© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
TL;DR; seems there's a bug checking offer access for users who at not controller superusers but are model admins so for now explicit consume access needs to be granted for those users.
--
There's 2 postgresql offers in different models so it's not 100% clear to me which model is the stg-netbox one hosting the offer "admin/
The permissions for one of the postgresql offers shows
{
"_id" : "ao#f207d2fb-
"access" : "admin",
"txn-revno" : 2
}
{
"_id" : "ao#f207d2fb-
"access" : "read",
"txn-revno" : 2
}
{
"_id" : "ao#f207d2fb-
"access" : "consume",
"txn-revno" : 2
}
Hence the explicit consume permission granted to user "stg-netbox" would allow access.
The model hosting the offer is abd1188b-
{
"_id" : "e#abd1188b-
"access" : "admin",
"txn-revno" : 2
}
This should have been enough to allow access to the offer without needing to grant consume access explicitly. But it seems there's a bug here because looking at the code, I think the check for model admin access during macaroon discharge is done on the controller model, not the model hosting the offer. That might explain why explicit consume access is required even for model admin users.
In terms of the show-offer output, the list of users and their permissions is influenced by the logged in user who is running show-offer. The code looks at explicit offer grants and also includes "admin" access if the logged in user is a model admin. Thus
stg-netbox@
will show access of the stg-netbox logged in user based on them being a model admin
stg-netbox:
access: admin
juju-controller
will show
stg-netbox:
access: consume
since this is showing explicit access grants for users other than the logged in user.