From IRC:
<justicefries> so if you do:
<justicefries> `juju add-model foo-bar --credential bam --owner admin` while logged in as justicefries
<justicefries> where justicefries is a superuser
<justicefries> doing a `juju grant justicefries admin admin/foo-bar` fails, you have to log in as the model owner.
<justicefries> i think the weird thing is I can create a model for someone else, but then not get access to it.
<marcoceppi> interesting, I'll file a bug see what shakes out from it
<marcoceppi> yeah, superuser seems to not inherit admin of models it controls
<justicefries> should be consistent between the two either way
<justicefries> if it's intended, I'd expect add-model --owner shouldn't work for someone else
<marcoceppi> well, if that user does not have "addmodel" or "superuser" it won't
<justicefries> right
<justicefries> 2.0.2
<marcoceppi> yeah, I wonder if this is just an omission of the permission level of superuser
<marcoceppi> where if it doesn't own a model, it really can't see it, despite being the creator (and superuser)
Is this intended by design? If so, is there a possibility to allow assignment of grants during add model:
`juju add-model <model> --owner 'someone-else' --admin 'me' --admin 'jon' --read 'foobar'`
The documentation says that "superuser grants a user the same permissions as an administrator and complete control over the deployed environment," and "an administrator can use the grant command to grant a user either read or write access to any model."
This doesn't appear to be true at all. Rather, the superuser is dependent on the model owner to explicitly grant them access. This is also an issue if a user with add-model permission creates a model; the controller superuser cannot even view, much less manage, that model. The model can even become orphaned if the model owner is removed. This also breaks `juju models --all` with the error:
`ERROR "" is not a valid tag`