Juju migrate failed with "permission denied"

Bug #2040138 reported by Bui Hong Ha
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Fix Committed | High | Ian Booth |

Bug Description

I bootstrapped 2 Juju controllers, versions 2.9.45 and 3.1.6, with candid as the identity backend. On the candid side, I use the static identity provider (username / password) as documented at https://github.com/canonical/candid/blob/master/docs/configuration.md.

I granted my telescreen@external account superuser privilege on the juju3 side, while granting login/add-model on the juju2 side.

$ juju controllers
Use --refresh option with this command to see the latest information.

Controller Model User Access Cloud/Region Models Nodes HA Version
juju2* test telescreen@external login stsstack/stsstack 1 1 none 2.9.45
juju3 admin/controller telescreen@external superuser - 1 none 3.1.6

$ juju models
Controller: juju2

Model Cloud/Region Type Status Access Last connection
test* stsstack/stsstack openstack available - never connected

$ juju show-model test
test:
  name: telescreen@external/test
  short-name: test
  model-uuid: c232e506-57dc-4e8b-8111-1cd62ad9d951
  model-type: iaas
  controller-uuid: 0a2287d9-0aa4-4f18-802e-817b70113478
  controller-name: juju2
  is-controller: false
  owner: telescreen@external
  cloud: stsstack
  region: stsstack
  type: openstack
  life: alive
  status:
    current: available
    since: 33 minutes ago
  users:
    telescreen@external:
      display-name: telescreen
      access: admin
      last-connection: never connected
  sla: unsupported
  agent-version: 2.9.45
  credential:
    name: telescreen@external
    owner: telescreen@external
    cloud: stsstack
    validity-check: valid
  supported-features:
  - name: juju
    description: the version of Juju used by the model
    version: 2.9.45

As the show-model output shows, I have admin access to the test model and admin privilege on the juju3 controller side. Yet juju always shows "permission denied" when I try to migrate the test model.

$ juju migrate test juju3
ERROR permission denied (unauthorized access)
$
$ juju migrate telescreen@external/test juju3
ERROR permission denied (unauthorized access)

Tags: sts
Bui Hong Ha (telescreen) wrote :

I attached juju controllers machine-0.log

Bui Hong Ha (telescreen) wrote :

Juju3 controller machine-0.log

Ian Booth (wallyworld) wrote :

Testing this scenario, I am logged into both controllers as a candid user, e.g. someone@external.
Trying to migrate a model:

$ juju migrate foo test
ERROR connect to target controller: invalid request - expected local user (unauthorized access)

The source controller tries to connect to the target controller to do the migration prechecks and fails because the target controller is attempting to only authenticate a local (non-candid) user for some reason.

I tried again, this time as the original local "admin" user and got the same error.

So it does seem there's an issue migrating models owned by external/candid users.

Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 3.1.7
Ian Booth (wallyworld) wrote :

The issue is a bug from 2016 when model migrations were first implemented - non-local users (those managed by an external identity service) were not catered for properly.

Changed in juju:
assignee: nobody → Ian Booth (wallyworld)
status: Triaged → In Progress
Ian Booth (wallyworld)
Changed in juju:
milestone: 3.1.7 → 2.9.46
Ian Booth (wallyworld) wrote :
Changed in juju:
status: In Progress → Fix Committed