Password resolution in connector #1002
Merged
For both model and controller connections, accounts.yaml is required to have both username and password for connection to be established. This is not always true, for example, juju change-user-password actually removes the password from the accounts.yaml file.
cderici added the `bug fix`, `hint/2.9` (going on 2.9 branch) and `area/forward-port` (to be forward ported - remove label after port) labels on Jan 8, 2024
jack-w-shaw approved these changes on Jan 11, 2024
LGTM, QA passes
proxy=proxy, | ||
) | ||
kwargs.update(endpoint=endpoints, | ||
uuid=None, |
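Review bot: In the `kwargs.update(endpoint=endpoints, uuid=None, ...)` call, passing `uuid=None` explicitly overwrites any `uuid` the caller already placed in `kwargs`. If clearing it is intended here, a one-line comment saying why would help; if it is not, drop the key so an existing value survives the update.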
Does `None` need to be provided in `uuid`, or can it be left out?
jujubot added a commit that referenced this pull request on Jan 11, 2024

…r-connection #1003

#### Description

This is a follow up PR, includes changes from #1002. If you're reviewing this and #1002 hasn't landed yet, you might see some additional changes that'll land with #1002. We need those changes to be able to test this change.

`ControllerAPIInfoForModels` call in `update_endpoints` after a controller connection requires the `uuid` of the controller model, and if the user doesn't have at least read access, they won't be able to have that, so the `update_endpoint` call at the end of a regular connection fails.

Fixes #998

#### QA Steps

We'll need a 2.9 controller, so:

```
$ juju_29 bootstrap localhost issue998
```

Now we have the admin user on this by default, but we don't wanna use that. Let's create a new user (that doesn't have superuser so it can't read the controller model):

```sh
$ juju add-user caner
$ juju register
```

Now let's make a password for this user.

```sh
$ juju change-user-password # to be able to access the admin user later
$ juju logout
$ juju login -u caner -c issue998
$ juju change-user-password <your-password>
# This should work just fine, we're just making sure the user is ready to go.
```

Now let's spawn a pylibjuju repl to test this change with this user (that can't access the `controller` model):

Without this change, you'd see the error in #998. With this change the connection should work just fine:

```python
# cd pylibjuju directory
$ python -m asyncio
>>> from juju import controller; c=controller.Controller()
>>> await c.connect(username='caner', password=<your-password>)
>>>
exiting asyncio REPL...
# Connection works without any issues.
```

#### Notes & Discussion

JUJU-5268
cderici removed the `area/forward-port` (to be forward ported - remove label after port) label on Feb 7, 2024
jujubot added a commit that referenced this pull request on Feb 8, 2024

#1022

#### Description

This brings onto the 3.x track some of the latest fixes from the 2.9 track. Here're the details:

* Fix for #989 from #990
* Fix for #1001 from #1002
* Fix for #998 from #1003

#### QA Steps

No QA needed for #990. For 1002 and 1003 please refer to their QA steps. Though they are very related so I'd expect the QA for both of them can be done in one fell swoop.

* #1002
* #1003

All CI tests need to pass (there's still some known intermittent ones in there).
Merged
jujubot added a commit that referenced this pull request on Feb 13, 2024

#1023

## What's Changed

* Drop use of walrus operator by @freyes in #993
* No controller model access needed for connection with a non-admin user by @cderici in #1003
* Password resolution in connector by @cderici in #1002
* Remove dependency to juju-cli for controller_name by @cderici in #1009

#### Notes & Discussion

JUJU-5413
#### Description

For both model and controller connections, `accounts.yaml` is required to have both username and password for connection to be established. This is not always true, for example, juju change-user-password actually removes the password from the `accounts.yaml` file, so we pass an empty password to the connection.

This fixes #1001 by checking the credentials before trying to establish connection, and asks for whichever cred is required:

#### QA Steps

This will require a `2.9` controller, so bootstrap one.

Then check the `accounts.yaml` file to see a line like the following for the admin, make sure the password is in there:

Now go ahead and try to connect via python-libjuju repl:

Change the admin user password with `juju change-user-password`:

Go take another look at the `accounts.yaml`, the password field should've disappeared.

Without this change, you'd see the ssl error from #1001, because pylibjuju was trying to establish a connection with passing `None` as password. But with this change, first you need to see a nice error message when it fails:

Now provide your password in `connect` and it should connect just fine:

#### Notes & Discussion

JUJU-5267
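The pre-connection credential check the description refers to, sketched as an added example (this is not python-libjuju's own code). `resolve_credentials`, `MissingCredentialsError`, the controller name `issue1001` and the sample password are hypothetical, and the `accounts.yaml` layout is assumed and given as an already-parsed dict.

```python
class MissingCredentialsError(Exception):
    """Raised before any network I/O when a credential is unavailable."""

    def __init__(self, missing, controller):
        self.missing = tuple(missing)
        super().__init__(
            "cannot connect to controller %r: missing %s; pass it to connect()"
            % (controller, " and ".join(self.missing))
        )


def resolve_credentials(accounts, controller, username=None, password=None):
    """Return (username, password) or raise MissingCredentialsError.

    Explicit arguments win over the stored entry. An absent or empty
    password is an error; it is never forwarded to the connection as None.
    """
    entry = accounts.get("controllers", {}).get(controller, {})
    stored_user = entry.get("user")
    user = username or stored_user
    if password:
        secret = password
    elif user is not None and user == stored_user:
        # Choice made in this example: a stored password is reused only
        # for the user it was saved for, never for a different username.
        secret = entry.get("password")
    else:
        secret = None
    candidates = (("username", user), ("password", secret))
    missing = [name for name, value in candidates if not value]
    if missing:
        raise MissingCredentialsError(missing, controller)
    return user, secret


# Constructed sample data: the admin entry before and after
# `juju change-user-password` removed the password field.
ACCOUNTS_BEFORE = {"controllers": {"issue1001": {
    "user": "admin", "password": "s3cret-constructed"}}}
ACCOUNTS_AFTER = {"controllers": {"issue1001": {
    "user": "admin", "last-known-access": "superuser"}}}
```

With `ACCOUNTS_AFTER` and no `password` argument the call raises an error naming `password`, so the caller gets an actionable message before a connection is attempted.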