Changing model owner

erik-lonroth · 16 January 2019 11:34

Hello!

I’ve been trying to find documentation about changing owner of a model, but can’t seem to find it.

Is there any way of doing that?

pmatulis · 16 January 2019 14:17

I don’t think it can be done at this time.

I believe the model owner is something that we want to deprecate due to the conflicting concepts of user “type” and user “rights” (e.g. model ‘admin’ access). However, when a model is viewed from a non-owner Juju user (e.g. models command) the owner is the string that is prefixed to the model name (e.g. erik/model-1), which sets it apart from a “locally-owned” model. Perhaps we should just use a way of doing this that is not associated with the concept of a user.

rick_h · 17 January 2019 08:41

I wonder if @anastasia-macmood can clarify. There was the start of some work towards this but I don’t recall how far it got.

erik-lonroth · 17 January 2019 09:22

The reason I ask, is because we are trying to get our heads around how to administer users and mapping them to their respective ownership of various entities in juju (models, machines, etc).

This is equally true for the underlying MAAS we have.

We are trying to figure out a good way of organizing this in an enterprise context. Not easy, but we are getting there.

rick_h · 17 January 2019 09:44

Yea, it’s a natural issue that we’ve hit in JAAS as well as folks leave a company and we want to move the owner over. What we’ve been trying to do is get to replace owner as an idea and move it to more of a “namespace” so that in theory the owner would be a team and access managed by users instead. It’s work in flight though.

For MAAS, there’s work going on to support Candid as a backend to it with RBAC on top of that. I don’t know for sure where that’s at with being able to test and play with it though. I’ll see if I can bug the MAAS folks and get your more details.

anastasia-macmood · 17 January 2019 20:32

The only work that has been done with respect to model ‘owner’ is internal - we made sure that there are no lingering permission checks. The rest of the work that rick_h describes - “namespacing” part - is yet to come. We still want to provide the ability to group models using some arbitrary parameters, say business unit they belong to as a category, but not to attach any individuals or Juju functionality.