Bootstrap Admin Permissions¶
The following document will show you how to add permissions for an initial admin user to your JAAS environment.
Prerequisites¶
For this how-to you will need the following:
A basic understanding of JAAS tags, see our explanation doc.
A running JAAS environment, see our tutorial.
An understanding of Juju permissions, see the Juju docs.
Creating an admin user¶
In order to create an initial admin user we must use the config option controller-admins
.
The format for controller-admins
is a space separated list of email addresses or service accounts. This means
that entries can be of the form name@domain.com
or client-id@serviceaccount
.
Run the following command replacing the contents with your email address to configure your user as a JIMM admin.
juju config jimm controller-admins="[email protected]"
Hint
See also: Charmhub | juju-jimm-k8s > Configurations > controller-admin.
Now you can verify that you have admin access to JIMM using jimmctl
.
If you do not have jimmctl
installed, you can do so with the following command:
sudo snap install jimmctl --channel=3/stable
The following commands are particularly useful for interacting with controllers.
jimmctl controllers
jimmctl audit-events
In a fresh setup, the first should return an empty list, showing that no controllers have been added to JIMM.
The second command returns a list of audited events that JIMM has recorded. More information on JIMM’s audit log feature is available at the following page.
Granting permissions¶
As a JIMM admin, you are automatically an administrator of all controllers and models on those controllers.
Permissions to resources can now be handled in one of two ways.
Through
juju
All Juju permission related commands are valid with JIMM. This is the expected approach for all users to manage permissions to resources they own.
The following example will create a model and grant a fictional user read access to the model.
juju add-model permission-test
juju grant [email protected] read permission-test
This allows user foo@canonical.com
to see your model provided they have logged into JIMM.
Using
jimmctl
Admins of JIMM can use jimmctl
to view permissions on a more granular level and perform group management.
# View all relations
jimmctl auth relation list
# Check if a user has access to a resource
jimmctl auth relation check [email protected] administrator controller-jimm
# Add a group
jimmctl auth group add my-group
# Add user to a group
jimmctl auth relation add [email protected] member group-my-group
# View members of a group
jimmctl auth relation list --target group-my-group
The purpose of the prefixes user-
and group-
is to distinguish the type of the object.
More information is available in our doc on JAAS tags
And more information on group management is available in our group and access management tutorial.