Canonical Juju

juju add-credential does not validate credentials, but bootstrap does

Bug #1732082 reported by Nobuto Murata
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Canonical Juju
Triaged
Low
Unassigned

Bug Description

How to reproduce:

$ juju version
2.3-beta3-xenial-amd64

$ juju add-cloud
Cloud Types
  maas
  manual
  openstack
  oracle
  vsphere

Select cloud type: maas

Enter a name for your maas cloud: my-maas

Enter the API endpoint url: http://10.0.8.158/MAAS

Cloud "my-maas" successfully added
You may bootstrap with 'juju bootstrap my-maas'

$ juju add-credential my-maas
Enter credential name: my-maas-credential

Using auth-type "oauth1".

Enter maas-oauth: <<<- enter invalid credential

Credentials added for cloud my-maas.

$ juju bootstrap my-maas
ERROR Authorization Error: Invalid API key.

So, it would be nice if Juju verified the credential at the end of `juju add-credential` similar with verifying endpoints at the end of `juju add-cloud`.

Nobuto Murata (nobuto)
tags: added: cpe-onsite
John A Meinel (jameinel)
Changed in juju:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Anastasia (anastasia-macmood) wrote :

'juju add-credential' operates on local cache only. It does not really matter to Juju if it is valid, besides there is no guarantee that Juju has access to the cloud to verify the credential before we have a bootstrapped system. There is no strict limitations on user - credential can be added locally before a cloud is, for example.

However, the validation will definitely take place when a credential will be in used. For ***local*** (client side) credentials, this will take place when a user either bootstraps or adds a new model with that credential. For ***remote** (server side) credential that will happen during the upload.

Anastasia (anastasia-macmood)
tags: added: credentials
Revision history for this message
Richard Harding (rharding) wrote :

I thought we do validate maas and openstack now when the credential is added with a test ping command. I'm not sure about the idea of a credential being added before the cloud is known as I think that currently errors since the cloud is require during add-credential?

Revision history for this message
Anastasia (anastasia-macmood) wrote :

MAAS and openstack endpoints are validated during cloud addition via Ping.

We could add validation to add-credential trying to connect to a desired cloud. At the moment, all validation of credential on the provider side is done via trying to list available, known instances. This logic will need to change to support validating functionality.

Another option is to add this validation to a FinalizeCredential() call that all providers that support authenticated requests provide. This method is called almost (if not always) everytime a credential is constructed.

tags: added: usability
Anastasia (anastasia-macmood)
Changed in juju:
assignee: nobody → Anastasia (anastasia-macmood)
status: Triaged → In Progress
Revision history for this message
Anastasia (anastasia-macmood) wrote :

Due to current priorities, I am not currently working on this bug, so I am un-assigning myself from it.

Changed in juju:
status: In Progress → Triaged
assignee: Anastasia (anastasia-macmood) → nobody
Ian Booth (wallyworld)
Changed in juju:
milestone: none → 2.8.1
Tim Penhey (thumper)
Changed in juju:
milestone: 2.8.1 → 2.8-next
Revision history for this message
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Medium → Low
tags: added: expirebugs-bot
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.