Using an external identity provider with juju controllers

martin-hilton · 29 August 2018 13:30

To setup a Juju Controller to use an external identity provider the identity provider needs to be configured at bootstrap time using the identity-url and allow-model-access settings. For example to bootstrap a controller that use the jujucharms identity provider do the following:

juju bootstrap google \
    --config identity-url=https://api.jujucharms.com/identity \
    --config allow-model-access=true

identity-url configures the URL of the external identity provider. The identity provider should be a candid server 1.

allow-model-access configures the controller to not check that a user has been explicitly added to the set of users known to the controller before checking if the user has access to a particular model.

jamesbeedy · 29 August 2018 19:58

@martin-hilton thanks for this. I’m still a little confused how I would be able grant external users access to my controller:model using jujucharms.com identity, it seems that users still need to exist locally on the controller. Possibly you have other thoughts around this?

rick_h · 29 August 2018 20:02

You have to have the local admin account. They need to be able to run the controller. You can grant users on the remote identity system with the @external suffix like you do in JAAS I believe.

jamesbeedy · 29 August 2018 20:04

ahh, so pass around the yaml config files for the admin user to users that need access (via jujucharms.com) ? that doesn’t seem right, possibly I’m hearing you wrong.

rick_h · 29 August 2018 20:10

Oh, I see. How do you get access there. Hmm, I think you’ll have to seed some info. Maybe you can try to login to the controller IP address? juju login xxxxxx ?

jamesbeedy · 29 August 2018 20:13

from another machine I try juju login

 ▶ juju login juju00.impactvi.com --debug
13:13:08 INFO  juju.cmd supercommand.go:56 running juju [2.4.2 gc go1.10]
13:13:08 DEBUG juju.cmd supercommand.go:57   args: []string{"/snap/juju/5070/bin/juju", "login", "juju00.impactvi.com", "--debug"}
13:13:08 DEBUG juju.api apiclient.go:729 looked up juju00.impactvi.com -> [52.8.51.63]
ERROR cannot log into "juju00.impactvi.com": unable to connect to API: x509: certificate signed by unknown authority
13:13:08 DEBUG cmd supercommand.go:459 error stack: 
x509: certificate signed by unknown authority
github.com/juju/juju/api/apiclient.go:896: 
github.com/juju/juju/api/apiclient.go:857: unable to connect to API
github.com/juju/juju/api/apiclient.go:753: 
github.com/juju/juju/api/apiclient.go:597: 
github.com/juju/juju/api/apiclient.go:197: 
github.com/juju/juju/cmd/juju/user/login.go:382: 
github.com/juju/juju/cmd/juju/user/login.go:318: 
github.com/juju/juju/cmd/juju/user/login.go:195: cannot log into "juju00.impactvi.com"

jamesbeedy · 29 August 2018 21:31

@martin-hilton How can I allow external users to register/ login to a controller that uses jujucharms.com for identity?

martin-hilton · 30 August 2018 14:40

@jamesbeedy You’re doing the right thing here, the problem is that your second juju doesn’t trust the certificate generated by the first one. The easiest way to make this work is to set your controller up with Let’s encrypt certificates as well. I won’t repeat all of @rick_h’s instructions 1 here, but the command line will end up something like:

$ juju bootstrap google jujushow-dns --config autocert-dns-name=show.jujugui.org \
    --config identity-url=https://api.jujucharms.com/identity \
    --config allow-model-access=true

jamesbeedy · 30 August 2018 17:07

The command I used to bootstrap:

juju bootstrap manual/myuser@juju00.example.com juju-controller-manual \
    --config identity-url=https://api.jujucharms.com/identity \
    --config allow-model-access=true \
    --config autocert-dns-name=juju00.example.com \
    --bootstrap-series bionic

@martin-hilton the issue is that I have no idea how to register and login as an external identity user to my controller.

jamesbeedy · 24 November 2018 18:55

@martin-hilton any ideas on this part of the process?

erik-lonroth · 8 January 2019 14:15

Any progress on this? I think we have a similar situation.

– Update –
We messed up for our part by not first granting access to the controller, along granting access to the desired model.

Something like below:

$ juju grant USER@global mycontroller login # Allow username login to controller
$ juju grant admin USER@global mymodel # Allow admin to model

pmatulis · 15 January 2019 19:19

I’ve also tried without success to use jujucharms.com to authenticate external users. I tried many login command permutations. The one that I was told should work was:

juju login -c <controller name>

Site jujucharms.com told me my user was logged in but the result was always:

ERROR cannot log into controller "aws-sso": invalid entity name or
password (unauthorized access)

erik-lonroth · 17 January 2019 18:49

You need to first grant login access to the controller.

Then, grant access to models.

pmatulis · 17 January 2019 19:59

My previous understanding was that controller key allow-model-access obviated the need to grant login access. After re-reading Martin’s definition above I see that I was wrong. This key bypasses a local user check when a model connection is attempted. After granting login access it worked.