I think all of the above items are relevant and interesting ways of expanding on juju actions.
As we are using “jimm” today, users are slowly discovering the powerful ability to “share” models.
It looks like this when Adam and Erik are developing a charm for example or managing a service:
=== Conversation ====
[Adam] - Hey, Erik, I have a problem in my model, I cant figure it out - can you help me?
[Erik] - Sure, can you grant me access to the model?
[Adam] - Yeah, sec I’ll grant you admin.
juju grant ERIK@scania adams-model-99 admin
[Erik] - Thanx, I’ll look.
$ juju models
Controller: jimm.scania.com
Model Cloud/Region Type Status Machines Cores Access Last connection
ADAM@scania/adams-model-99 vsphere-cloud/sweden-region-1 vsphere available 3 0 admin never connected
eriks-model-1 maas-cloud/sweden-region-1 maas available 5 0 write never connected
[ Erik ] - Thanx Adam, I’ll help you.
juju switch ADAM@scania/adams-model-99
juju add-ssh-key "$(cat ~/.ssh/id_rsa.pub)"
juju ssh 0
...
...
...
exit
[Adam] - Thanx Erik, I’ll remove your access so you don’t have to see it any more!
juju revoke ERIK@scania admin adams-model-99
=======
The above scenario is a good example for admins of models, but introduce the security issue that Erik will be now allowed to SSH into the machine to perform arbitrary commands as root and could also at that point install whatever keys to bypass subsequent “juju revoke”. Erik will in effect be able to get full control over the node without Adam be able to prevent that.
This second scenario below, is what we are exploring now which is alot better for operators which should not be allowed access to our servers via SSH:
Adam : Is the admin of a Nextcloud cluster with access to ssh login etc.
David the Operator : Is a remote contractor which should have no access to the Nextcloud instance since it contains private or sensitive data which David should have no access to, e.g. no SSH access at all. David should however be able to help out with some predefined tasks (juju actions).
====== Conversation =======
[Adam] - Hey, David the Operator, can you register a ERIK as admin-user in our Nextcloud test instance?
[David the Operator] - Sure, which model?
[Adam] - Its in the juju model ADAM@scania/nextcloud-test
[David the Operator] - I’ll do it now. My operator username is DAVID@scania (attached to Candid + Active Directory)
[Adam] - Great, I’ll give you access to the model, please go ahead and make ERIK administrator with the register-admin action.
juju grant DAVID@scania nextcloud-test write
[David the Operator]
I’ll go ahead with that now.
juju switch ADAM@scania/nextcloud-test
juju run-action nextcloud-admin/0 register-admin username=ERIK
[David the Operator] The action went well, I’m all done.
[Adam] Thanx David, I’ll revoke your access to the model now. Thanx for your help.
juju revoke DAVID@scania read nextcloud-test
====
While this prevents David from installing any SSH-keys or logging in, the granularity of access to actions is too low.
I would love to be able to do something like:
juju grant DAVID@scania --unit nextcloud/0 action=register-admin
or addressing “general” access to actions.
juju grant everyone --unit nextcloud/0 actions
or …
juju grant everyone --application nextcloud actions
… something like the above.