controller: add allow-model-access flag #6427

Merged
merged 1 commit into from Oct 11, 2016

Owner

rogpeppe commented Oct 11, 2016

This allows model users access to a model they've been granted
access to without the requirement for them to have access
to the controller too.

This required the ability for some apiserver tests to be able
to start the API server with a custom configuration, which
required some changes in the apiserver tests. Specifically
we consolidate the API server test starting code into
one place and use it throughout.

We also rename permission.UndefinedAccess to permission.NoAccess
because that's what it actually implies (note that although the
comment on UndefinedAccess states that it's an invalid
permission, Access.Validate begs to differ as do a fair number
of other places that rely on UndefinedAccess meaning
"no permissions").

Fixes https://bugs.launchpad.net/juju/+bug/1631449.

QA instructions

  • bootstrap a controller:

    juju bootstrap --config identity-url=https://api.jujucharms.com/identity --config allow-model-access=true

  • create a model and grant access to an external user on that model

  • check that that user can access the model and that they cannot list models in the controller or do anything else that requires a controller-level API connection.

👍 with a couple of small comments.

apiserver/admin_test.go
// If we have a remote user which has explict model access, but no
- // controller access, nor no 'everyone' access, the user has no access.
+ // controller access, nor no 'everyone' access, the user will have access
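Review bot: the rewritten comment in apiserver/admin_test.go now ends "the user will have access", but the visible lines do not say that this is the expected result only when allow-model-access is enabled on the controller. If the continuation of the comment does not already state that precondition, add it, so the test's intent is clear without reading the PR description. While the comment is being touched, "explict" in the context line should be "explicit", and "nor no 'everyone' access" would read more clearly as "and no 'everyone' access".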

mhilton Oct 11, 2016

Member

I can't parse "nor no". Could this possibly be re-worded?

controller/config.go
@@ -284,6 +298,7 @@ var configChecker = schema.FieldMap(schema.Fields{
SetNUMAControlPolicyKey: schema.Bool(),
AutocertURLKey: schema.String(),
AutocertDNSNameKey: schema.String(),
+ AllowModelAccessKey: schema.Bool(),
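Review bot: AllowModelAccessKey is registered in configChecker as schema.Bool(), but this hunk shows only the schema.Fields map, so it is not visible whether the key also gets an entry in the checker's defaults. Because the flag relaxes the requirement for controller access, make sure an absent value is treated as false, and add a doc comment on AllowModelAccessKey saying what enabling it permits. The added line should also be run through gofmt along with the rest of the map.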

mhilton Oct 11, 2016

Member

This doesn't look formatted

Owner

rogpeppe commented Oct 11, 2016

QA OK

$$merge$$

Contributor

jujubot commented Oct 11, 2016

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju

Contributor

jujubot commented Oct 11, 2016

Build failed: Tests failed
build url: http://juju-ci.vapour.ws:8080/job/github-merge-juju/9477

$$merge$$

Contributor

jujubot commented Oct 11, 2016

Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju

@jujubot jujubot merged commit 9e55fbb into juju:master Oct 11, 2016
