feat: allow querying models owned by other users #577
Conversation
kian99
force-pushed
the
allow-access-to-shared-models
branch
from
c4df570 to
1fb3651
Compare
- Move model cache into a separate package - Rework model cache to handle multiple models with the same name but different owners - Small tweak to testAccPreCheck to use sync.Once to fix potential race condition - Add test for deploying to a model owned by a different user
kian99
force-pushed
the
allow-access-to-shared-models
branch
from
50327d1 to
2fe0d91
Compare
- add missing copyright headers - add package godoc - add --force flag to CLI logout commands
kian99
force-pushed
the
allow-access-to-shared-models
branch
from
2fe0d91 to
5c961df
Compare
| @@ -809,6 +1000,50 @@ func testAccResourceApplicationBasic_Minimal(modelName, charmName string) string | |||
| `, modelName, charmName) | |||
| } | |||
|
|
|||
| func testAccResourceApplicationWithExistingModel(appName, username, modelName string) string { | |||
There was a problem hiding this comment.
This does not test an existing model - you need to add a model data source to the plan.
There was a problem hiding this comment.
I create the model outside of Terraform for the reasons mentioned in the tests,
// We do this outside of Terraform because we don't currently support
// creating a model owned by a different user than the one making the connection.
Then test we can deploy an application into that model.
|
|
||
| resource "juju_application" "this" { | ||
| name = "{{.AppName}}" | ||
| model = "{{.Username}}/${juju_model.this.name}" |
There was a problem hiding this comment.
I'm concerned this is a step in the opposite direction from where we want to be with referencing a model inside of other resources, by using the model UUID. The idea is that if we have the model idea, no cache will be necessary.
Also, looking at this example, you've created a model XYZ for the default user, then are deploying a an application to model XYZ owned by a different user. The linkage inferred by using juju_model.this.name appears to be incorrect.
There was a problem hiding this comment.
I agree that if we don't reference models by name and rather by UUID then this problem goes away. Happy to close this PR in favour of that change but I was aiming for something that maintains backwards compatability.
Also, looking at this example, you've created a model XYZ for the default user, then are deploying a an application to model XYZ owned by a different user. The linkage inferred by using juju_model.this.name appears to be incorrect.
In this case the "different user" is the same as the "default user", we pass in "admin" who is the user making the connection. If we were to pass in a different user the test should fail with "model not found", I can add that as a test case.
I'm not sure I understand what you mean by "linkage inferred by using juju_model.this.name appears to be incorrect."?
|
Closing in favour of an approach where we use model UUIDs as reference with a possibility of maintaining backwards compatability. |
Description
This PR aims to solve #504 to handle scenarios where a user has access to multiple models with the same name.
Juju namespaces models by username, i.e. user-1 and user-2 can both have a model called "foo". Currently the provider doesn't handle such cases properly.
This PR addresses the issue by:
<model-name>or<model-owner>/<model-name>. This keeps backwards compatibility with the existing provider semantics.Consider a scenario where a user-1 creates a model and grants user-2 with admin access to that model. User-2 can now write "user-1/model-name" in their plan to reference user-1's model. This is mainly useful when you are not creating the model in your plan, just referencing one that already exists. See "Additional notes" below for the scenario where the plan uses a reference to a model rather than hardcoding strings.
The concrete changes implemented:
Fixes: #504, CSS-10769
Type of change
QA steps
The change allows for the following TF plan. Assuming you are the admin user on the controller,
If you have access to 2 models called
testyou can specify the model by switching the model owner fromadmin.Additional notes
I am still looking at how best to update the documentation.
There is 1 scenario worth mentioning:
juju_model.model-name.name, the model name does not contain the owner. If the Juju user has access to 2 models with this name, there will be an error returned to the user. The fix for this would be to do something like"<username>/${juju_model.this.name}"in your plan as is done in the tests.There are two acceptance tests for the new behaviour.