MAAS

multiple juju environments in maas

Bug #1123986 reported by Szilard Novaki on 2013-02-13

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
MAAS	Fix Released	High	Raphaël Badin
1.2	Fix Released	High	Raphaël Badin	MAAS 12.10-stabilization
pyjuju	Triaged	Low	Unassigned

Bug Description

It should be possible to create multiple juju environments in a MAAS. Each user has a different MAAS key, moreover the UI explicitly states that "You'll need a separate MAAS key for each Juju environment.". We found that this is not possible, only one environment is allowed on each MAAS.

To reproduce:
* create two users on MAAS
* create an environment.yml for the first user, execute juju bootstrap
* create an environment.yml for the second user, execute juju bootstrap
* wait for the bootstrap to finish for the first user
* execute juju status for the first environment. You will get an error message like:

$ juju status
2013-02-13 10:58:01,643 INFO Connecting to environment...
2013-02-13 10:58:01,761 ERROR juju environment not found: machines are not running (/MAAS/api/1.0/nodes/node-a5375926-75bd-11e2-bd72-5254007b377c/)

After tracking down the problem, I found that juju stores a file in MAAS (provider-state, in /var/lib/maas/media/storage dir on MAAS). This stores the id of zookeeper instance (the juju master host). This file is not created per user, so the second bootstrap overwrote it.

I don't know much about MAAS, but I think this is a MAAS problem, as users should not overwrite other user's files.

Related branches

lp:~rvb/maas/bug-1123986-hack-header

Merged into lp:~maas-committers/maas/trunk at revision 1443

Gavin Panella (community): Approve on 2013-02-25

lp:~rvb/maas/bug-1123986-key-api

Merged into lp:~maas-committers/maas/trunk at revision 1442

Gavin Panella (community): Approve on 2013-02-18

lp:~rvb/maas/bug-1123986-api-fix

Merged into lp:~maas-committers/maas/trunk at revision 1441

Gavin Panella (community): Approve on 2013-02-22

lp:~rvb/maas/bug-1123986-db-filestorage-key

Merged into lp:~maas-committers/maas/trunk at revision 1440

Gavin Panella (community): Approve on 2013-02-18

lp:~rvb/maas/bug-1123986

Merged into lp:~maas-committers/maas/trunk at revision 1439

Gavin Panella (community): Approve on 2013-02-18

lp:~rvb/maas/bug-1123986-1.2

Merged into lp:maas/1.2 at revision 1362

Raphaël Badin (community): Approve on 2013-02-26

lp:~allenap/maas/shared-to-per-tenant-storage-migration-1.2

Merged into lp:maas/1.2 at revision 1368

Gavin Panella (community): Approve on 2013-03-06

lp:~allenap/maas/shared-to-per-tenant-storage-1.2

Merged into lp:maas/1.2 at revision 1367

Gavin Panella (community): Approve on 2013-03-06

lp:~allenap/maas/shared-to-per-tenant-storage-migration

Merged into lp:~maas-committers/maas/trunk at revision 1450

Raphaël Badin (community): Approve on 2013-03-06

lp:~allenap/maas/shared-to-per-tenant-storage

Merged into lp:~maas-committers/maas/trunk at revision 1449

Raphaël Badin (community): Approve on 2013-03-06

lp:~jtv/pyjuju/maas-anon-urls

On hold for merging into lp:pyjuju

Gavin Panella (community): Approve on 2013-02-23

Kapil Thangavelu: Pending requested 2013-02-25

lp:~allenap/pyjuju/maas-anon-urls-2

Rejected for merging into lp:pyjuju

Kapil Thangavelu (community): Needs Fixing on 2013-02-27

Revision history for this message

Jeroen T. Vermeulen (jtv) wrote on 2013-02-13:

Thanks for reporting this. Oddly enough we had *just* figured out that there might be such a problem in theory, and now we know!

What we had in mind was to split the namespaces between environments, rather than users. After all the usual case will be that one "user" (may be a MAAS-internal actor rather than a human) uploads a file and another downloads it. But it's clearly the same problem.

Julian Edwards (julian-edwards) on 2013-02-14

Changed in maas:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-14:

I don't think this is a problem in MAAS. I think this should be fixed in the MAAS provider in Juju: the provider should derive a prefix from a unique ID that is has and use that prefix when it stores/retrieves files in/from MAAS?
Thoughts?

Revision history for this message

Gavin Panella (allenap) wrote on 2013-02-14: Re: [Bug 1123986] Re: multiple juju environments in maas

On 14 February 2013 12:45, Raphaël Badin <email address hidden> wrote:
> I don't think this is a problem in MAAS. I think this should be fixed in the MAAS provider in Juju: the provider should derive a prefix from a unique ID that is has and use that prefix when it stores/retrieves files in/from MAAS?
> Thoughts?

It's worrying that a second user was able to overwrite the file of the
first. My first instinct is to think that each user should have an
independent view of the file store that does not intersect with any
other user's view. But, perhaps this behaviour is intentional. What
restrictions are there around the file store? Are super and non-super
users treated differently? If we're not splitting up the namespace by
user, are we doing it in another way (I guess not, hence this bug)?

Fwiw, if we want to stick with a shared namespace then I think
Raphaël's suggestion makes sense.

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-14:

Here is an extract from src/maasserver/api.py:

class AnonFilesHandler(AnonymousOperationsHandler):
"""Anonymous file operations.

This is needed for Juju. The story goes something like this:

- The Juju provider will upload a file using an "unguessable" name.

    - The name of this file (or its URL) will be shared with all the agents in
      the environment. They cannot modify the file, but they can access it
      without credentials.
    """

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-14:

I think we need to clarify what kind of behavior Juju expects from the file store.

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2013-02-14:

On Thursday 14 Feb 2013 13:36:46 you wrote:
> On 14 February 2013 12:45, Raphaël Badin <email address hidden> wrote:
> > I don't think this is a problem in MAAS. I think this should be fixed in
> > the MAAS provider in Juju: the provider should derive a prefix from a
> > unique ID that is has and use that prefix when it stores/retrieves files
> > in/from MAAS? Thoughts?
>
> It's worrying that a second user was able to overwrite the file of the
> first. My first instinct is to think that each user should have an
> independent view of the file store that does not intersect with any
> other user's view. But, perhaps this behaviour is intentional. What
> restrictions are there around the file store? Are super and non-super
> users treated differently? If we're not splitting up the namespace by
> user, are we doing it in another way (I guess not, hence this bug)?
>
> Fwiw, if we want to stick with a shared namespace then I think
> Raphaël's suggestion makes sense.

We don't want a shared namespace - having different users see each other's
files is crazy.

Also bear in mind that we can't change the behaviour of already-release juju
code. This *has* to be fixed in MAAS. Then MAAS will work like all the other
providers Juju deals with.

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2013-02-14:

On Thursday 14 Feb 2013 13:51:43 you wrote:
> I think we need to clarify what kind of behavior Juju expects from the
> file store.

That is an excellent point.

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-15:

Here is some context:

The 2 MPs in which we added support for this:
https://code.launchpad.net/~julian-edwards/maas/anon-get-file/+merge/98798
https://code.launchpad.net/~allenap/maas/anon-get-file-follow-up/+merge/98919

The record of what happens to the file storage API when an env is bootstrapped and mysql+mediawiki charms are deployed:
http://paste.ubuntu.com/1657528/

The names of the files stored in the store (same context as above):
http://paste.ubuntu.com/1657539/

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-15:

> We don't want a shared namespace - having different users see each other's
> files is crazy.

You're definitely right. That's also how the other providers do it. Unfortunately, we've implemented this the wrong way: a shared namespace is what we have now :/.

We need to change the store so that each user has a independent view of the file store. Also, each file should have a random string attached to it so that it can be accessed (read-only) anonymously via the API with that key (i.e. /api/1.0/files/?get=filename&key=secret-key-specific-to-this-file).

That's rather easy to change but :

> Also bear in mind that we can't change the behaviour of already-release juju
> code. This *has* to be fixed in MAAS. Then MAAS will work like all the other
> providers Juju deals with.

Indeed, that's where the real problem is really. We need to think hard to fix this while still supporting the exiting provider's code.

Revision history for this message

Raphaël Badin (rvb) wrote on 2013-02-15:

#10

I think I have a solution for this. It will imply fixing the existing python provider (but there is no way around that, right now, the files are fetched using "GET /api/1.0/files/?filename=filename&op=get"; if every user has its own store, we need the provider to use an extra piece of information to distinguish the files named "filename" but owned by different users). But the good news is that I think this solution will ensure a smooth transition for all the existing users, i.e. the change we will make to MAAS won't break the existing installations but juju itself (the MAAS provider part) will have to be SRUed for this bug to be fixed.
I'll write down what I have in mind on Monday.

Revision history for this message

Julian Edwards (julian-edwards) wrote on 2013-02-17:

#11

"use an extra piece of information to distinguish the files named "filename" but owned by different users"

This is the kind of thing I had in mind. It will sadly only work for new (or as you say, SRUed) Juju releases though, unless there's some existing piece of info that MAAS can grok about the requests that differentiates users?

Revision history for this message

Gavin Panella (allenap) wrote on 2013-03-08:

#12

lp:~allenap/juju/maas-anon-urls-2 builds on Jeroen's lp:~jtv/juju/maas-anon-urls.

maas-anon-urls-2 is *not* the right approach now, but it is linked here for reference.

Changed in juju:
status:	New → Triaged
status:	Triaged → Confirmed

Revision history for this message

Gavin Panella (allenap) wrote on 2013-03-08:

#13

Support for the new per-tenant namespace in MAAS needs to be added to the Python version of Juju. lp:~jtv/juju/maas-anon-urls will provide a starting point. The MAAS provider in the Go version of Juju will support per-tenant namespaces upon initial release.

Raphaël Badin (rvb) on 2013-03-08

Changed in maas:
assignee:	nobody → Raphaël Badin (rvb)
status:	Triaged → Fix Committed

Julian Edwards (julian-edwards) on 2013-05-24

Changed in maas:
status:	Fix Committed → Fix Released

Curtis Hovey (sinzui) on 2013-10-12

Changed in juju:
importance:	Undecided → Low
status:	Confirmed → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.