How to manage users

See also: User

Add a user

If you’re the controller creator:
Juju has already set up a user for you. Your username is admin and your access level is that of controller superuser. Run juju logout to be prompted to set up a password. Use juju change-user-password to set the password.

To add a user to a controller, run the add-user command followed by the username you want to assign to this user. For example:

juju add-user alex

This will create a user with username ‘alex’ and a controller login access level.

See more: User access levels

It will also print a line of code that you must give this user to run using their Juju client – this will register the controller with their client and also prompt them to set up a password for the user.


Example user setup

Admin adding a new user ‘alex’ to the controller:

# Add a user named `alex`:
$ juju add-user alex
User "alex" added
Please send this command to alex:
    juju register MFUTBGFsZXgwFRMTMTAuMTM2LjEzNi4xOToxNzA3MAQghBj6RLW5VgmCSWsAesRm5unETluNu1-FczN9oVfNGuYTFGxvY2FsaG9zdC1jb250cm9sbGVy

"alex" has not been granted access to any models. You can use "juju grant" to grant access.

New user ‘alex’ accessing the controller:

$ juju register MFUTBGFsZXgwFRMTMTAuMTM2LjEzNi4xOToxNzA3MAQghBj6RLW5VgmCSWsAesRm5unETluNu1-FczN9oVfNGuYTFGxvY2FsaG9zdC1jb250cm9sbGVy
Enter a new password: ********
Confirm password: ********
Enter a name for this controller [localhost-controller]: localhost-controller
Initial password successfully set for alex.

Welcome, alex. You are now logged into "localhost-controller".

There are no models available. You can add models with
"juju add-model", or you can ask an administrator or owner
of a model to grant access to that model with "juju grant".


Controller registration (and any other Juju operation that involves communication between a client and a controller) requires that the client be able to contact the controller over the network on TCP port 17070. In particular, if using an LXD-based cloud, network routes need to be in place (i.e. to contact the controller LXD container the client traffic must be routed through the LXD host).

See more: juju add-user, How to register a private controller
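The string printed by juju add-user is not opaque. As an added example (not part of the Juju documentation or client), the code below decodes the registration string from the session above as base64url-encoded ASN.1 DER and shows that it carries the username, the controller address, a 32-byte secret and the controller name, which is why it should reach the new user only over a confidential channel. The dictionary key names are labels chosen for this example.

```python
import base64

# Registration string copied from the example session on this page.
TOKEN = ("MFUTBGFsZXgwFRMTMTAuMTM2LjEzNi4xOToxNzA3MAQghBj6RLW5VgmCSWsAesRm5unE"
         "TluNu1-FczN9oVfNGuYTFGxvY2FsaG9zdC1jb250cm9sbGVy")

SEQUENCE, OCTET_STRING = 0x30, 0x04

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def read_all(buf):
    """Split a DER body into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items

def decode_registration(token):
    """Decode a `juju register` string into the fields it carries."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    tag, body, end = read_tlv(raw, 0)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("expected a single DER SEQUENCE")
    fields = read_all(body)
    if len(fields) < 4 or fields[1][0] != SEQUENCE or fields[2][0] != OCTET_STRING:
        raise ValueError("unexpected field layout")
    return {  # key names are labels chosen for this example
        "user": fields[0][1].decode(),
        "addrs": [value.decode() for _, value in read_all(fields[1][1])],
        "secret_key": fields[2][1],
        "controller_name": fields[3][1].decode(),
    }

if __name__ == "__main__":
    info = decode_registration(TOKEN)
    print(info["user"], info["addrs"], info["controller_name"])
    print("embedded secret:", len(info["secret_key"]), "bytes")
```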

To add a user to a controller, in your Terraform plan add a juju_user resource, specifying a label, a name, and a password. For example:

resource "juju_user" "alex" {
  name     = "alex"
  # Placeholder value: a literal here is stored in plaintext in this file and in Terraform state.
  password = "alexsupersecretpassword"
}

See more: juju_user (resource)

To add a user to a controller, on a connected Controller object, use the add_user() method.

await my_controller.add_user("alex")

See more: add_user()

View all the known users

To view a list of all the users known (i.e., allowed to log in) to the current controller, run the users command:

juju users

The command also has flags that will allow you to specify a different controller, an output file, an output format, whether to print the full timestamp for connection times, etc.

See more: juju users

The terraform juju client does not support this. Please use the juju client.

To view a list of all the users known (i.e., allowed to log in) to a controller, on a connected Controller object, use the get_users() method.

await my_controller.get_users()

See more: get_users()

View details about a user

To view details about a specific user, run the show-user command followed by the name of the user. For example:

juju show-user alice

This will display the user’s username, display name (if available), access level, creation date, and last connection time, in a YAML format.


Sample output for user 'admin':
user-name: admin
display-name: admin
access: superuser
date-created: 8 minutes ago
last-connection: just now

See more: juju show-user

The terraform juju client does not support this. Please use the juju client.

To view details about a specific user, on a connected Controller, use the get_user() method to retrieve a User object that encapsulates everything about that user. Using that object, you can access all the details (via the object properties) for that user.

user_object = await my_controller.get_user("alice")
# Then we can access all the properties to view details
print(user_object.display_name)
print(user_object.access)
print(user_object.date_created)
print(user_object.last_connection)

See more: get_user(), User (module)

View details about the current user

To see details about the current user, run the whoami command:

juju whoami

This will print the current controller, model, and user username.


Sample output:
Controller:  microk8s-controller
Model:       <no-current-model>
User:        admin

See more: juju whoami

The terraform juju client does not support this. Please use the juju client.

To see details about the current user, on a connected Controller, use the get_current_user() method to retrieve a User object that encapsulates everything about the current user. Using that object, you can access all the details (via the object properties) for that user.

user_object = await my_controller.get_current_user()
# Then we can access all the properties to view details
print(user_object.display_name)
print(user_object.access)
print(user_object.date_created)
print(user_object.last_connection)

See more: get_current_user(), User (module)

Manage a user’s access level

See also: User access levels

The procedure for controlling a user’s access level depends on whether you want to manage access at the controller, model, application, or application offer level, or at the cloud level.

This division doesn’t currently align perfectly with the scope hierarchy, which is rather controller > cloud > model > application > offer (because the cloud scope is designed as a restriction on the controller scope for cases where multiple clouds are managed via the same controller).

Manage user access at the controller, model, application, or offer level

Grant access. To grant a user access at the controller, model, application, or offer level, run the grant command, specifying the user, applicable desired access level, and the target controller, model, application, or offer. For example:

juju grant jim write mymodel

The command also has a flag that allows you to specify a different controller to operate in.

See more: juju grant

Revoke access. To revoke a user’s access at the controller, model, application, or offer level, run the revoke command, specifying the user, access level to be revoked, and the controller, model, application, or offer to be revoked from. For example:

juju revoke joe read mymodel

The command also has a flag that allows you to specify a different controller to operate in.

See more: juju revoke

Manage user access at the cloud level

Grant access. To grant a user access at the cloud level, run the grant-cloud command followed by the name of the user, the access level, and the name of the cloud. For example:

juju grant-cloud joe add-model fluffy

See more: juju grant-cloud

Revoke access. To revoke a user’s access at the cloud level, run the revoke-cloud command followed by the name of the user, the access level to be revoked, and the name of the cloud. For example:

juju revoke-cloud joe add-model fluffy

See more: juju revoke-cloud

With the terraform juju client you can manage user access only at the model level; for anything else, please use the juju client.

To grant a user access to a model, in your Terraform plan add a juju_access_model resource, specifying the model, the access level, and the user(s) to which you want to grant access. For example:

resource "juju_access_model" "this" {
  model  = juju_model.dev.name
  access = "write"
  users  = [juju_user.dev.name, juju_user.qa.name]
}

See more: juju_access_model

To manage a user’s access to a controller, a model, or an offer, on a User object, use the grant() and revoke() methods to grant or revoke a certain access level to a user.

# grant superuser access to the controller (that the user is on)
await user_object.grant('superuser')

# grant the user read access to a model
await user_object.grant("read", model_name="test-model")

# revoke ‘read’ (and ‘write’) access from user for application offer ‘fred/prod.hosted-mysql’:
await user_object.revoke("read", offer_url="fred/prod.hosted-mysql")

See more: grant(), revoke(), User (module)

Manage a user’s login details

Set a password. The procedure for how to set a password depends on whether you are the controller creator or rather some other user.

  • To set a password as a controller creator user (‘admin’), run the change-user-password command, optionally followed by your username, ‘admin’.

juju change-user-password

This will prompt you to type, and then re-type, your desired password.

See more: juju change-user-password

  • To set a password as a non-controller-creator user, follow the prompt you get when registering the controller via the register command.

See more: How to register a controller

Change a password. To change the current user’s password, run the change-user-password command:

juju change-user-password 

This will prompt you to type, and then re-type, your desired password.

The command also allows an optional username argument, and flags, allowing an admin to change / reset the password for another user.

See more: juju change-user-password

To set or change a user’s password, in your Terraform plan, in the relevant juju_user resource definition, change the password attribute to the desired value. For example:

resource "juju_user" "alex" {
  name     = "alex"
  password = "alexnewsupersecretpassword"
}

See more: juju_user

To set or change a user’s password, on a User object, use the set_password() method.

await user_object.set_password('123')

See more: set_password(), User (module)

Manage a user’s login status

Log in.

If you’re the controller creator:
You’ve already been logged in as the admin user. To verify, run juju whoami or juju show-user admin; to set a password, run juju change-user-password; to log out, run juju logout.

If you’ve just registered an external controller with your client (via juju register):
You’re already logged in. Run juju whoami or juju show-user <username> to view your user details.

To log in as a user on the current controller, run the login command, using the -u flag to specify the user you want to log in as. For example:

juju login -u alice

This will prompt you to enter the password.

The command also has flags that allow you to specify a controller, etc.

See more: juju login

Log out.

If you’re the controller creator, and you haven’t set a password yet:
You will be prompted to set a password. Make sure to set it before logging out.

To log a user out of the current controller, run the logout command:

juju logout

See more: juju logout

The terraform juju client does not support this. Please use the juju client.

The python-libjuju client does not currently support this. Please use the juju client.

Manage a user’s enabled status

To disable a user on the current controller, run the disable-user command followed by the name of the user. For example:

juju disable-user mike

See more: juju disable-user

To view disabled users in the output of juju users: Use the --all flag.

To re-enable a disabled user on a controller, run the enable-user command followed by the name of the user. For example:

juju enable-user mike

See more: juju enable-user

The terraform juju client does not support this. Please use the juju client.

To enable or disable a user, on a User object, use the enable() and disable() methods.

await user_object.enable()

await user_object.disable()

You can also check if a user is enabled or disabled using the enabled and disabled properties on the User object.

# re-enable a disabled user
if user_object.disabled:
    await user_object.enable()

See more: enable(), disable(), User (module)
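An access review built on the user listing, as an added example (not part of the Juju documentation or its clients): it reads JSON in the shape of juju users --all --format json and sorts users into unexpected superusers, accounts that never completed registration, and disabled accounts. The sample data is constructed; the disabled key and the "never connected" marker are assumptions about the JSON output, and expected_superusers is a hypothetical allow-list.

```python
import json

# Constructed sample in the shape of `juju users --all --format json`; the keys
# mirror the show-user fields on this page, and "disabled" is an assumption.
SAMPLE = """[
  {"user-name": "admin", "display-name": "admin", "access": "superuser",
   "date-created": "8 minutes ago", "last-connection": "just now"},
  {"user-name": "alex", "access": "login",
   "date-created": "5 minutes ago", "last-connection": "never connected"},
  {"user-name": "jim", "access": "superuser",
   "date-created": "2 days ago", "last-connection": "3 hours ago"},
  {"user-name": "mike", "access": "login", "disabled": true,
   "date-created": "3 weeks ago", "last-connection": "2 weeks ago"}
]"""

def review_users(users_json, expected_superusers=("admin",)):
    """Sort controller users into the buckets an access review cares about."""
    findings = {"unexpected_superuser": [], "pending_registration": [], "disabled": []}
    for user in json.loads(users_json):
        name = user["user-name"]
        if user.get("disabled", False):
            # Already disabled: listed so the reviewer can decide on removal.
            findings["disabled"].append(name)
            continue
        if user.get("access") == "superuser" and name not in expected_superusers:
            findings["unexpected_superuser"].append(name)
        if user.get("last-connection") == "never connected":
            # Assumed marker for a user who has not yet run `juju register`.
            findings["pending_registration"].append(name)
    return findings

if __name__ == "__main__":
    for bucket, names in review_users(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```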

Remove a user

To remove a user from the current controller, run the remove-user command followed by the name of the user. For example:

juju remove-user bob

This will prompt you to confirm, and then proceed to remove.

The command also has flags that allow you to specify a different controller, skip the confirmation, etc.

See more: juju remove-user

To remove a user, in your Terraform plan remove its resource definition.

See more: juju_user (resource)

To remove a user, on a connected Controller object, use the remove_user() method.

await my_controller.remove_user("bob")

See more: remove_user(), User (module)


Contributors: @cderici, @hmlanigan, @pedroleaoc, @pmatulis, @timclicks, @tmihoc

I would love to request a permission level of status in addition to the current read, write, and admin permissions. A status level permission would be able to see the status of the cluster without being able to read the configuration of the state of the model. This would be beneficial in environments where I’d wish a user to see the relations of the charms and the status of the applications without having to be able to see configuration data which could contain secrets/keys private to those applications. If the user can SEE the config, in many cases they can also access the underlying applications and change them. If there was a status only permission, juju could manage that API. I’m not familiar with the UAC on the juju api – so I’d be happy with some kind of admin managed permissions of groups/users and permissions to certain APIs.

Link to Bug

Hi,

The last couple of links (Multi-user basic setup, Multi-user external setup) are broken. They point to [1] and [2].

  1. https://juju.is/t/multi-user-basic-setup-tutorial/1195
  2. https://juju.is/t/multi-user-external-setup-tutorial/1196