we should remove direct DB access for clients
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
juju-core |
Fix Released
|
High
|
Unassigned |
Bug Description
similar to bug #1253651 for Agent access. Once we have the CLI going only via the API (should happen in 1.18), then we no longer need the CLI to have direct DB access.
For Agents we took the approach that in 1.16 the new agents would go via the API, and for new Agents we create they would not get DB access (and then in 1.18 we revoke access for any agent that might have had grandfathered access).
For Clients we do it slightly differently. In 1.18 we change the client to use the API but don't revoke DB access (so that a 1.16 client can issue status against a 1.18 server). In 1.20 we can completely remove access for all clients (because we don't support a 1.16 client talking to a 1.20 server).
Changed in juju-core: | |
milestone: | 1.19.0 → 2.0 |
Changed in juju-core: | |
status: | Triaged → In Progress |
Changed in juju-core: | |
milestone: | none → 1.21-alpha1 |
Changed in juju-core: | |
status: | Fix Committed → Fix Released |
Port 37017 is no longer opened on machines. An upgrade step that closes it on existing systems may be needed. (Only *may* because the firewaller might already handle this for us, but this needs checking.)