Addmodel ACL does not allow to grant access to other users

Bug #1616167 reported by Uros Jovanovic
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Fix Released | Critical | Horacio Durán |

Bug Description

Even though show-model states that users are model admins, they are not able to share the models with other users.

urulama@ubuntu:~/go/src/github.com/juju/juju$ juju logout
Logged out. You are still logged into 10 controllers.
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju add-model test --credential aws
uploading credential 'aws/uros-jovanovic@external/aws' to controller
Added 'test' model on aws/eu-central-1 with credential 'aws' for user 'uros-jovanovic'

urulama@ubuntu:~/go/src/github.com/juju/juju$ juju models
CONTROLLER: everyone2

MODEL  OWNER                    STATUS     ACCESS  LAST CONNECTION
test*  uros-jovanovic@external  available  admin   never connected

urulama@ubuntu:~/go/src/github.com/juju/juju$ juju grant martin-hilton@external write test
ERROR permission denied (unauthorized access)
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju show-model
test:
  name: test
  model-uuid: 5e7bc44c-3119-4243-819e-f548b012715a
  controller-uuid: 236dfb1c-3d76-467c-83eb-690e4b0515a1
  controller-name: everyone2
  owner: uros-jovanovic@external
  cloud: aws
  region: eu-central-1
  type: ec2
  life: alive
  status:
    current: available
    since: 1 minute ago
  users:
    uros-jovanovic@external:
      display-name: uros-jovanovic
      access: admin
      last-connection: never connected

Same for local users

urulama@ubuntu:~/go/src/github.com/juju/juju$ juju grant bob addmodel
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju grant alice addmodel
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju logout
Logged out. You are still logged into 10 controllers.
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju login bob
password:
You are now logged in to "everyone2" as "bob@local".
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju add-model test --credential aws
uploading credential 'aws/bob@local/aws' to controller
Added 'test' model on aws/eu-central-1 with credential 'aws' for user 'bob'
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju grant alice read test
ERROR permission denied
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju show-model test
test:
  name: test
  model-uuid: 2c156109-f316-498b-8ae3-990b0ec1da94
  controller-uuid: 236dfb1c-3d76-467c-83eb-690e4b0515a1
  controller-name: everyone2
  owner: bob@local
  cloud: aws
  region: eu-central-1
  type: ec2
  life: alive
  status:
    current: available
    since: 2 minutes ago
  users:
    bob@local:
      display-name: bob
      access: admin
      last-connection: never connected

Uros Jovanovic (uros-jovanovic) wrote :

BTW, this is with "juju grant everyone@external addmodel" enabled.

Ian Booth (wallyworld)
Changed in juju:
milestone: none → 2.0-beta16
assignee: nobody → Horacio Durán (hduran-8)
importance: Undecided → Critical
status: New → Triaged
Horacio Durán (hduran-8) wrote :

This seems to be an issue with modelusersC not being a global collection.
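
A simplified model of how a non-global (per-model) collection could produce the symptom reported above, added here as an illustration; it is not Juju's code and not the fix under review. It assumes that queries on a per-model collection are implicitly filtered by the model UUID of the state issuing them, and that the grant check runs from a state bound to the controller model. The type names, function names and UUID placeholders are all hypothetical.

```go
package main

import "fmt"

// modelUserDoc is a constructed stand-in for one model-access record.
type modelUserDoc struct{ ModelUUID, User, Access string }

// collection mimics a document store. When global is false, every query is
// implicitly filtered by the model UUID of the state that issues it (assumption).
type collection struct {
	global bool
	docs   []modelUserDoc
}

// access returns user's access on targetModel as seen from a state bound to stateModel.
func (c collection) access(stateModel, targetModel, user string) string {
	for _, d := range c.docs {
		if !c.global && d.ModelUUID != stateModel {
			continue // per-model scoping hides documents that belong to other models
		}
		if d.ModelUUID == targetModel && d.User == user {
			return d.Access
		}
	}
	return "" // no record visible: the caller treats this as "no access"
}

// canGrant is the authorization check: only a model admin may share the model.
func canGrant(c collection, stateModel, targetModel, user string) bool {
	return c.access(stateModel, targetModel, user) == "admin"
}

// Placeholder UUIDs, constructed for this example.
const controllerModel, testModel = "controller-model-uuid", "test-model-uuid"

// sampleDocs is constructed data: bob is admin of the model he created.
func sampleDocs() []modelUserDoc {
	return []modelUserDoc{{testModel, "bob@local", "admin"}}
}

func main() {
	scoped := collection{global: false, docs: sampleDocs()}
	global := collection{global: true, docs: sampleDocs()}
	// Display path (state bound to the model itself) sees the admin record.
	fmt.Println("show-model access:", scoped.access(testModel, testModel, "bob@local"))
	// Grant path (state bound to the controller model) does not, so it denies.
	fmt.Println("grant allowed, per-model collection:", canGrant(scoped, controllerModel, testModel, "bob@local"))
	fmt.Println("grant allowed, global collection:", canGrant(global, controllerModel, testModel, "bob@local"))
}
```

The point for access-control reviews is that the display path and the enforcement path must read the same records; a regression test that asserts a freshly created model's owner can grant access covers this case.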

Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.0-beta16 → 2.0-beta17
Horacio Durán (hduran-8) wrote :

I proposed a solution in http://reviews.vapour.ws/r/5542/

Changed in juju:
status: Triaged → In Progress
Changed in juju:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in juju:
status: Fix Committed → Fix Released