Controllers with "external" users
Uros Jovanovic
uros.jovanovic at canonical.com
Thu Sep 8 11:14:55 UTC 2016
Most people are used to either using controllers as owners (you bootstrap a
controller, create models, destroy controller) or adding users and then
sharing links with people so that they can reuse your controller. You may
have noticed the @local postfix for such users when using "juju status" or
even "juju whoami":
$ juju whoami
Controller: aws-cdo-b18
Model: default
User: admin@local
However, Juju now also understands external users, the ones that are
defined by an identity provider. These external users are thus not handled
within jujud or created with "juju add-user" commands, but rely on an
external identity manager, Ubuntu SSO in our case.
Why is this useful? Suppose you've got a model that you want to share with
a person to look at or try it out. Instead of the usual "add-user" dance,
all you need to do is just grant that person access using their USSO
username.
juju grant frankban@external read mymodel
juju grant cmars@external write mymodel
When the other user switches to the shared controller, all they need to do
is run "juju login", perform the SSO login in the browser and then act as
an SSO user on the controller.
Quick instructions on how to bootstrap such a controller. Let's assume we
want to bring up a controller in GCE.
$ juju bootstrap gce google/europe-west1 --credential gce \
    --constraints="instance-type=n1-highcpu-4 root-disk=32G" \
    --config identity-url=https://api.jujucharms.com/identity
As you can see, we've provided the additional configuration option
"identity-url", pointing it to the identity manager for Ubuntu SSO for Juju.
Then, you can grant people permission to add models to the controller. For
example:
$ juju grant martin-hilton@external addmodel
You can also allow anyone with a USSO account to create models on the
controller:
$ juju grant everyone@external addmodel
A user who has your controller information can then run on his own machine:
$ juju login
Opening an authorization web page in your browser.
If it does not open, please open this URL:
*****
You are now logged in to "gce" as "uros-jovanovic@external".
I've now logged in as an Ubuntu SSO user.
urulama@ubuntu:~/go/src/github.com/juju/juju$ juju whoami
Controller: gce
Model: test
User: uros-jovanovic@external
Creating a model:
$ juju add-model test --credential gce
Uploading credential 'google/uros-jovanovic@external/gce' to controller
Added 'test' model on google/europe-west1 with credential 'gce' for user
'uros-jovanovic'
$ juju models
CONTROLLER: gce
MODEL  OWNER                    STATUS     ACCESS  LAST CONNECTION
test*  uros-jovanovic@external  available  admin   never connected
As you can see, users are required to use their own credentials to create
models on your controller.
User-experience-wise there is still room for improvement: for instance, at
the moment the only way to share a controller is to send the controller
information via email or a public site, and the recipient then has to add
it manually to $HOME/.local/share/juju/controllers.yaml.
This functionality is available with the current Juju tip and will be
included in the upcoming beta 18 release.
If you haven't done it yet, in order to be able to use Juju as an external
user, you are required to log in at jujucharms.com first. Logging into
jujucharms.com is only required once.
Cheers,
Uros