How to secure juju command?

I have updated my server's Ubuntu OS to version 20.04 and am now encountering the following error when using juju with sudo:

ERROR cannot acquire lock file to get the current controller name: unable to open /tmp/juju-store-lock-X: permission denied

Removing the file does not help, as it is regenerated every time.

It worked on Ubuntu version 18.04, and I assumed requiring superuser privileges for the command was the standard procedure.

However, running it without sudo works. This seems counterintuitive to me since the juju command is very powerful and not even restricting it to superusers seems hazardous. Is there a good way to restrict access to the juju command?

You’re right that Juju is very powerful! But, perhaps counter-intuitively, the user account that is interacting with the juju executable does not directly affect the user account that is interacting with machines/applications.

Juju has its own user account system. Commands that users may run are able to be restricted by the Juju administrator.

The user account on the machine you’re running juju commands for does not exist on other machines. When you run juju commands, you interact with a Juju controller that is delegated with the responsibility to act on your behalf.

The Juju controller will restrict itself to the commands that the user is entitled to.

Once a controller is created with juju bootstrap, you have a few commands available to you:

  • juju add-user
  • juju grant can control whether user accounts can access or modify a given model
  • juju disable-command to prevent a user account from executing particular commands, and its reverse juju enable-command
  • juju enable-destroy-controller has the effect of re-enabling all commands

Permissions are specific to models. If your org requires teams to not interfere with each other, then you should create a model for each team and make use of cross-model relations.

A nice side effect of this system is that accounts are portable. The output of the add-user command can be sent to someone (by email perhaps) then used by the juju register command to allow that person to log in.

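The per-team workflow described in the answer above, as an added example that is not part of the original post or of the Juju project's own tooling. It assumes a controller has already been bootstrapped and that the admin supplies a cloud name; the team name, user name and cloud used here are hypothetical. The Juju commands it invokes (add-model, add-user, grant, disable-command) are real CLI commands; with DRY_RUN=1 (the default) they are recorded rather than executed, so the script can be exercised without a controller.

```shell
#!/bin/sh
# Added example; not from the post above or from the Juju project.
# Assumes an already bootstrapped controller (`juju bootstrap`) and a cloud
# name supplied by the admin. Team and user names are hypothetical.
# With DRY_RUN=1 (the default) the juju commands are recorded, not executed,
# so the script can be run on a machine without a controller.

DRY_RUN="${DRY_RUN:-1}"
RECORDED=""

# run: execute a command, or in dry-run mode append it to RECORDED.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    RECORDED="${RECORDED}$*
"
  else
    "$@"
  fi
}

# onboard_team TEAM USER CLOUD
# Give TEAM its own model on CLOUD and let USER deploy into it, while
# blocking model destruction so a slip on a client machine cannot wipe it.
onboard_team() {
  team="$1"; user="$2"; cloud="$3"
  # One model per team: Juju permissions are scoped to models.
  run juju add-model "$team" "$cloud"
  # Create the Juju user; the real command prints a string for `juju register`.
  run juju add-user "$user"
  # write: can deploy, relate and configure in this model; admin is needed
  # to destroy it, and that is not granted here.
  run juju grant "$user" write "$team"
  # Block destroy-model on this model for everyone until enable-command.
  run juju disable-command -m "$team" destroy-model
}

# recorded_count: number of juju invocations recorded in dry-run mode.
recorded_count() {
  printf '%s' "$RECORDED" | grep -c '^juju '
}

# recorded_has PATTERN: succeed if a recorded command matches PATTERN.
recorded_has() {
  printf '%s' "$RECORDED" | grep -q "$1"
}

# Usage: DRY_RUN=0 sh onboard.sh analytics alice localhost
if [ $# -ge 3 ]; then
  onboard_team "$@"
  printf '%s' "$RECORDED"
fi
```

Run it with DRY_RUN=0 on the admin's client machine (as an ordinary user, since the controller, not the local account, decides what is permitted). The registration string printed by `juju add-user` is what gets handed to the team member for `juju register`; `juju enable-command -m <team> destroy-model` lifts the block when the model really is to be torn down.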