Juju is missing support for candid/RBAC authentication in the LXD provider

Bug #1896838 reported by Simon Fels
This bug affects 2 people
Affects: Canonical Juju
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

LXD can be configured to use candid/RBAC for authentication. Such LXD clusters are currently not usable by Juju as it cannot authenticate to LXD via candid.

Tags: lxd-cloud
Pen Gale (pengale)
Changed in juju:
importance: Undecided → Wishlist
status: New → Triaged
Simon Déziel (sdeziel)
tags: added: lxd-cloud
summary: - Juju is missing support for candid authentication in the LXD provider
+ Juju is missing support for candid/RBAC authentication in the LXD
+ provider
description: updated
Stéphane Graber (stgraber) wrote:

In discussions during the recent sprint, the plan sounded like:
 - Juju CLI should make use of bakery to do the initial authentication dance with LXD
 - Resulting cookie jar should be base64ed and sent to the controller
 - Controller will then use the cookie jar for interactions with LXD

Properly configured Candid environments should provide both the macaroon cookie and a candid cookie; the latter allows obtaining a new macaroon without the need for interactive authentication from the user, so long as the candid cookie itself doesn't expire. This also means that the candid admin can invalidate the session, which in turn forces a new interactive authentication session by the user (useful in case revocation is needed).

So Juju needs to make sure to always use the cookie jar and to save changes to that jar after each use as it may have received a refreshed macaroon or candid cookie.

When the candid cookie expires or the candid admin revokes the session, Juju will be unable to interact with LXD and will get a 401 or 403 (not sure of the exact bakery behavior here) which should properly show up in "juju status" and have the user add new credentials to unblock.

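The three-step plan above (CLI authenticates and serialises the jar, controller imports it and keeps writing it back after every call, 401/403 means the session is gone and fresh credentials are needed) is shown below as an added example that is not Juju or LXD code. It uses only the Go standard library: `net/http/cookiejar` stands in for the bakery/persistent cookie jar the plan refers to, and `fakeLXD` is a constructed test double for a Candid-protected LXD endpoint, so the cookie names (`candid-session`, `macaroon`), the `/login` path and all function names are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

// ErrReauthRequired: LXD answered 401/403, so the stored session is no longer
// usable and the user must redo the interactive Candid login.
var ErrReauthRequired = errors.New("lxd rejected stored session: new credentials required")

// exportJar serialises the cookies held for lxd as base64(JSON), the form in
// which the CLI would hand the jar to the controller. The standard jar only
// exposes Name and Value, so expiry is dropped; a persistent jar would keep it.
func exportJar(jar http.CookieJar, lxd *url.URL) string {
	b, _ := json.Marshal(jar.Cookies(lxd)) // cannot fail for []*http.Cookie
	return base64.StdEncoding.EncodeToString(b)
}

// importJar loads cookies produced by exportJar into jar for lxd.
func importJar(jar http.CookieJar, lxd *url.URL, encoded string) error {
	b, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return err
	}
	var cookies []*http.Cookie
	if err := json.Unmarshal(b, &cookies); err != nil {
		return err
	}
	jar.SetCookies(lxd, cookies)
	return nil
}

// callLXD issues one request with the jar, re-exports the jar afterwards so
// the caller persists any rotated cookie, and maps 401/403 to ErrReauthRequired.
func callLXD(jar http.CookieJar, lxd *url.URL, path string) (int, string, error) {
	resp, err := (&http.Client{Jar: jar}).Get(lxd.String() + path)
	if err != nil {
		return 0, "", err
	}
	resp.Body.Close()
	refreshed := exportJar(jar, lxd)
	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
		return resp.StatusCode, refreshed, ErrReauthRequired
	}
	return resp.StatusCode, refreshed, nil
}

// fakeLXD is a constructed stand-in for a Candid-protected LXD API, not LXD:
// /login replaces the interactive dance; /1.0 rotates the macaroon on every
// call while the session is live and answers 401 once RevokeAll has run.
// Handlers hold no lock because the demo drives them strictly sequentially.
type fakeLXD struct {
	*httptest.Server
	sessions map[string]int // candid session id -> macaroons issued so far
}

func newFakeLXD() *fakeLXD {
	f := &fakeLXD{sessions: map[string]int{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		sid := fmt.Sprintf("sess-%d", len(f.sessions)+1)
		f.sessions[sid] = 1
		http.SetCookie(w, &http.Cookie{Name: "candid-session", Value: sid, Path: "/"})
		http.SetCookie(w, &http.Cookie{Name: "macaroon", Value: sid + "-m1", Path: "/"})
	})
	mux.HandleFunc("/1.0", func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("candid-session")
		if err != nil || f.sessions[c.Value] == 0 {
			http.Error(w, "session missing or revoked", http.StatusUnauthorized)
			return
		}
		f.sessions[c.Value]++
		m := fmt.Sprintf("%s-m%d", c.Value, f.sessions[c.Value])
		http.SetCookie(w, &http.Cookie{Name: "macaroon", Value: m, Path: "/"})
	})
	f.Server = httptest.NewServer(mux)
	return f
}

// RevokeAll mimics the Candid admin invalidating every session.
func (f *fakeLXD) RevokeAll() { f.sessions = map[string]int{} }

func main() {
	lxd := newFakeLXD()
	defer lxd.Close()
	u, _ := url.Parse(lxd.URL)
	cli, _ := cookiejar.New(nil)
	_, exported, _ := callLXD(cli, u, "/login") // CLI does the dance, ships the jar
	ctrl, _ := cookiejar.New(nil)
	_ = importJar(ctrl, u, exported)
	status, refreshed, err := callLXD(ctrl, u, "/1.0") // keep `refreshed`: it was rotated
	fmt.Println(status, err, refreshed != exported)
	lxd.RevokeAll()
	status, _, err = callLXD(ctrl, u, "/1.0") // 401: surface it in "juju status"
	fmt.Println(status, err)
}
```

The point the controller side must get right is that `callLXD` returns the re-exported jar every time: after a successful call the server may have rotated the macaroon (or, in a real Candid deployment, the candid cookie), so the stored blob is only current if it is overwritten after each use. Once the admin revokes the session, the same stored jar yields `ErrReauthRequired`, which is the signal to block in status and ask the user for new credentials rather than to retry.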