JAAS Overview

What is JAAS?

To detail what JAAS is, let’s look at what JAAS provides:

  • JAAS provides a single location to manage your Juju infrastructure by using the Dashboard or using the same Juju CLI commands to create a high-level overview of your deployments with the ability to drill into the details when you need it.

  • JAAS is useful for organisations running their own Juju infrastructure giving them a single point of contact for their entire real estate and, in combination with the Juju Dashboard, giving them a clear overview of their infrastructure.

  • JAAS enables site reliability engineers and developers to access models via identities from an external IdP and is not limited to local users.

  • JAAS enables site reliability engineers and developers to manage access control across all of their controllers, models, applications and application offers from a single place, as opposed to having to go through each Juju controller manually and updating permissions specifically for individual local users on each controller.

  • As JAAS provides a single point of contact for customers entire real estate, automation is substantially easier, automation need only perform actions through JAAS and not consult each controller individually.

  • JAAS can query across multiple models at once, giving deeper insights into your estate.

JAAS Components

The diagram below shows an overall picture of JAAS architecture.

../../_images/jaas.png

JAAS consists of the following components:

  • Juju Intelligent Model Manager (JIMM)

  • ReBAC authorisation (OpenFGA)

  • Database (PostgreSQL)

  • Secure storage (Vault)

JIMM is an API server that implements a number of Juju facades (i.e. endpoints) and behaves as a Juju Controller, which under the hood proxies operations to underlying controllers. This enables other tools, like the Juju Dashboard or Juju CLI, that communicate with a Juju Controller to work seamlessly with JIMM.

For authentication of users or service accounts, JAAS requires an OIDC Provider (Hydra) that handles the standard OAuth2.0 flows including browser flow, device flow, and client credentials.

For more information on the architecture on JAAS and its scalability, check out our architecture doc.