supposed to have and be able to do the things that it's allowed

Additional context if I explicitly add the user object or a normal group as a principle in the role, it works as expected. it's only a problem with managed groups

Describe the bug

In one of my use cases for boundary, I use it to allow terraform to connect to database servers to configure them, using

boundary connect -target-id $target_id -host-id "$host_id -listen-port=35567

When running terraform, there are many connections, and after a few seconds I start getting errors from the boundary agent

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    -1
  Expiration:          Sat, 13 Aug 2022 16:58:49 CEST
  Port:                35567
  Protocol:            tcp
  Session ID:          s_vDI8YXc0xj
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"
error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session"

Running single sessions works fine, and running terraform with parallism 1 can work together with target.

I've also tried to re-initialize the database, no change.

To Reproduce Steps to reproduce the behavior:

1. Run boundary connect -target-id $target_id -host-id "$host_id -listen-port=XX
2. Run many simultaneous connections against the listen port
3. See error

Expected behavior The boundary agent is able to serve the connections. This worked fine with 0.9.1.

Additional context worker.log controller.log

Hi i updated (0.10.0) via yum but am unable to start the service without a db migration which fails:

[root@bastion01 ~]# boundary database migrate -config /etc/boundary.hcl 
{"id":"2wDjWNR1F5","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"configuring client automatic mTLS"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.01721969+02:00"}
{"id":"zmK1HzTdgk","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","args":["/tmp/198135332/boundary-plugin-host-aws.gz"],"msg":"starting plugin","path":"/tmp/198135332/boundary-plugin-host-aws.gz"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.040366907+02:00"}
{"id":"CDl5AezqRk","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"plugin started","path":"/tmp/198135332/boundary-plugin-host-aws.gz","pid":2843753}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.041835792+02:00"}
{"id":"23Fd4tBi8l","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"waiting for RPC address","path":"/tmp/198135332/boundary-plugin-host-aws.gz"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.041967976+02:00"}
{"id":"t2UtSbEwlT","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws.boundary-plugin-host-aws.gz","msg":"configuring server automatic mTLS","timestamp":"2022-08-11T12:12:27.048+0200"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.051652254+02:00"}
{"id":"oAFr5Fgykl","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"using plugin","version":1}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.071383708+02:00"}
{"id":"cPch05q4rO","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws.boundary-plugin-host-aws.gz","address":"/tmp/plugin4191081567","msg":"plugin address","network":"unix","timestamp":"2022-08-11T12:12:27.071+0200"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.071556204+02:00"}
{"id":"IQmjeYTzm2","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws.stdio","msg":"waiting for stdio data"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.101386232+02:00"}
{"id":"2wskOah8s5","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws.stdio","err":{},"msg":"received EOF, stopping recv loop"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.10232096+02:00"}
{"id":"ocWb3s6n5R","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"plugin process exited","path":"/tmp/198135332/boundary-plugin-host-aws.gz","pid":2843753}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.103074512+02:00"}
{"id":"s5swA4wAOW","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent","data":{"@original-log-level":"none","@original-log-name":"aws","msg":"plugin exited"}},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.103160544+02:00"}
{"id":"Nno42OYF7f","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).Run: migration failed, on line 0: -- drop constraint so we can migrate enm values\n  alter table credential_purpose_enm\n    drop constraint only_predefined_credential_purposes_allowed;\n\n  -- update egress to injected_application\n  update credential_purpose_enm\n     set name = 'injected_application'\n   where name = 'egress';\n\n  -- update application to brokered\n  update credential_purpose_enm\n     set name = 'brokered'\n   where name = 'application';\n\n  -- delete ingress as it will no longer be used\n  delete from credential_purpose_enm\n   where name = 'ingress';\n\n  -- Add new constraint that only allows 'brokered' and new 'injected_application'\n  -- This replaces the constraint defined in 10/03_credential.up.sql\n  alter table credential_purpose_enm\n    add constraint only_predefined_credential_purposes_allowed\n      check (\n        name in (\n          'brokered',\n          'injected_application'\n        )\n      );\n\n  -- update comment on table   \n  comment on table credential_purpose_enm is\n    'credential_purpose_enm is an enumeration table for credential purposes. '\n    'It contains rows for representing the brokered, and injected_application credential purposes.';: immutable column: target_credential_library.credential_purpose: integrity violation: error #1003","error_fields":{"Code":1003,"Msg":"migration failed, on line 0: -- drop constraint so we can migrate enm values\n  alter table credential_purpose_enm\n    drop constraint only_predefined_credential_purposes_allowed;\n\n  -- update egress to injected_application\n  update credential_purpose_enm\n     set name = 'injected_application'\n   where name = 'egress';\n\n  -- update application to brokered\n  update credential_purpose_enm\n     set name = 'brokered'\n   where name = 'application';\n\n  -- delete ingress as it will no longer be used\n  delete from credential_purpose_enm\n   where name = 'ingress';\n\n  -- Add new constraint that only allows 'brokered' and new 'injected_application'\n  -- This replaces the constraint defined in 10/03_credential.up.sql\n  alter table credential_purpose_enm\n    add constraint only_predefined_credential_purposes_allowed\n      check (\n        name in (\n          'brokered',\n          'injected_application'\n        )\n      );\n\n  -- update comment on table   \n  comment on table credential_purpose_enm is\n    'credential_purpose_enm is an enumeration table for credential purposes. '\n    'It contains rows for representing the brokered, and injected_application credential purposes.';","Op":"postgres.(Postgres).Run","Wrapped":{"Code":1003,"Msg":"immutable column: target_credential_library.credential_purpose","Op":"","Wrapped":null}},"id":"e_ITVsq4g33K","version":"v0.1","op":"postgres.(Postgres).Run"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.25653352+02:00"}
{"id":"dduUrQgYgk","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}},"id":"e_OYx6YX3oBy","version":"v0.1","op":"postgres.(Postgres).setVersion"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.257584522+02:00"}
{"id":"yFj9uY26zn","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).Run: postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).Run","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}}},"id":"e_Oc5hNYhcUn","version":"v0.1","op":"postgres.(Postgres).Run"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.257765962+02:00"}
{"id":"otuSOfK0Db","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}},"id":"e_itYS9l1kig","version":"v0.1","op":"postgres.(Postgres).setVersion"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.26063903+02:00"}
{"id":"wetyQK73aN","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).Run: postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).Run","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}}},"id":"e_QkJ8a49xcq","version":"v0.1","op":"postgres.(Postgres).Run"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.260748373+02:00"}
{"id":"UESUdcMi6l","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}},"id":"e_aBY8cQsfUs","version":"v0.1","op":"postgres.(Postgres).setVersion"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.261316739+02:00"}
{"id":"KvNQYjqHyf","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).Run: postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).Run","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}}},"id":"e_bCTn5FgDB7","version":"v0.1","op":"postgres.(Postgres).Run"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.261424296+02:00"}
{"id":"GahOotjFvq","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}},"id":"e_SEu1J9TTXn","version":"v0.1","op":"postgres.(Postgres).setVersion"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.261976942+02:00"}
{"id":"8eAn8OrZ3r","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).Run: postgres.(Postgres).setVersion: unknown, unknown: error #0: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02)","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).Run","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).setVersion","Wrapped":{"Severity":"ERROR","Code":"25P02","Message":"current transaction is aborted, commands ignored until end of transaction block","Detail":"","Hint":"","Position":0,"InternalPosition":0,"InternalQuery":"","Where":"","SchemaName":"","TableName":"","ColumnName":"","DataTypeName":"","ConstraintName":"","File":"postgres.c","Line":1682,"Routine":"exec_bind_message"}}},"id":"e_lZfs3GrCCq","version":"v0.1","op":"postgres.(Postgres).Run"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.262075142+02:00"}
{"id":"D6o4CefzYs","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"postgres.(Postgres).CommitRun: unknown, unknown: error #0: commit unexpectedly resulted in rollback","error_fields":{"Code":0,"Msg":"","Op":"postgres.(Postgres).CommitRun","Wrapped":{}},"id":"e_o03IUjjptB","version":"v0.1","op":"postgres.(Postgres).CommitRun"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.262512893+02:00"}
{"id":"USAzmI1SlQ","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"schema.(Manager).runMigrations: postgres.(Postgres).CommitRun: unknown, unknown: error #0: commit unexpectedly resulted in rollback","error_fields":{"Code":0,"Msg":"","Op":"schema.(Manager).runMigrations","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).CommitRun","Wrapped":{}}},"id":"e_K49SmgeJg9","version":"v0.1","op":"schema.(Manager).runMigrations"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.262633846+02:00"}
{"id":"s2nSM2tcpB","source":"https://hashicorp.com/boundary/bastion01.prd.TLD/boundary-database-migrate","specversion":"1.0","type":"error","data":{"error":"schema.(Manager).ApplyMigrations: schema.(Manager).runMigrations: postgres.(Postgres).CommitRun: unknown, unknown: error #0: commit unexpectedly resulted in rollback","error_fields":{"Code":0,"Msg":"","Op":"schema.(Manager).ApplyMigrations","Wrapped":{"Code":0,"Msg":"","Op":"schema.(Manager).runMigrations","Wrapped":{"Code":0,"Msg":"","Op":"postgres.(Postgres).CommitRun","Wrapped":{}}}},"id":"e_BePmsLN7N2","version":"v0.1","op":"schema.(Manager).ApplyMigrations"},"datacontentype":"application/cloudevents","time":"2022-08-11T12:12:27.262714839+02:00"}
Error running database migrations: schema.(Manager).ApplyMigrations: schema.(Manager).runMigrations: postgres.(Postgres).CommitRun: unknown, unknown: error #0: commit unexpectedly resulted in rollback

i am able to revert to 0.91 and start the service but then replacing the binary with 0.10 i get the above again

Is your feature request related to a problem? Please describe. Reaching targets that are in environments where a worker can't be deployed, or the target refuses all inbound connections (even SSH) and uses a reverse tunnel to allow connection.

Describe the solution you'd like Either the ability to connect to other client machines as a valid target or to configure target hosts to connect to the worker (instead of worker to target).

Explain any additional use-cases A very specific example is a host managed by a vendor that is deployed to a customer network. In order to manage the device the vendor must be able to connect to the host, but customer networks can change and tend to block inbound connections, especially if the host is placed behind a DMZ.

Describe the bug Using dynamic host sets (AWS specifically, haven't tried the Azure one yet) in a large environment results in the following error:

{"id":"<REDACTED>","source":"https://hashicorp.com/boundary/4466e4d3c372/controller","specversion":"1.0","type":"error","data":{"error":"rpc error: code = Unknown desc = error running DescribeInstances for host set id \"<REDACTED>\": SerializationError: failed decoding EC2 Query response\n\tstatus code: 200, request id: 55f65e01-476e-4b4d-93b0-9e38b419b445\ncaused by: context deadline exceeded (Client.Timeout or context cancellation while reading body)","error_fields":{},"id":"<REDACTED>","version":"v0.1","op":"plugin.(SetSyncJob).syncSets","info":{"catalog id":"<REDACTED>","msg":"listing hosts"}},"datacontentype":"application/cloudevents","time":"2022-06-21T08:40:33.258736566Z"}

We tried splitting it into multiple host sets with different filters, still some queries timed out. The biggest dynamic host sets we managed to produce were around 300 hosts. Some queries should've returned less hosts but timed out as well so host count might not be the only factor here.

To Reproduce

1. Create a dynamic host catalog and a host set with the instance-state-name=running filter to fetch all running EC2 instances within an environment containing 1000s of instances
2. Tail the controller log
3. See error mentioned above

Expected behavior All running EC2 instances should be populated under the host set / catalog.

Additional context Boundary version: 0.9 Setup: Docker on EC2 VMs

Looking at the AWS plugin code it seems the DescribeInstances call uses the default HTTP client with the default timeout config. We're suggesting exposing some config to control the timeout of such calls.

We opened a similar issue for the AWS plugin repo as it might require changes in both repos.

disclaimers:

• im on a mac
• im on a m1 mac
• i was actively developing with go but have taken 2-4 years off day to day go– i may be just outta tune with the "go way"

Is your feature request related to a problem? Please describe. current makefile has ~/.go/bin/go test which assumes my go is installed there...

the official golang.org instructions puts the go bin at /usr/local/go/bin/go. i have also used brew for go in the past which puts it somewhere else (where... i don't remember).

my guess is the main team on this repo uses a tool im not familiar with that installs go at ~/.go/bin/go. that makes me think ya'll have a tool with rbenv vibes... i'd be very into that. the go ecosystem in the past has forced me to use the whole GOPATH thing and that doesn't really fit my normal ~/code/... project structure.

something as simple as a list of tools/setup tips from the core team would be gr8.

Describe the solution you'd like md docs on how to get dev setup running for generic mac and linux. (personally i would love m1 mac specific section but thats a "me problem"...)

Describe alternatives you've considered installing/symlinking go at/to ~/.go/bin/go.

Explain any additional use-cases n/a

Additional context

• i tried to follow this repo's aws instructions on building a boundary binary: https://github.com/hashicorp/boundary-reference-architecture/tree/main/deployment/aws#deploy
• • i had to install gox using google fu and stackoverflow trolling (could very well be my fault on this one...)
• • UI step kept failing:

➜  boundary git:(main) XC_OSARCH=linux/amd64 make dev
==> UI assets found, use build-ui target to update
==> Building Boundary with dev and UI features enabled
==> Removing old directory...
==> Building...
Number of parallel builds: 7

-->     linux/amd64: github.com/hashicorp/boundary/cmd/boundary

1 errors occurred:
--> linux/amd64 error: exit status 1
Stderr: internal/ui/assets.go:15:12: pattern .tmp/boundary-ui/ui/admin/dist: no matching files found

make: *** [dev] Error 1

my goal with this issue is to dialog with core team and other looky-loo-would-be-contribs to enhance existing code contrib/dev guides.

This PR adds generated API documentation at the /api-docs route, using a component that leverages the Swagger file at internal/gen/controller.swagger.json.

make dev requires build-ui which executes a script that requires go-bindata binary that isn't installed without executing make tools. This pr ensures the tools make target is executed first.

Bumps json5 and tsconfig-paths. These dependencies needed to be updated together. Updates json5 from 2.2.0 to 2.2.3

Updates tsconfig-paths from 3.11.0 to 3.14.1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

base branch needs to be updated to llb-vault-ssh-cert-injection (once created)

• refactor vault.(issueCredentialLibrary).retrieveCredential to no longer use session id
• remove dynamicCred's insertQuery and updateSessionQuery functions
• update TestRepository_IssueCredentials to perform db lookup for issued credentials

Hi @irenarindos, thanks for helping. I think i was able to find the root cause, it seems to be caused by Boundary-Desktop UI. When using the boundary.exe binary everything works as expected.

Should we track this bug in a new issue?

Steps to reproduce (working):

1. Extract boundary-desktop_1.5.0_windows_amd64
2. open powershell and switch to boundary-desktop_1.5.0_windows_amd64\Boundary\resources\app\cli
3. get a token .\boundary.exe authenticate password -login-name=user -auth-method-id=ampw_xxx -addr=https://boundary.domain.at/
4. connect to target .\boundary.exe connect -addr=https://boundary.domain.at -target-id=ttcp_xxx

Steps to reproduce (not working):

1. Open Boundary-Desktop
2. Login
3. Switch to Targets
4. Click Connect
5. Enter the connection string (localhost + random port) in your application (for example database management tool) & start the application
6. Boundary terminates the connection and application get a timeout

Originally posted by @tritonblaster in https://github.com/hashicorp/boundary/issues/2362#issuecomment-1363893528

Enable faster authentication workflows on the Boundary CLI. This PR allows short-hand usage of boundary authenticate with a primary auth method is set in the global scopes. This PR also modifies the password sub command to read in the login name. This is a requirement in order to get around flag rewriting between boundary authenticate and the password and oidc sub commands.

Here are a few examples:

Using the Primary Auth Method in Global Scope

boundary authenticate

Using the Primary Auth Method in a passed in scope:

boundary authenticate password -scope-id o_1234567890

Using flags to set the password login name and password (traditional)

boundary authenticate password -login-name foo -password $Up3r$3cure

Using a Specific Auth Method ID (traditional)

Password:

boundary authenticate password -login-name user -auth-method-id ampw_1234567890

OIDC:

boundary authenticate oidc -auth-method-id amoidc_1234567890

A few other notes:

• If both auth method and scope ID flags are used, the auth method is preferred.
• Flag usage is not allowed with boundary authenticate: if you prefer to pass your login name and/or password using flags for the password sub command, use boundary authenticate password ...
• These changes are compatible with existing CLI usage, there are no breaking changes to existing usage.