macaroon auth can fail to set username properly

Bug #1891422 reported by Ian Booth
Affects: Canonical Juju
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Juju supports 3 ways of logging in:
- username / password
- username / macaroon
- interactive macaroon

In the first 2 cases, the user name is recorded locally in the accounts.yaml file and passed to the Login() request.

In the latter case, used for JAAS controllers with SSO, no username is needed up front - the macaroon obtained from SSO contains the necessary first-party caveat. But Juju is not then passing this username to the final Login() request, so Juju interprets it as an anonymous login and access to models etc. is restricted.

To reproduce, log out of all controllers and then:

juju status -m canonical-jimm.jujucharms.com:<model>

where <model> is a model you have access to.

The work around for now is to log in first:

juju login canonical-jimm.jujucharms.com

Ian Booth (wallyworld)
summary: - acaroon auth can fail to set username properly
+ macaroon auth can fail to set username properly
Ian Booth (wallyworld) wrote:

Looking into this further, I am not yet sure if there's a bug or not.

If the login macaroon has the username as a first party caveat, which it will do after SSO, then the Juju controller seems to extract the user name from there, rather than an explicit login arg.

I can't test fully against canonical-jimm.jujucharms.com until the jimm-admin utility is fixed to allow my user to be granted read access to a model. Testing without access to a model seems to result in a "no models for you" error, which is expected.
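The username-from-caveat behaviour described in this comment, as an added illustration that is not Juju's or JIMM's own code: it assumes the macaroon-bakery convention of a first-party "declared <key> <value>" caveat and a "username" key, and shows why a Login() request with no explicit username still resolves to an identity when that caveat is present, and falls back to anonymous when it is not.

```go
package main

import "strings"

// Caveat is a simplified macaroon caveat for this illustration: a condition
// string plus a third-party location, which is empty for first-party caveats.
type Caveat struct {
	Condition string
	Location  string // empty means first-party
}

// inferDeclared follows the bakery convention "declared <key> <value>": it
// collects declarations from first-party caveats and drops any key that is
// declared twice with different values, so a conflicting macaroon declares nothing.
func inferDeclared(caveats []Caveat) map[string]string {
	declared := map[string]string{}
	conflicting := map[string]bool{}
	for _, cav := range caveats {
		if cav.Location != "" {
			continue // third-party caveat, not a declaration
		}
		parts := strings.SplitN(cav.Condition, " ", 3)
		if len(parts) != 3 || parts[0] != "declared" {
			continue
		}
		if prev, ok := declared[parts[1]]; ok && prev != parts[2] {
			conflicting[parts[1]] = true
		}
		declared[parts[1]] = parts[2]
	}
	for key := range conflicting {
		delete(declared, key)
	}
	return declared
}

// resolveLoginUser decides which identity a Login() request carries (assumed
// precedence): an explicit username wins, otherwise the username declared in the
// macaroon is used, otherwise the login is anonymous and model access is restricted.
func resolveLoginUser(requestUser string, caveats []Caveat) (user string, anonymous bool) {
	if requestUser != "" {
		return requestUser, false
	}
	if u, ok := inferDeclared(caveats)["username"]; ok {
		return u, false
	}
	return "", true
}
```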

Ian Booth (wallyworld) wrote:

This is looking like a JIMM bug. I tested with a stand-alone 2.8 controller like so:

1. bootstrap a controller using SSO as the identity manager

juju bootstrap lxd --config identity-url=https://api.jujucharms.com/identity --config identity-public-key=hmHaPgCC1UfuhYHUSX5+aihSAZesqpVdjRv0mgfIwjo= test

2. grant access to the model "admin/default" to wallyworld@external

juju grant everyone@external login
juju grant wallyworld@external read default

3. from a different machine, run status on the model.
copy just the controller.yaml from the original bootstrap client and nothing else
(so no models or account details are present)

juju status -m test:admin/default
Opening an authorization web page in your browser.
If it does not open, please open this URL:
https://api.jujucharms.com/identity/login?did=1b8d0da3614cd71fb1c66ebd80c448f99da6bc4d70e70940c8c08be22fc88016
Opening in existing browser session.

<snip>

---

So a single controller handles macaroon auth to an external identity provider starting from having no existing user details or model info cached locally.

The same workflow seems to fail on a JAAS controller where the Login() and model redirect goes via JIMM.

Changed in juju:
milestone: 2.8.2 → 2.8.3
Pen Gale (pengale)
Changed in juju:
milestone: 2.8.4 → 2.9-beta1
Changed in juju:
milestone: 2.9-beta1 → 2.9-rc1
Pen Gale (pengale)
Changed in juju:
importance: High → Medium
milestone: 2.9-rc1 → none
importance: Medium → Low
Canonical Juju QA Bot (juju-qa-bot) wrote:

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

tags: added: expirebugs-bot