Implement local macaroon logins #4823

Merged
merged 4 commits into juju:admin-controller-model from axw/client-macaroon-login Mar 22, 2016

axw commented Mar 21, 2016

Reintroduce the "login" command, with a new approach
using macaroons. This is in addition to the existing
external-IdM macaroon support.

We now support macaroon logins for local users: if a
local user tag is specified in login, a macaroon may
be provided instead of a password.

We can now record a macaroon in accounts.yaml instead
of a password. When you run "juju login", you will be
prompted for your password, which will be used for the
login; a macaroon is requested from the server, which
is then written to disk and any existing password
wiped from accounts.yaml.

The change-user-password command is similarly updated
to manage macaroons.

TODO:

  • update "juju register" to generate and record macaroons
  • update juju/api.go code to prompt user to run "juju login"
    if the macaroon is expired
  • persist root keys in mongo, so logins work across
    controller machines
  • garbage collect root keys after macaroon expiry

(Review request: http://reviews.vapour.ws/r/4265/)
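The login flow the description sketches, as an added stand-alone example (not code from this PR or from Juju, and written against the standard library rather than the macaroon bakery Juju uses): a password login mints a macaroon signed with a fresh root key that stays on the controller, the client stores that macaroon in place of the password, and later logins verify the HMAC chain and the caveats. Everything named here is assumed for illustration: the caveat syntax (`user <name>`, `time-before <RFC3339>`), the function and type names, the in-memory `RootKeys` map, and the plaintext password store.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
	"time"
)

// Macaroon with first-party caveats only: Sig = HMAC(rootKey, ID), re-keyed by
// HMAC over each caveat in order. A holder can add caveats but cannot alter or
// drop one without the root key, which never leaves the controller.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func keyedHash(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

func (m *Macaroon) AddCaveat(c string) {
	m.Caveats = append(m.Caveats, c)
	m.Sig = keyedHash(m.Sig, []byte(c))
}

// Controller is the server side (assumed shape). Passwords are plaintext only
// to keep the example short. RootKeys is in-memory, which is exactly why the
// TODO wants root keys persisted: another controller machine could not verify
// a macaroon minted here, and nothing ever expires the stored keys.
type Controller struct {
	Passwords map[string]string
	RootKeys  map[string][]byte
	Now       func() time.Time // injectable clock so expiry can be exercised
}

var ErrBadLogin = errors.New("invalid entity name or password")
var ErrExpired = errors.New("macaroon expired: please run \"juju login\"")

// LoginWithPassword checks the password and mints a macaroon bound to user and
// valid until now+ttl, signed with a fresh random root key kept server-side.
func (c *Controller) LoginWithPassword(user, password string, ttl time.Duration) (*Macaroon, error) {
	if p, ok := c.Passwords[user]; !ok || p != password { // real code: constant-time compare of a hash
		return nil, ErrBadLogin
	}
	raw := make([]byte, 48) // 16 bytes of macaroon id + 32 bytes of root key
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	id := hex.EncodeToString(raw[:16])
	c.RootKeys[id] = raw[16:]
	m := &Macaroon{ID: id, Sig: keyedHash(raw[16:], []byte(id))}
	m.AddCaveat("user " + user)
	m.AddCaveat("time-before " + c.Now().Add(ttl).UTC().Format(time.RFC3339))
	return m, nil
}

// LoginWithMacaroon recomputes the signature from the stored root key, then
// checks every caveat. Expiry is reported distinctly so the client can tell the
// user to run "juju login" instead of showing a bare authentication failure.
func (c *Controller) LoginWithMacaroon(user string, m *Macaroon) error {
	key, ok := c.RootKeys[m.ID]
	if !ok {
		return ErrBadLogin // fail closed; never fall through to HMAC with a nil key
	}
	sig := keyedHash(key, []byte(m.ID))
	for _, cav := range m.Caveats {
		sig = keyedHash(sig, []byte(cav))
	}
	if !hmac.Equal(sig, m.Sig) {
		return ErrBadLogin
	}
	for _, cav := range m.Caveats {
		kv := strings.SplitN(cav, " ", 2)
		switch {
		case len(kv) == 2 && kv[0] == "user" && kv[1] == user:
		case len(kv) == 2 && kv[0] == "time-before":
			if t, err := time.Parse(time.RFC3339, kv[1]); err != nil || !c.Now().Before(t) {
				return ErrExpired
			}
		default:
			return ErrBadLogin // wrong user, or a caveat we cannot check and so cannot satisfy
		}
	}
	return nil
}

// Account mirrors one accounts.yaml entry; JujuLogin is the client side of
// "juju login": the typed password is used once, and the returned macaroon
// replaces the password on disk.
type Account struct {
	User, Password string
	Macaroon       *Macaroon
}

func JujuLogin(c *Controller, acct *Account, typed string) error {
	m, err := c.LoginWithPassword(acct.User, typed, 24*time.Hour)
	if err != nil {
		return err
	}
	acct.Macaroon, acct.Password = m, ""
	return nil
}
```

Two points worth noticing. A macaroon holder can attenuate (call `AddCaveat` with an earlier `time-before`) but cannot loosen an existing caveat, because re-signing needs the intermediate signature that only the root key produces; and a lookup miss on `RootKeys` must return an error rather than proceed, otherwise an attacker could mint macaroons for an unknown id under an empty key. The `ErrExpired` path is the hook the "prompt user to run juju login" TODO item would consume; the `RootKeys` map is what the "persist root keys in mongo" and "garbage collect root keys" items would replace.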

axw added some commits Mar 16, 2016

Implement local macaroon logins

featuretests: add feature test for login
Also change "change-user-password" to stop
implicitly enabling "--generate" when specifying
a user name.

axw commented Mar 22, 2016

$$merge$$


jujubot commented Mar 22, 2016

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju


jujubot commented Mar 22, 2016

Build failed: Tests failed
build url: http://juju-ci.vapour.ws:8080/job/github-merge-juju/6986


axw commented Mar 22, 2016

$$merge$$


jujubot commented Mar 22, 2016

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju

jujubot added a commit that referenced this pull request Mar 22, 2016

Merge pull request #4823 from axw/client-macaroon-login
Implement local macaroon logins

@jujubot jujubot merged commit 2b86478 into juju:admin-controller-model Mar 22, 2016
