juju asking to login to every controller

Bug #1804401 reported by Ondrej Kuchar on 2018-11-21
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
juju
High
Unassigned
2.4
High
Unassigned

Bug Description

we're creating juju users and trying to operate with those instead of super-admin user.
Problem is when juju runs in HA it is asking for password for every controller

for example when I run same command, without providing password (pressing Ctrl+c)
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas
please enter password for kucharo on foundations-maas:
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas kucharo
please enter password for kucharo on foundations-maas:
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas kucharo
please enter password for kucharo on foundations-maas:
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas kucharo
please enter password for kucharo on foundations-maas:
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas kucharo
please enter password for kucharo on foundations-maas:
kucharo@ic-skbrat2-infra1:~$ juju show-user -c foundations-maas kucharo
user-name: kucharo
access: login
date-created: 2018-11-12
last-connection: just now

with --debug is visible that one controller is logged in
https://pastebin.ubuntu.com/p/BKZ6myGpm5/

juju controllers:
https://pastebin.ubuntu.com/p/HJRy74jFKs/

juju show-model:
https://pastebin.ubuntu.com/p/MZCJ7BYCH3/

I'd say juju should share state of user authentication between controllers in HA mode

description: updated
John A Meinel (jameinel) wrote :

this seems like an issue with the underlying macaroon authentication. I'll add the Candid project.

John A Meinel (jameinel) wrote :
Changed in juju:
status: New → Triaged
importance: Undecided → High
Ante Karamatić (ivoks) wrote :

FWIW, candid is not being used here.

Richard Harding (rharding) wrote :

Thanks, we're investigating how we can make sure that the macaroons minted are good on each of the controllers. Typically we'd use a dns name to help with this, but understand that's not always part of the setup.

Tim Penhey (thumper) on 2019-01-08
Changed in juju:
milestone: none → 2.5.1

A possible workaround for this situation is to include the password in the accounts definition file. E.g.:

.local/share/juju/accounts.yaml
controllers:
  controller1:
    user: user1
    password: MySecurePassw0rd
    last-known-access: login

Which may not be optimal for some use cases, but for others it could be even better, as there will be no password prompted when the sessions expire.

Ian Booth (wallyworld) on 2019-01-28
Changed in juju:
milestone: 2.5.1 → 2.5.2
Changed in juju:
milestone: 2.5.2 → 2.5.3
Changed in juju:
milestone: 2.5.3 → 2.5.4
Changed in juju:
milestone: 2.5.4 → 2.5.5
Changed in juju:
milestone: 2.5.6 → 2.5.8
Changed in juju:
milestone: 2.5.8 → 2.5.9
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.