jaas plugin
jaas add-cloud
Summary
Add cloud to specific controller in jimm
Usage
jaas add-cloud [options] <controller_name> <cloud_name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | The path to the cloud’s definition file. |
| | false | Forces the cloud to be added to the controller |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju add-cloud mycontroller mycloud
juju add-cloud mycontroller mycloud --cloud=./cloud-definition.yaml
Details
Adds the specified cloud to a specific controller on JIMM.
One can specify a cloud definition via a YAML file passed with the --cloud flag. If the flag is missing, the command will assume the cloud definition is already known and will error otherwise.
jaas add-group
Summary
Add group to jimm.
Usage
jaas add-group [options] <name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju add-group
Details
Adds a group.
jaas add-permission
Summary
Add relation to JIMM.
Usage
jaas add-permission [options] <object> <relation> <target_object>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | file location of JSON encoded tuples |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju add-permission [email protected] member group-mygroup
juju add-permission group-MyTeam#member admin model-mymodel
juju add-permission -f /path/to/file.yaml
Details
Grants access to a resource.
This command works at a low level, and commands like ‘juju grant’ should be preferred in most cases.
Permissions in JIMM consist of an object, a relation and a target object. These are used to define access control between resources.
The object and target object must be of the form <tag>-<objectname> or <tag>-<object-uuid>, e.g. “user-Alice” or “controller-MyController”.
-f Read from a file, where filename is the location of a JSON encoded file of the form:
    [
      { "object": "user-mike", "relation": "member", "target_object": "group-yellow" },
      { "object": "user-alice", "relation": "member", "target_object": "group-yellow" }
    ]
Certain constraints apply when creating/removing permissions, namely:
Object may be one of:
user tag = "user-<name>"
group tag = "group-<name>"
controller tag = "controller-<name>"
model tag = "model-<name>"
application offer tag = "offer-<name>"
If target_object is a group, the relation can only be:
member
If target_object is a controller, the relation can be one of:
loginer
administrator
If target_object is a model, the relation can be one of:
reader
writer
administrator
If target_object is an application offer, the relation can be one of:
reader
consumer
administrator
Additionally, if the object is a group, a userset can be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:
group-TeamA#member administrator controller-MyController
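A pre-flight check for a tuple file passed with -f, written as an added example (it is not part of JIMM or the jaas plugin). It encodes only the tag kinds and relation constraints listed above, so tuples a given JIMM release accepts beyond that list are reported too; the function names and the sample input are constructed for illustration.

```python
import json

# Relations the page allows for each kind of target_object.
ALLOWED_RELATIONS = {
    "group": {"member"},
    "controller": {"loginer", "administrator"},
    "model": {"reader", "writer", "administrator"},
    "offer": {"reader", "consumer", "administrator"},
}
# Tag kinds the page lists for the object side of a tuple.
OBJECT_KINDS = {"user", "group", "controller", "model", "offer"}
REQUIRED_KEYS = {"object", "relation", "target_object"}


def parse_tag(tag):
    """Split '<kind>-<name>' or '<kind>-<name>#<userset>' into (kind, userset)."""
    body, _, userset = tag.partition("#")
    kind, sep, name = body.partition("-")  # names may themselves contain '-'
    if not (kind and sep and name):
        raise ValueError(f"{tag!r} is not of the form <tag>-<name>")
    return kind, userset


def check_tuple(entry):
    """Return the list of problems in one permission tuple (empty if none)."""
    if not isinstance(entry, dict) or set(entry) != REQUIRED_KEYS:
        return ["entry must have exactly the keys object, relation, target_object"]
    if not all(isinstance(v, str) for v in entry.values()):
        return ["object, relation and target_object must all be strings"]
    problems = []
    try:
        kind, userset = parse_tag(entry["object"])
        if kind not in OBJECT_KINDS:
            problems.append(f"unknown object kind {kind!r}")
        elif userset and (kind, userset) != ("group", "member"):
            problems.append("only a group object may carry the #member userset")
    except ValueError as err:
        problems.append(str(err))
    try:
        kind, userset = parse_tag(entry["target_object"])
        allowed = ALLOWED_RELATIONS.get(kind)
        if userset:
            problems.append("a userset is only documented on the object side")
        if allowed is None:
            problems.append(f"no relations are documented for target kind {kind!r}")
        elif entry["relation"] not in allowed:
            problems.append(
                f"relation {entry['relation']!r} is not allowed on a {kind}; "
                f"expected one of {sorted(allowed)}"
            )
    except ValueError as err:
        problems.append(str(err))
    return problems


def check_file(text):
    """Validate the JSON text of a tuple file; return {index: [problems]}."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("top-level JSON value must be a list of tuples")
    report = {}
    for index, entry in enumerate(data):
        problems = check_tuple(entry)
        if problems:
            report[index] = problems
    return report


# Constructed sample: entries 0 and 1 follow the rules, 2 to 4 break one each.
SAMPLE = json.dumps([
    {"object": "user-mike", "relation": "member", "target_object": "group-yellow"},
    {"object": "group-TeamA#member", "relation": "administrator",
     "target_object": "controller-MyController"},
    {"object": "user-alice", "relation": "writer",
     "target_object": "controller-MyController"},
    {"object": "user-bob#member", "relation": "reader", "target_object": "model-mymodel"},
    {"object": "alice", "relation": "member", "target_object": "group-yellow"},
])

if __name__ == "__main__":
    for index, problems in check_file(SAMPLE).items():
        print(index, "; ".join(problems))
```

Running it over a file before a bulk grant catches a relation that does not belong to the target kind, and leaves a reviewable list of what the file would change.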
jaas add-role
Summary
Add role to jimm.
Usage
jaas add-role [options] <role name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju add-role myrole
Details
Adds a role.
jaas add-service-account
Summary
Add permission to manage a service account
Usage
jaas add-service-account [options] <client-id>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju add-service-account <client-id>
Details
add-service-account binds a service account to your user, giving you administrator access over the service account. It can only be run once per service account.
jaas audit-events
Aliases: audit-events
Summary
Displays audit events
Usage
jaas list-audit-events [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | display events that happened after a specified time, formatted as RFC3339 |
| | | display events that happened before specified time, formatted as RFC3339 |
| | yaml | Specify output format (json\|tabular\|yaml) |
| | 0 | limit the maximum number of returned audit events |
| | | display events for a specific method call |
| | | display events for a specific model (model name is controller/model) |
| | | Specify an output file |
| | 0 | offset the set of returned audit events |
| | false | reverse the order of logs, showing the most recent first |
| | | display events performed by authenticated user |
Examples
juju list-audit-events --after 2020-01-01T15:00:00 --before 2020-01-01T15:00:00 --user-tag [email protected] --limit 50
juju list-audit-events --method CreateModel
juju audit-events --after 2020-01-01T15:00:00 --format yaml
Details
Returns audit log events.
jaas check-permission
Summary
Check access to a resource.
Usage
jaas check-permission [options] <object> <relation> <target_object>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | smart | Specify output format (json\|smart\|yaml) |
| | | Specify an output file |
Examples
juju check-permission [email protected] administrator controller-aws-controller-1
Details
Verifies access to a resource.
jaas controllers
Aliases: list-controllers
Summary
Lists all controllers known to JIMM.
Usage
jaas controllers [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju controllers
juju controllers --format json
Details
Displays controller information for all controllers known to JIMM.
jaas documentation
Summary
Generate the documentation for all commands
Usage
jaas documentation [options] --out <target-folder> --no-index --split --url <base-url> --discourse-ids <filepath>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | | File containing a mapping of commands and their discourse ids |
| | false | Do not generate the commands index |
| | | Documentation output folder; if not set, the result is displayed using the standard output |
| | false | Generate a separate Markdown file for each command |
| | | Documentation host URL |
Examples
juju documentation
juju documentation --split
juju documentation --split --no-index --out /tmp/docs
To render markdown documentation using a list of existing commands, you can use a file with the following syntax:
command1: id1
command2: id2
commandN: idN
For example:
add-cloud: 1183
add-secret: 1284
remove-cloud: 4344
Then, the URLs will be populated using the ids indicated in the file above.
juju documentation --split --no-index --out /tmp/docs --discourse-ids /tmp/docs/myids
Details
This command generates a markdown formatted document with all the commands, their descriptions, arguments, and examples.
jaas grant-audit-log
Summary
Grants access to audit logs.
Usage
jaas grant-audit-log [options] <username>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
Examples
juju grant-audit-log <username>
Details
Grants a user access to read audit logs.
jaas grant-service-account-access
Summary
Grants administrator access over a service account
Usage
jaas grant-service-account-access [options] <client-id> (<user>|<group>) [(<user>|<group>) ...]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | smart | Specify output format (smart) |
| | | Specify an output file |
Examples
juju grant-service-account-access 00000000-0000-0000-0000-000000000000 user-foo group-bar
Details
grant-service-account-access grants administrator access over a service account to the given groups/identities.
jaas groups
Aliases: groups
Summary
List all groups.
Usage
jaas list-groups [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | 0 | The maximum number of groups to return |
| | | Specify an output file |
| | 0 | The offset to use when requesting groups |
Examples
juju list-groups
Details
Lists all groups.
jaas help
Summary
Show help on a command or other topic.
Usage
jaas help [flags] [topic]
Details
See also: topics
jaas import-model
Aliases: register-model
Summary
Import a model to jimm
Usage
jaas import-model [options] <controller name> <model uuid>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | switch the model owner to the desired user |
Examples
juju import-model mycontroller ac30d6ae-0bed-4398-bba7-75d49e39f189
juju import-model mycontroller ac30d6ae-0bed-4398-bba7-75d49e39f189 --owner [email protected]
Details
Imports a model running on a controller into JIMM’s state.
When importing, it is necessary for JIMM to contain a set of cloud credentials that represent a user’s access to the incoming model’s cloud.
The --owner flag is necessary when importing a model created by a local user; it switches the model owner to the desired external user.
jaas list-audit-events
Aliases: audit-events
Summary
Displays audit events
Usage
jaas list-audit-events [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | display events that happened after a specified time, formatted as RFC3339 |
| | | display events that happened before specified time, formatted as RFC3339 |
| | yaml | Specify output format (json\|tabular\|yaml) |
| | 0 | limit the maximum number of returned audit events |
| | | display events for a specific method call |
| | | display events for a specific model (model name is controller/model) |
| | | Specify an output file |
| | 0 | offset the set of returned audit events |
| | false | reverse the order of logs, showing the most recent first |
| | | display events performed by authenticated user |
Examples
juju list-audit-events --after 2020-01-01T15:00:00 --before 2020-01-01T15:00:00 --user-tag [email protected] --limit 50
juju list-audit-events --method CreateModel
juju audit-events --after 2020-01-01T15:00:00 --format yaml
Details
Returns audit log events.
jaas list-controllers
Aliases: list-controllers
Summary
Lists all controllers known to JIMM.
Usage
jaas controllers [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju controllers
juju controllers --format json
Details
Displays controller information for all controllers known to JIMM.
jaas list-groups
Aliases: groups
Summary
List all groups.
Usage
jaas list-groups [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | 0 | The maximum number of groups to return |
| | | Specify an output file |
| | 0 | The offset to use when requesting groups |
Examples
juju list-groups
Details
Lists all groups.
jaas list-permissions
Aliases: permissions
Summary
List relations.
Usage
jaas list-permissions [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|tabular\|yaml) |
| | | Specify an output file |
| | | relation object |
| | | relation name |
| | true | resolves UUIDs to human readable tags |
| | | relation target object |
Examples
List all permissions:
juju list-permissions
List permissions where the target object matches:
juju list-permissions --target model-mymodel
List permissions where the target object and relation match:
juju list-permissions --target model-mymodel --relation admin
Details
List permissions known to JIMM. Using the “target”, “relation” and “object” flags, only those permissions matching the filter will be returned.
jaas list-roles
Aliases: roles
Summary
List all roles.
Usage
jaas list-roles [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | 0 | The maximum number of roles to return |
| | | Specify an output file |
| | 0 | The offset to use when requesting roles |
Examples
juju list-roles list
Details
Lists all roles.
jaas list-service-account-credentials
Summary
List service account cloud credentials
Usage
jaas list-service-account-credentials [options] <client-id>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | tabular | Specify output format (json\|tabular\|yaml) |
| | | Specify an output file |
| | false | Show secrets, applicable to yaml or json formats only |
Examples
juju list-service-account-credentials <client-id>
juju list-service-account-credentials <client-id> --show-secrets
juju list-service-account-credentials <client-id> --format yaml
Details
list-service-account-credentials lists the cloud credentials belonging to a service account.
This command only shows credentials uploaded to the controller that belong to the service account. Client-side credentials should be managed via the juju credentials command.
jaas migrate
Summary
Migrate models to the target controller
Usage
jaas migrate [options] <controller name> <model uuid> [<model uuid>...]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju migrate mycontroller 2cb433a6-04eb-4ec4-9567-90426d20a004 fd469983-27c2-423b-bebf-84f616fb036b ...
juju migrate mycontroller [email protected]/model-a [email protected]/model-b ...
juju migrate mycontroller [email protected]/model-a fd469983-27c2-423b-bebf-84f616fb036b ...
Details
The migrate command migrates a model, or many models, between two controllers registered within JIMM.
You may specify a model name (of the form owner/name) or model UUID.
jaas model-status
Summary
Displays full model status
Usage
jaas model-status [options] <model uuid>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju model-status 2cb433a6-04eb-4ec4-9567-90426d20a004
juju model-status 2cb433a6-04eb-4ec4-9567-90426d20a004 --format yaml
Details
Displays full model status.
jaas permissions
Aliases: permissions
Summary
List relations.
Usage
jaas list-permissions [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|tabular\|yaml) |
| | | Specify an output file |
| | | relation object |
| | | relation name |
| | true | resolves UUIDs to human readable tags |
| | | relation target object |
Examples
List all permissions:
juju list-permissions
List permissions where the target object matches:
juju list-permissions --target model-mymodel
List permissions where the target object and relation match:
juju list-permissions --target model-mymodel --relation admin
Details
List permissions known to JIMM. Using the “target”, “relation” and “object” flags, only those permissions matching the filter will be returned.
jaas purge-audit-logs
Summary
purge audit logs from the database before the given date
Usage
jaas purge-audit-logs [options] <date>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju purge-audit-logs 2021-02-03
juju purge-audit-logs 2021-02-03T00
juju purge-audit-logs 2021-02-03T15:04:05Z
Details
Purges logs from the database before the given date.
The provided date must be formatted as an ISO8601 date string.
jaas query-models
Summary
Query model statuses
Usage
jaas query-models [options] <query>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | json | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju query-models '.applications | with_entries(select(.key=="nginx-ingress-integrator"))'
Details
Queries all models available to the current user, performing the query against each model status individually and returning the collated query responses for each model.
The query runs against the output of “juju status --format json”, so you can write your query against output of that form.
The queries expect a JQ query string.
jaas register-controller
Summary
Add controller to jimm
Usage
jaas register-controller [options] <filepath>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | false | Dry-run enabled will only print the controller details. |
| | | Specify a file-path for controller details, use ‘-’ to read from stdin. |
| | yaml | Specify output format (json\|yaml) |
| | false | If local flag is specified, then the local API address and CA cert of the controller will be used. |
| | | Specify an output file |
| | | Specify a custom public address to use for dialing the controller. |
| | | Specify the hostname for TLS verification. |
Examples
juju register-controller mycontroller
juju register-controller mycontroller --local
Details
Registers a controller with JIMM.
Using the controller name provided, this command will inspect your Juju client store for details on the specified controller.
Note that by default, this command assumes the controller has the public-hostname field set, which will define the preferred address JIMM will use to contact the controller. Use of a public address will also ignore any custom CA cert in your local client store and assumes the server is secured with a public certificate.
Use the --local flag if the server is not configured with a public address or to ignore the controller’s public-hostname and use the custom CA of the controller.
A YAML formatted file can also be used as input for cases where the controller is not available on the client. Using --file will validate that the provided controller name matches the name in the YAML file. Using --file will ignore other flags like --public-address.
Use the --dry-run flag to generate a sample file without registering the controller. This can be used later as input to register-controller.
jaas register-model
Aliases: register-model
Summary
Import a model to jimm
Usage
jaas import-model [options] <controller name> <model uuid>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | switch the model owner to the desired user |
Examples
juju import-model mycontroller ac30d6ae-0bed-4398-bba7-75d49e39f189
juju import-model mycontroller ac30d6ae-0bed-4398-bba7-75d49e39f189 --owner [email protected]
Details
Imports a model running on a controller into JIMM’s state.
When importing, it is necessary for JIMM to contain a set of cloud credentials that represent a user’s access to the incoming model’s cloud.
The --owner flag is necessary when importing a model created by a local user; it switches the model owner to the desired external user.
jaas remove-cloud
Summary
Remove cloud from specific controller in jimm
Usage
jaas remove-cloud [options] <controller_name> <cloud_name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju remove-cloud mycontroller mycloud
Details
Removes the specified cloud from the specified controller in JIMM.
jaas remove-group
Summary
Remove a group.
Usage
jaas remove-group [options] <name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | smart | Specify output format (smart) |
| | | Specify an output file |
| | false | delete group without prompt |
Examples
juju remove-group mygroup
Details
Removes a group.
jaas remove-permission
Summary
Remove relation from JIMM.
Usage
jaas remove-permission [options] <object> <relation> <target_object>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | | file location of JSON encoded tuples |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju remove-permission [email protected] member group-mygroup
juju remove-permission group-MyTeam#member admin model-mymodel
juju remove-permission -f /path/to/file.yaml
Details
Revokes access to a resource.
This command works at a low level, and commands like ‘juju grant’ should be preferred in most cases.
Permissions in JIMM consist of an object, a relation and a target object. These are used to define access control between resources.
The object and target object must be of the form <tag>-<objectname> or <tag>-<object-uuid>, e.g. “user-Alice” or “controller-MyController”.
-f Read from a file, where filename is the location of a JSON encoded file of the form:
    [
      { "object": "user-mike", "relation": "member", "target_object": "group-yellow" },
      { "object": "user-alice", "relation": "member", "target_object": "group-yellow" }
    ]
Certain constraints apply when creating/removing permissions, namely:
Object may be one of:
user tag = "user-<name>"
group tag = "group-<name>"
controller tag = "controller-<name>"
model tag = "model-<name>"
application offer tag = "offer-<name>"
If target_object is a group, the relation can only be:
member
If target_object is a controller, the relation can be one of:
loginer
administrator
If target_object is a model, the relation can be one of:
reader
writer
administrator
If target_object is an application offer, the relation can be one of:
reader
consumer
administrator
Additionally, if the object is a group, a userset can be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:
group-TeamA#member administrator controller-MyController
jaas remove-role
Summary
Remove a role.
Usage
jaas remove-role [options] <role name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | smart | Specify output format (smart) |
| | | Specify an output file |
| | false | delete role without prompt |
Examples
juju remove-role remove myrole
Details
Removes a role.
jaas rename-group
Summary
Rename a group.
Usage
jaas rename-group [options] <name> <new name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
Examples
juju rename-group mygroup newgroup
Details
Renames a group.
jaas rename-role
Summary
Rename a role.
Usage
jaas rename-role [options] <role name> <new role name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
Examples
juju rename-role myrole newrolename
Details
Renames a role.
jaas revoke-audit-log
Summary
revokes access to audit logs.
Usage
jaas revoke-audit-log [options] <user>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
Examples
juju revoke-audit-log [email protected]
Details
Revokes user access to audit logs.
jaas roles
Aliases: roles
Summary
List all roles.
Usage
jaas list-roles [options]
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | 0 | The maximum number of roles to return |
| | | Specify an output file |
| | 0 | The offset to use when requesting roles |
Examples
juju list-roles list
Details
Lists all roles.
jaas set-controller-deprecated
Summary
Sets controller deprecated status.
Usage
jaas set-controller-deprecated [options] <controller name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju set-controller-deprecated mycontroller
Details
Sets the deprecated status of a controller.
jaas unregister-controller
Summary
Remove controller from jimm
Usage
jaas unregister-controller [options] <name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | false | force unregister a controller |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju unregister-controller mycontroller
juju unregister-controller mycontroller --force
Details
Deregisters a controller from JIMM.
jaas update-migrated-model
Summary
Update the controller running a model.
Usage
jaas update-migrated-model [options] <controller name> <model uuid>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
Examples
juju update-migrated-model mycontroller e0bf3abf-7029-4e48-9c26-68a7b6e02947
Details
Updates a model known to JIMM that has been migrated externally to a different JAAS controller.
jaas update-service-account-credential
Summary
Update service account cloud credential
Usage
jaas update-service-account-credential [options] <client-id> <cloud> <credential-name>
Options
| Flag | Default | Usage |
| --- | --- | --- |
| | false | Do not use web browser for authentication |
| | false | Provide this option to use a credential from your local store instead |
| | yaml | Specify output format (json\|yaml) |
| | | Specify an output file |
Examples
juju update-service-account-credential <client-id> aws <credential-name>
juju update-service-account-credential --client <client-id> aws <credential-name>
Details
The update-service-account-credential command updates the credentials associated with a service account. Without any additional flags, this command will search for the specified credentials on the controller and create a copy that belongs to the service account.
If the --client option is provided, the command will search for the specified credential on your local client store and upload a copy of the credential that will be owned by the service account.