Rick Harding
2018-05-11 12:25:09 UTC
I worked with Tom on this in IRC and got to the bottom of it. We hit a
corner case of the superuser. The folks that own the controller themselves
are a bit special. While technically they're the boss and can juju status
any model in the controller, they don't see all the models by default in
juju models and the like. It'd make being the controller admins a real
pain.
Likewise, we don't auto add the ssh key of every superuser to every machine
in every model regardless of the owner. We take the tact that supserusers
can sudo around and do anything, but by default commands only allow them to
do things on models they've been given model level access to directly.
Tom was setting up a controller, adding a user, and granting them superuser
on the controller. However, as the user had no direct share/access to the
model in question it could not ssh to the machines in the model.
I think we can be more clear here around the error messaging as we know the
user is a superuser and why the request failed.
corner case of the superuser. The folks that own the controller themselves
are a bit special. While technically they're the boss and can juju status
any model in the controller, they don't see all the models by default in
juju models and the like. It'd make being the controller admins a real
pain.
Likewise, we don't auto add the ssh key of every superuser to every machine
in every model regardless of the owner. We take the tact that supserusers
can sudo around and do anything, but by default commands only allow them to
do things on models they've been given model level access to directly.
Tom was setting up a controller, adding a user, and granting them superuser
on the controller. However, as the user had no direct share/access to the
model in question it could not ssh to the machines in the model.
I think we can be more clear here around the error messaging as we know the
user is a superuser and why the request failed.
Hello folks
IRC has failed me so lets try the wider world.
We have a multinode manual cloud deployed. We have juju add-user 2 new
users and also juju add-ssh-key for those users.
We know the ssh key works because
works fine and we can sudo -i etc and do stuff.
But
juju ssh <machine number>
ERROR permission denied (unauthorized access)
permission denied (unauthorized access)
I've looked at the code and it claims we can
that fails with the same error.
If I tail the target servers auth.log there isn't even a failed login
attempt which strikes me as a little weird considering it says
permission denied (unauthorized access)
Which does make me question... what permission is denied?
--
09954122. Registered office: First Floor, Telecom House, 125-135 Preston
Road, Brighton, England, BN1 6AF. VAT No. 251478891.
All engagements
are subject to Spicule Terms and Conditions of Business. This email and
its
contents are intended solely for the individual to whom it is addressed
and
may contain information that is confidential, privileged or otherwise
protected from disclosure, distributing or copying. Any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Spicule Limited. The company accepts no
liability for any damage caused by any virus transmitted by this email. If
you have received this message in error, please notify us immediately by
reply email before deleting it from your system. Service of legal notice
cannot be effected on Spicule Limited by email.
--
Juju mailing list
https://lists.ubuntu.com/mailman/listinfo/juju
IRC has failed me so lets try the wider world.
We have a multinode manual cloud deployed. We have juju add-user 2 new
users and also juju add-ssh-key for those users.
We know the ssh key works because
works fine and we can sudo -i etc and do stuff.
But
juju ssh <machine number>
ERROR permission denied (unauthorized access)
permission denied (unauthorized access)
I've looked at the code and it claims we can
that fails with the same error.
If I tail the target servers auth.log there isn't even a failed login
attempt which strikes me as a little weird considering it says
permission denied (unauthorized access)
Which does make me question... what permission is denied?
--
09954122. Registered office: First Floor, Telecom House, 125-135 Preston
Road, Brighton, England, BN1 6AF. VAT No. 251478891.
All engagements
are subject to Spicule Terms and Conditions of Business. This email and
its
contents are intended solely for the individual to whom it is addressed
and
may contain information that is confidential, privileged or otherwise
protected from disclosure, distributing or copying. Any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Spicule Limited. The company accepts no
liability for any damage caused by any virus transmitted by this email. If
you have received this message in error, please notify us immediately by
reply email before deleting it from your system. Service of legal notice
cannot be effected on Spicule Limited by email.
--
Juju mailing list
https://lists.ubuntu.com/mailman/listinfo/juju