juju controller caches credentials from bootstrap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | High | Anastasia |
Bug Description
juju 2.2.2
I installed a controller via openstack, using a userpass credential about two weeks ago. Said credential was changed (as they do) and I noticed "something" locked my account within a few minutes. So I figured that there was some nonsense that the controller might be doing on my behalf, so I updated my credentials on my juju client node, then issued `juju update-credential <cloud> <credential>`. It was like OK, so I unlocked my account. Then I come to find that a few min later my account was locked again. This process repeated throughout the day, until I popped on IRC to determine if there was a way to rule out juju. The feedback was to add a new unit, so I ran `juju deploy juju-gui`, came back and the machine was still in a pending state, oh and my account is locked again.
Now I'm completely fed up with the controller and figure it's going to be easier to delete it and start over, yes that's right, it's going to be less painful to start over. x.x so I `juju destroy-controller --destroy-
Problems
* juju update-credential doesn't appear to do anything it's described to do. It didn't ask me about the updates, so I just went straight to the file, and updated it and figured it did something useful.
* Can't validate the credential via the cli.
* There is 0% documentation about controllers caching credentials, or how to update them.
* Controller can't be destroyed because a unit that was never created is waited on infinitely.
* There isn't clear feedback about the failed credential. (Sure I didn't go pull the debug log, but I did look at juju status multiple times, and it didn't indicate the problem)
Credential management does need some attention.
All credential commands, bar 'update-credential', only deal with client-side cloud credentials. Consequently, "go to the file and updating it" would only change what your client knows, not what your controller knows.
The 'update-credential' command allows you to update a credential cached on the controller. Note it is an update, not a replace, so only the values of the credential may be changed, not its name, for example. And, yes, we will soon validate whether a newly supplied credential will work on the affected models. It's not happening yet.
We are working on making this area better from a usability perspective. It will be more intuitive once we are done. Docs will be updated too.