don't allow grants for non-existent users
Bug #1895545 reported by james beedy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Low | Unassigned |
Bug Description
Just ran into a scenario where a user made a typo when granting another user access to a model. The juju command succeeded even though there is no actual user with the username that the grant command was run with. Possibly juju can return a simple error informing the granting user that there is no user with "<username>".
Thanks!
@jamesbeedy: thank you for filing the bug! Are these local or external users?
For local users, you should get an error when the user doesn't exist. For example, if I create a user "foo" on my localhost controller, I can grant access to a model for that user, but not for a non-existent user "bar":
```
petevg@badjanet:~$ juju add-user foo
User "foo" added
Please send this command to foo:
juju register <hash redacted>
"foo" has not been granted access to any models. You can use "juju grant" to grant access.
petevg@badjanet:~$ juju models
Controller: raven
Model Cloud/Region Type Status Machines Units Access Last connection
controller localhost/localhost lxd available 1 - admin just now
test-run* localhost/localhost lxd available 1 1 admin 2020-09-15
1 petevg@badjanet:~$ juju grant foo read test-run
1 petevg@badjanet:~$ juju grant bar read test-run
ERROR could not grant model access: user "bar" does not exist locally: user "bar" not found
```
However, I can add access for the external user bar. The following succeeds, without an error message:
```
petevg@badjanet:~$ juju grant bar@external read test-run
```
This is intended behavior, as we don't really know what external users exist.
With JAAS, we do have a better shot at looking up whether a user is valid. This might be a feature request against JAAS, to add functionality to treat "external" users w/in JAAS in the same way that we treat internal users. I don't know off the top of my head how complex this would be.
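
Because a grant to an `@external` name succeeds without any lookup, a mistyped name only shows up when grants are reviewed afterwards. The following is an added example, not code from this bug thread or from the Juju project: it compares granted usernames against lists the operator maintains and suggests the likely intended name. The input shapes, the sample names and the 0.8 similarity cutoff are assumptions.

```python
import difflib

EXTERNAL_SUFFIX = "@external"  # suffix used for external users in the thread above


def audit_grants(model_grants, local_users, known_external):
    """Return (model, user, access, suggestion) for grants no known identity backs.

    model_grants:   {model_name: {username: access_level}}  (assumed export shape)
    local_users:    set of usernames that exist on the controller
    known_external: set of external usernames confirmed with the identity provider
    """
    findings = []
    for model, grants in sorted(model_grants.items()):
        for user, access in sorted(grants.items()):
            # External names are never verified at grant time, so they are
            # checked against the operator's own list instead.
            known = known_external if user.endswith(EXTERNAL_SUFFIX) else local_users
            if user in known:
                continue
            # A near match to a known name points at a typo rather than a
            # deliberate grant to someone new.
            close = difflib.get_close_matches(user, sorted(known), n=1, cutoff=0.8)
            findings.append((model, user, access, close[0] if close else None))
    return findings


# Constructed sample data, not taken from a real controller.
MODEL_GRANTS = {
    "test-run": {
        "admin": "admin",
        "foo": "read",
        "alice@external": "write",
        "carl@external": "read",  # typo for carol@external
    }
}
LOCAL_USERS = {"admin", "foo"}
KNOWN_EXTERNAL = {"alice@external", "carol@external"}

if __name__ == "__main__":
    for model, user, access, hint in audit_grants(MODEL_GRANTS, LOCAL_USERS, KNOWN_EXTERNAL):
        note = f'did you mean "{hint}"?' if hint else "no similar known user"
        print(f'{model}: "{user}" has {access} access but is unknown ({note})')
```

Findings with a suggestion are candidates for revoking and re-granting under the corrected name; findings without one need a check with whoever issued the grant.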