Canonical Juju

Share cloud credentials on the controller

Bug #1630372 reported by George Kraft
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Canonical Juju
Triaged
Wishlist
Unassigned

Bug Description

Our original machine is configured with an openstack cloud and credentials, which we used to bootstrap the controller.

On the original machine, as the admin user, we ran:

$ juju add-user vpil-01
$ juju grant vpil-01 addmodel

On a different machine which does -not- have openstack cloud or credentials, we register the vpil-01 user and observe that we're not able to create models:

$ juju register MGsTB3ZwaWwtMD...
$ juju add-model test
ERROR no credential specified

However, if we logout and login as admin on that same machine, we can add models with no problem:

$ juju logout
$ juju login admin
$ juju add-model test2
Added 'test2' model on vpil-openstack/RegionOne with credential 'admin' for user 'admin'

Occurs using Juju 2.0 RC2.

Revision history for this message
Anastasia (anastasia-macmood) wrote :

This is working as expected.
Users need to be granted permissions to create models.
Admin users have this permission by default.

Changed in juju:
status: New → Invalid
Revision history for this message
Ian Booth (wallyworld) wrote :

The real issue here is that when you try and add a model, you need to supply credentials to use. If you are the admin user, your credentials will already be stored in the controller. If you are another user with add-model permission, you will need to specify what credential you want to use the first time a model is added. You may need to run juju add-credential first to make Juju aware of any credential you want to use.

Revision history for this message
Anastasia (anastasia-macmood) wrote :

We need to update helpdoc for add-model command.

Doc issue is here: https://github.com/juju/docs/issues/1433

Changed in juju:
status: Invalid → In Progress
importance: Undecided → Medium
assignee: nobody → Anastasia (anastasia-macmood)
milestone: none → 2.0.0
tags: added: usability
Revision history for this message
Anastasia (anastasia-macmood) wrote :

PR: https://github.com/juju/juju/pull/6422

Anastasia (anastasia-macmood)
Changed in juju:
milestone: 2.0.0 → 2.0.1
assignee: Anastasia (anastasia-macmood) → nobody
status: In Progress → Triaged
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.0.1 → none
Revision history for this message
Marco Ceppi (marcoceppi) wrote :

This is actually largely problematic. There is a clear path where I, as an admin of a controller, want users to not have credentials and simply use the admins credentials again. This worked in beta18 but was removed in rc1.

Anastasia (anastasia-macmood)
Changed in juju:
milestone: none → 2.1-beta2
Revision history for this message
Ian Booth (wallyworld) wrote :

To do the feature work required requires some thought about how credentials are managed in various scenarios, including management of credentials per user per cloud, sharing of credentials and associated permissions, setting default credentials, etc. The work here is more than just a bug fix. There's no way this can be done for 2.1-beta2. It is doubtful 2.1 is realistic (depending on timeframe of the release). However, there's some scope to do some work in the 2.2 cycle.

Changed in juju:
milestone: 2.1-beta2 → 2.2.0
Revision history for this message
Antonio Rosales (arosales) wrote :

This is also effects Charm CI where we would like to add a controller to the CI model and then have Jenkins create new models for testing under that shared controller without having to pass credentials.

Revision history for this message
Cory Johns (johnsca) wrote :

https://bugs.launchpad.net/juju/+bug/1652171 is also relevant to this, since I get this error even after having added the credential (though explicitly naming the credential via --credential does work).

Cory Johns (johnsca)
tags: added: cwr-ci matrix
Revision history for this message
Anastasia (anastasia-macmood) wrote :

Upgraded to 'High' based on comment #5 and comment # 7.

Changed in juju:
importance: Medium → High
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.2-beta1 → 2.2-beta2
Curtis Hovey (sinzui)
Changed in juju:
milestone: 2.2-beta2 → 2.2-beta3
Canonical Juju QA Bot (juju-qa-bot)
Changed in juju:
milestone: 2.2-beta3 → 2.2-beta4
Canonical Juju QA Bot (juju-qa-bot)
Changed in juju:
milestone: 2.2-beta4 → 2.2-rc1
Revision history for this message
Tim Penhey (thumper) wrote :

If the admin wants to share the credential with other users, then for now, the non-admin users will need to add-credential.

Changed in juju:
importance: High → Medium
milestone: 2.2-rc1 → none
Revision history for this message
Tim Penhey (thumper) wrote :

Other work is taking priority over this right now, so I'm going to stop pretending that this is going to be fixed in the next release.

Revision history for this message
Anastasia (anastasia-macmood) wrote :

There is 2 issues conflicted in this report:

1. New user needs to have 'add-model' permission granted and their credentials added locally and to the controller, before this user can add-model. This is tracked in a different bug # 1814395.

2. A user with cloud credential on the controller wants to share this credential with other controller users.

I'll rename this bug to be focused on 2 only.

summary: - "ERROR no credential specified" during add-model as non-admin user
+ Share cloud credentials on the controller
Changed in juju:
importance: Medium → Wishlist
tags: added: credentials
Caner Derici (cderici)
tags: removed: matrix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.