Description
This PR aims to fix issues recently noticed with imported models created by local users.
Importing a model into JIMM that is owned by a local Juju user requires the use of the --switch-owner CLI flag to change the model owner in JIMM to a new external user. This change doesn't propagate to the Juju controller so extra logic needs to exist to ensure we alias the old user to the new one. That was not being done and as a result, things like listing application offers were not working. This change allows models created by local Juju users to keep their model owner tag in JIMM. Although JIMM normally deals with external users, there is no reason it can't also hold local users for cases of model imports.
To handle the cloud-credential of an imported model where JIMM is not aware of the local user's credentials, we allow the value of the cloud-credential in JIMM to be nil. This works out because we fetch model info from the controller anyway.
This change simultaneously fixes the same issue addressed in #1533 where application offers that have already been consumed in a Juju model are being authorized by checking JIMM through the use of the JAAS macaroon discharger. If we can combine this change with the idea in #1533 to store the permissions of existing consumers of an app offer (including local users) we can solve both challenges.
Engineering checklist
Test instructions