Invalid Juju Credentials allow users to remove applications
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Triaged | Wishlist | Unassigned | |
Bug Description
This just happened to me:
```
$ juju add-model test vsphere/
ERROR cannot create model: failed to create environ: dialing client: ServerFaultCode: Cannot complete login due to an incorrect user name or password.
```
But I successfully `juju remove-application foo` in a model in this `vsphere/
In Juju Status, I constantly see the message "suspended since cloud credential is not valid".
I can issue some commands to try to understand what is going on, but the output of these juju commands is cryptic:
```
$ juju update-credentials vsphere
This operation can be applied to both a copy on this client and to the one on a controller.
Do you want to update credential "" on cloud "vsphere" on:
1. client only (--client)
2. controller "jimm.foo.com" only (--controller jimm.foo.com)
3. both (--client --controller jimm.foo.com)
Enter your choice, or type Q|q to quit: 2
Controller credential "user-vsphere" for user "user" for cloud "vsphere" on controller "jimm.foo.com" updated.
For more information, see 'juju show-credential vsphere user-vsphere'.
$ juju show-credential vsphere user-vsphere
WARNING removing secrets from credentials for cloud user-vsphere: cloud vsphere not valid
no registered provider for "vsphere"
No credentials from this client or from a controller to display.
```
I don't know what is going on.
Changed in juju:
milestone: 2.9-next → 3.2-beta1
Changed in juju:
milestone: 3.2-beta1 → 3.2-rc1
Changed in juju:
milestone: 3.2-rc1 → 3.2.0
Changed in juju:
milestone: 3.2.0 → 3.2.1
Changed in juju:
milestone: 3.2.1 → 3.2.2
Changed in juju:
milestone: 3.2.2 → 3.2.3
Changed in juju:
milestone: 3.2.3 → 3.2.4
Changed in juju:
milestone: 3.2.4 → 3.2.5
tags: added: community-feedback remove-application usability
Changed in juju:
milestone: 3.2.5 → none
importance: High → Wishlist
When adding a model, Juju checks that the credential used by the model is valid - it makes a cheap API call to the cloud and reports any error encountered.
The juju remove-application CLI command doesn't talk to the cloud - it updates the Juju model to mark the application as "to be removed" and this is probably what you saw as being a successful run. Juju will then act on this and attempt to destroy any machines and other resources provisioned for that application. If the model credential is invalid, this cleanup will not be able to be done and juju status --format yaml or even juju show-model should indicate that the model is suspended due to the bad credential.
Updating the credential on the controller to unblock the model was indeed the right thing to do - whenever the controller sees a model's credential is updated, and the model is suspended, it will attempt to again see if the credential is valid and if so, will unsuspend the model.
The fact that juju show-credential did not work does indeed appear to be a bug that needs to be fixed.
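
A pre-flight check built on the explanation above, as an added example that is not part of the bug report or of Juju itself: it reads `juju show-model --format json` output and reports whether a removal would only be recorded in the model while the cloud cleanup stalls. The JSON field names (`status.current`, `status.message`, `credential.validity-check`), the model names and the sample document are assumptions constructed for illustration; only the suspension message is taken from the report.

```python
import json

# Message quoted in the report's `juju status` output.
SUSPENDED_MSG = "suspended since cloud credential is not valid"

# Constructed sample shaped like `juju show-model --format json` (field names
# are assumptions); two models are merged into one document for the demo.
SAMPLE = json.dumps({
    "test": {
        "status": {"current": "suspended", "message": SUSPENDED_MSG},
        "credential": {"name": "user-vsphere", "cloud": "vsphere",
                       "validity-check": "invalid"},
    },
    "healthy": {
        "status": {"current": "available"},
        "credential": {"name": "user-vsphere", "cloud": "vsphere",
                       "validity-check": "valid"},
    },
})


def credential_problems(show_model_json):
    """Map each model name to the reasons its cloud cleanup would stall."""
    problems = {}
    for name, info in json.loads(show_model_json).items():
        status = info.get("status") or {}
        cred = info.get("credential") or {}
        reasons = []
        if status.get("current") == "suspended":
            reasons.append("model is suspended")
        if SUSPENDED_MSG in (status.get("message") or ""):
            reasons.append("status reports an invalid cloud credential")
        if cred.get("validity-check", "valid") != "valid":
            reasons.append("credential %r failed its validity check" % cred.get("name"))
        if reasons:
            problems[name] = reasons
    return problems


def removal_will_complete(show_model_json, model):
    """False when remove-application would only mark the app for removal."""
    if model not in json.loads(show_model_json):
        raise KeyError("model %r not in show-model output" % model)
    return model not in credential_problems(show_model_json)


if __name__ == "__main__":
    for model, reasons in credential_problems(SAMPLE).items():
        print(model + ": " + "; ".join(reasons))
```
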