The add-user command is for dealing only with local users on a controller.
As @rick_h mentioned above, the idea was always for an identity provider to managage external users, like the @scania part. I had always thought that the part after the @ would be configurable. Not sure if that bit was implemented.
So, the way to get the USER@scania would be to use candid.
Yes, we do have candid, integrated with AD, but the thing is that we’re trying to figure out how to get the juju client setup for a controller without having to copy or edit yaml files.
The ‘juju register’ way was super, but that doesnt work with candid.
Yes. The login command hits an unauthenticated endpoint to initiate download of the server CA Cert, and the user is authenticated. There are some caveats…
the machine needs to have routability to the controller
the controller should be configured with candid
the special user everyone@external should be granted login and add-model permissions
The external user should not be added as per @rick_h’s post above. everyone@external is a special user that exists for the purpose of configuring general perissions until Juju gets proper RBAC security.
NOTE: you should use “@external” here even though you use “@scania” for the candid entries because “everyone@external” is a hard-coded string in Juju just now.
Note! The client must not provide the username at login (will error) but instead uses the URL login provided by candid for that.
Login succeed!
After this, adding cloud and credentials is needed to be able to “juju add-model” as:
juju add-cloud … (cloud name must match exactly the cloud name in the controller)
juju add-credential …
juju update-credentials …
juju add-model …
… etc
As a follow up question: Is there a way to extract the cloud names from the controller since that is important for the subsequent “juju add-cloud” to make sure the name of the clouds are exactly the same on the client as on the controller…
This is by all means great news for the simplified way of adding in new users to a/the Juju infrastructure. Thanx alot for taking us there!
Nice! Glad you found a path. Can you give an example of what you mean by “the client must not provide the username at login”? Do you mean providing the username argument to the login command?
As for the clouds, you should be able to use something like
juju list-clouds --format=yaml
The one thing you’ll hit is a bug that I’ve asked @nammn to look into as part of his onboarding:
Clearly that’s going to be a pain point and we’re looking to have that adjusted for 2.7.
