hashicorp
diff --git a/‎content/boundary/v0.1.x/content/docs/api-clients/api.mdx‎
Lines changed: 80 additions & 0 deletions b/‎content/boundary/v0.1.x/content/docs/api-clients/api.mdx‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎content/boundary/v0.1.x/content/docs/api-clients/cli.mdx‎
Lines changed: 188 additions & 0 deletions b/‎content/boundary/v0.1.x/content/docs/api-clients/cli.mdx‎
Lines changed: 188 additions & 0 deletions
diff --git a/‎content/boundary/v0.1.x/content/docs/api-clients/desktop.mdx‎
Lines changed: 79 additions & 0 deletions b/‎content/boundary/v0.1.x/content/docs/api-clients/desktop.mdx‎
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: API
+sidebar_title: API
+description: |-
+  Boundary's HTTP API standards
+---
+
+# API
+
+Boundary's API is a a JSON-based HTTP API that adheres to a set of standards that are rigidly followed. At its core, it is a standards-compliant JSON API for both input and output.
+
+Before reading this page, it is useful to understand Boundary's [domain model](/docs/concepts/domain-model) to be aware of the terminology used here.
+
+Boundary's API is also described via OpenAPI v2; the version corresponding to any tag of Boundary's source code can be found in Boundary's [GitHub repository](https://github.com/hashicorp/boundary/blob/main/internal/gen/controller.swagger.json).
+
+Boundary's current API version is 1; all API paths begin with `/v1/`.
+
+## Status Codes
+
+- `2XX`: Boundary returns a code between `200` and `299` on success. Generally this is `200`, but implementations should be prepared to accept any `2XX` status code as indicating success. If a call returns a `2XX` code that is not `200`, it will follow well-understood semantics for those status codes.
+- `400`: Boundary returns `400` when a command cannot be completed due to invalid user input, except for a properly-formatted identifier that does not map to an existing resource, which will return a `404` as discussed below.
+- `401`: Boundary returns `401` if no authentication token is provided or if the provided token is invalid. A valid token that simply does not have permission for a resource will return a `403` instead. A token that is invalid or missing, but where the anonymous user (`u_anon`) is able to successfully perform the action, will not return a `401` but instead will return the result of the action.
+- `403`: Boundary returns `403` if a provided token was valid but does not have the grants required to perform the requested action.
+- `404`: Boundary returns `404` if a resource cannot be found. Note that this happens _prior_ to authentication/authorization checking in nearly all cases as the resource information (such as its scope, available actions, etc.) is a required part of that check. As a result, an action against a resource that does not exist will return a `404` instead of a `401` or `403`. While this could be considered an information leak, since IDs are randomly generated and this only discloses whether an ID is valid, it's tolerable as it allows for far simpler and more robust client implementation.
+- `405`: Boundary returns a `405` to indicate that the method (HTTP verb or custom action) is not implemented for the given resource.
+- `500`: Boundary returns `500` if an error occurred that is not (directly) tied to invalid user input. If a `500` is generated, information about the error will be logged to Boundary's server log but is not generally provided to the client.
+
+## Path Layout
+
+Boundary follows a predictable path layout. There are two fundamental types of URL paths, each supporting a different set of operations.
+
+### Collections
+
+Collections of resources are top level paths with plural English names for the resource, e.g. `/roles` and `/hosts`. Collections support the following operations:
+
+- Creation of new resources within that collection
+- Listing of resources within that collection
+
+All collection operations require supplying the enclosing resource. Depending on the collection type, this will be one of the following:
+
+- A scope, indicating the scope in which an operation should take place. For instance, a POST to `/roles` would need to indicate whether the role should be created within the `global` scope or an org-level scope like `o_1234567890`.
+- A parent resource of the appropriate type. For instance, hosts and host sets are child resources of host catalogs. When creating a new host set within a host catalog, a POST to `/host-sets` would need to indicate the host catalog ID with which the host-set should be associated.
+
+### Resources
+
+Resources themselves are defined by ID specifiers within a collection path, e.g. `/roles/r_1234567890`. Resources support the following operations:
+
+- Reading a resource's properties
+- Updating a resource's properties
+- Deleting a resource
+- Custom methods specific to a resource type
+
+Depending on the resource type, various parameters may be available. Some are common across all resource types (e.g. `name` and `description`); others are available only for specific types. Further, some concrete-types of abstract resources include an opaque `attributes` JSON object with type-specific values.
+
+For instance, an auth method is an abstract type; a `password` auth method is a concrete implementation of that type. When creating such an auth method, a `type` parameter will indicate that it should be the `password` type, while values specific to the `password` type auth method, such as minimum password length, will be contained within an `attributes` object.
+
+## Methods
+
+The following method conventions are used within Boundary's API:
+
+### GET
+
+`GET` is used for reading a resource or listing resources in a collection. The behavior depends on whether the `GET` is issued against a collection (`/roles`) or a singular resource (`/roles/r_1234567890`). In the former case it lists resources within the collection; in the latter it performs a read on that particular resource.
+
+### POST
+
+`POST` is used for creating a resource or performing custom actions against a resoruce. When creating a resource, `POST` is used against a collection (`/roles`). When performing a custom action, `POST` is used against a particular resource (`/roles/r_1234567890:set-principals`).
+
+### PATCH
+
+`PATCH` is used to update a resource's parameters. The following are behaviors to be aware of when using `PATCH`:
+
+- In nearly all cases, a `version` parameter is required. This is used for check-and-set, to ensure that the update operation is being performed against a known resource. The version parameter is returned from a `GET` operation on the resource so the current version, along with the resource's other current values, can be looked up at any time.
+- Passing a JSON `null` for a parameter has the effect of reverting that parameter to its default. For some parameters (e.g. `name`) this will simply clear the value (as the default `name` for a resource is empty); for other parameters this will revert to the current defaults within Boundary.
+- All parameters specified as part of a `PATCH` operation will be considered to be parameters that should be updated.
+
+### DELETE
+
+`DELETE` is used for deleting a specific resource, and is only used against a particular resource path.
@@ -0,0 +1,188 @@
+---
+layout: docs
+page_title: CLI
+sidebar_title: CLI
+description: |-
+  Boundary's CLI behavior
+---
+
+# CLI
+
+Boundary's CLI has predictable behavior throughout its various commands. This
+page details the common patterns in used in order to help users make better use
+of the CLI.
+
+## Completion
+
+Before detailing how parameters work, it's useful to note that Boundary's CLI
+supports autocompletion, which allows tab completion of commands, flags, and in
+some cases the parameters to those flags.
+
+This can be installed via the CLI itself:
+
+`boundary config autocomplete install`
+
+If you want to install it manually, for Bash, the following line in a
+`~/.bash_profile` or similar file will work:
+
+`complete -C /path/to/boundary boundary`
+
+## Keyring Token storage
+
+Boundary uses various mechanisms, depending on platform, to allow for secure
+storage of authentication tokens for later use. Each platform has a
+platform-specific option (which on Windows and macOS are the default);
+[pass](https://www.passwordstore.org/) is also available on all platforms. On
+all platforms, setting `-keyring-type` to `none` (or setting it via
+`BOUNDARY_KEYRING_TYPE`) disables storage and retrieval of the token.
+
+Additionally, more than one token can be stored or retrieved at once via the
+`-token-name` flag or `BOUNDARY_TOKEN_NAME` env var. This allows for storing
+tokens used by different Boundary installations, or other needs.
+
+### Windows
+
+On Windows, the Windows credential store (`wincred`) is used.
+
+Available keyring types:
+
+* `wincred` (default)
+* `pass`
+* `none`
+
+### macOS
+
+On macOS, Keychain is used via `/usr/bin/security`. (Using this binary allows us
+to keep the Boundary binary statically linked, which we prefer.)
+
+Available keyring types:
+
+* `keychain` (default)
+* `pass`
+* `none`
+
+### Other platforms
+
+On all other platforms, the default is `pass`. However, if an implementation of
+the [freedesktop.org secret
+service](https://specifications.freedesktop.org/secret-service/latest/) is
+available (via `gnome-keyring`, `kwallet`, or others) it can be used.
+
+Available keyring types:
+
+* `pass` (default)
+* `secret-service`
+* `none`
+
+## Mapping to Collections and Sub-Types
+
+Generally speaking, Boundary's CLI commands map to the collections they operate
+on. For instance, when operating on roles, the command will be `boundary roles
+...`.
+
+As a result, the patterns for reading, deleting, and listing are predictable:
+
+* `boundary <collection> read`
+* `boundary <collection> delete`
+* `boundary <collection> list`
+
+`read` and `delete` will always operate on a particular resource identifier, so
+will always take in an `-id` parameter. `list` operates on collections so will
+either take a `-scope-id` parameter or, depending on type, a higher level
+resource identifier, e.g. `-auth-method-id`.
+
+Creating and updating resources may take an extra parameter if the resource type
+is abstract, that is, if the type cannot be operated on directly but must be
+operated on through an implementation. As an example, a role is not an abstract
+type, and does not have various implementations of it. As a result, a role can
+be operated on directly:
+
+* `boundary roles create`
+* `boundary roles update`.
+
+However, a target can be one of many types of targets, and a concrete
+implementation of a target is a `tcp` type of target. Therefore an extra
+parameter is required when creating or updating a target:
+
+* `boundary targets tcp create`
+* `boundary targets tcp update`
+
+This allows the CLI to perform proper presentation and validation of parameters
+and functions for the given type.
+
+Similar to `read`, `update` operates on an existing target so will always take
+an `-id` parameter. Similar to `list`, `create` operates on a collection so will
+either take a `-scope-id` parameter or a parameter defining the parent resource.
+
+## Parameter Handling
+
+All parameters specified on the CLI are specified as a Go-style flag with a
+single dash, e.g. `-id`. The arguments to those flags can be specified via an
+equals sign, as in `-id=r_1234567890`, or a space, like `-id r_1234567890`.
+
+To see available parameters, pass the `-h` flag to any command.
+
+Flags are semi-position dependent. The flags must come _after_ the command
+definition, but are otherwise order independent.
+
+For instance, the following are equivalent:
+
+* `boundary roles create -scope-id global -name foo`
+* `boundary roles create -name foo -scope-id global`
+
+But the following results in an error:
+
+* `boundary roles -name foo -scope-id global create`
+
+This applies to `-h` as well!
+
+### Clearing/Defaulting Values
+
+On the CLI, you can use `null` as a value to indicate to Boundary that you want
+to unset a value, reverting to Boundary's default. In many cases this default
+will be empty (e.g. for a `name` or `description` parameter) but in other cases
+it's not. For instance, for a password auth method's minimum password length,
+the default is not `0` but rather `8`. Additionally, attempting to set string
+values to the empty string `""` is usually not an allowed operation, since when
+set to a specific value it must be non-empty. Using `null` to clear a value
+ensures you'll revert to Boundary's recommended default.
+
+~> `null` is used because of the fact that the API is JSON. Using `null` as the
+value causes the key for the parameter to be inserted into the eventual API
+call's JSON object but with the value set to the JSON `null`. This in turn
+informs the Controller that this value should be set to its default. Keep in
+mind that this is not a direct translation to database `NULL` semantics!
+
+### Connection Options
+
+Every command that results in an API call contains a set of flags that control
+connection options, which control TLS and other settings for the connection.
+
+### Client Options
+
+Every command that results in an API call contains a set of flags that control
+client options. Some notable options:
+
+* `output-curl-string`: This will format the command that would have been run as
+a string using `curl` that can be used directly on the command line. This is a
+great way to discover how CLI functions map to API calls.
+
+* `token-name`: When the CLI authenticates, it stores the token in the
+platform-specific OS credential store. By using the `token-name` parameter, more
+than one token can be stored at a time. Specifying this parameter at
+authentication time uses the given name as part of the key for storage;
+specifying it for any other command will cause the corresponding token to be
+used for that call.
+
+* `recovery-config`: This is used to specify a configuration file that contains
+the information necessary to access a KMS configured to be used for the recovery
+workflow within a Boundary controller.
+
+### Output Options
+
+Nearly every command supports having its success output be formatted as JSON via
+`-format json`. For commands that result in an API call, the JSON output will be
+the exact output from the controller. If using the output of the CLI in scripts
+or as parameters to other tools, _always_ use formatted output. The default text
+output is meant for human users and the formatting or the information included
+within that output from the original JSON may change at any time.
@@ -0,0 +1,79 @@
+---
+layout: docs
+page_title: Boundary Desktop
+sidebar_title: Desktop
+description: |-
+  Get up and running with Boundary Desktop
+---
+
+# Boundary Desktop
+
+-> Boundary Desktop is currently an Alpha release still undergoing final testing before its official release. Should you experience any bugs or lack of desired functionality, please let us know so that we can evaluate a fix. You can open an issue at https://github.com/hashicorp/boundary/issues/new/choose. Your help is greatly appreciated!
+
+Boundary Desktop is a standalone application that provides a simple interface
+for browsing and connecting to targets on your local computer (macOS currently
+supported). Launch a session in Boundary Desktop and then make a connection
+using your favorite tooling!
+
+## Getting Started
+
+-> If you're running Boundary for the first time, [download the latest binary](https://www.boundaryproject.io/downloads)
+and run it in `dev` mode locally so you can have a server to run against:
+
+```shell-session
+$ boundary dev
+```
+
+### Install Boundary Desktop
+
+1. Download the latest .dmg installer from our [releases page](https://releases.hashicorp.com/boundary-desktop). Alternatively, if you're a homebrew user, you can run `brew install hashicorp-boundary-desktop`
+1. Double-click the downloaded .dmg to run the installer
+1. Drag and drop Boundary into the applications folder
+   ![](/img/boundary-desktop-drag-to-install.png)
+
+### Run Boundary Desktop
+
+1. Open the Boundary Desktop application
+   ![](/img/boundary-desktop-open.png)
+1. You'll be prompted for the Boundary server origin, this is the URL for the client
+   to connect to the Boundary API. If you are running a local `dev` mode server, this
+   URL will be `http://localhost:9200`
+   ![](/img/boundary-desktop-origin.png)
+1. You can now login to Boundary. We're using a `dev` mode server in this example with the
+   username `admin` and the password `password`
+   ![](/img/boundary-desktop-login.png)
+1. After logging in, you should see the targets your user is authorized to connect to. Since
+   we are using a `dev` mode server we see the default generated target for `127.0.0.1:22`
+   ![](/img/boundary-desktop-landing.png)
+
+### Connect!
+
+-> The rest of this example assumes you're running Boundary in `dev` mode.
+
+1. Click on `connect` next to the default target. A pop-up window will display the local
+   address of the proxy and the ephemeral port for the session
+   ![](/img/boundary-desktop-connect.png)
+1. Navigate to the `Sessions` pane and you'll see this session is in `pending` state because we
+   haven't made a connection to it yet (but will!)
+   ![](/img/boundary-desktop-pending.png)
+
+-> The next step assumes you have a SSH server running that the default target will connect to.
+
+1. On the CLI, `ssh` to the target using the local ephemeral port created in the previous step
+
+```shell-session
+$ ssh -p 49250 127.0.0.1
+The authenticity of host '[127.0.0.1]:49250 ([127.0.0.1]:49250)' can't be established.
+ECDSA key fingerprint is SHA256:glO05n2iT8Roqak5G63gMKnW8qsE0lxy0MPWcWC7iqg.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '[127.0.0.1]:49250' (ECDSA) to the list of known hosts.
+Password:
+Last login: Thu Feb 11 17:49:09 2021
+$
+```
+
+1. Navigate back to the sessions view and you'll see this session is now active
+   ![](/img/boundary-desktop-active.png)
+1. Click `Cancel` to cancel the session and you'll see the status go to `cancelling` briefly, then `terminated`
+   ![](/img/boundary-desktop-terminated.png)
+1. Navigate back to the CLI and you'll see your SSH session has closed