// Init implements cmd.Command.
func (c *accessCommand) Init(args []string) error {
if len(args) < 1 {
return errors.New("no user specified")
}
if len(args) < 2 {
return errors.New("no permission level specified")
}
c.User = args[0]
c.ModelNames = args[2:]
c.Access = args[1]
// Special case for backwards compatibility.
if c.Access == "addmodel" {
c.Access = "add-model"
}
if len(c.ModelNames) > 0 {
if err := permission.ValidateControllerAccess(permission.Access(c.Access)); err == nil {
return errors.Errorf("You have specified a controller access permission %q.\n"+
"If you intended to change controller access, do not specify any model names.\n"+
"See 'juju help grant'.", c.Access)
}
return permission.ValidateModelAccess(permission.Access(c.Access))
}
if err := permission.ValidateModelAccess(permission.Access(c.Access)); err == nil {
return errors.Errorf("You have specified a model access permission %q.\n"+
"If you intended to change model access, you need to specify one or more model names.\n"+
"See 'juju help grant'.", c.Access)
}
return nil
}
// AddModelUser adds a new user for the model identified by modelUUID to the database.
func (st *State) AddModelUser(modelUUID string, spec UserAccessSpec) (permission.UserAccess, error) {
if err := permission.ValidateModelAccess(spec.Access); err != nil {
return permission.UserAccess{}, errors.Annotate(err, "adding model user")
}
target := userAccessTarget{
uuid: modelUUID,
globalKey: modelGlobalKey,
}
return st.addUserAccess(spec, target)
}
// setModelAccess changes the user's access permissions on the model.
func (st *State) setModelAccess(access permission.Access, userGlobalKey, modelUUID string) error {
if err := permission.ValidateModelAccess(access); err != nil {
return errors.Trace(err)
}
op := updatePermissionOp(modelKey(modelUUID), userGlobalKey, access)
err := st.runTransactionFor(modelUUID, []txn.Op{op})
if err == txn.ErrAborted {
return errors.NotFoundf("existing permissions")
}
return errors.Trace(err)
}
// ModifyModelAccess changes the model access granted to users.
func (m *ModelManagerAPI) ModifyModelAccess(args params.ModifyModelAccessRequest) (result params.ErrorResults, _ error) {
result = params.ErrorResults{
Results: make([]params.ErrorResult, len(args.Changes)),
}
canModifyController, err := m.authorizer.HasPermission(permission.SuperuserAccess, m.state.ControllerTag())
if err != nil {
return result, errors.Trace(err)
}
if len(args.Changes) == 0 {
return result, nil
}
for i, arg := range args.Changes {
modelAccess := permission.Access(arg.Access)
if err := permission.ValidateModelAccess(modelAccess); err != nil {
err = errors.Annotate(err, "could not modify model access")
result.Results[i].Error = common.ServerError(err)
continue
}
modelTag, err := names.ParseModelTag(arg.ModelTag)
if err != nil {
result.Results[i].Error = common.ServerError(errors.Annotate(err, "could not modify model access"))
continue
}
canModifyModel, err := m.authorizer.HasPermission(permission.AdminAccess, modelTag)
if err != nil {
return result, errors.Trace(err)
}
canModify := canModifyController || canModifyModel
if !canModify {
result.Results[i].Error = common.ServerError(common.ErrPerm)
continue
}
targetUserTag, err := names.ParseUserTag(arg.UserTag)
if err != nil {
result.Results[i].Error = common.ServerError(errors.Annotate(err, "could not modify model access"))
continue
}
result.Results[i].Error = common.ServerError(
changeModelAccess(m.state, modelTag, m.apiUser, targetUserTag, arg.Action, modelAccess, m.isAdmin))
}
return result, nil
}
func (c *Client) modifyModelUser(action params.ModelAction, user, access string, modelUUIDs []string) error {
var args params.ModifyModelAccessRequest
if !names.IsValidUser(user) {
return errors.Errorf("invalid username: %q", user)
}
userTag := names.NewUserTag(user)
modelAccess := permission.Access(access)
if err := permission.ValidateModelAccess(modelAccess); err != nil {
return errors.Trace(err)
}
for _, model := range modelUUIDs {
if !names.IsValidModel(model) {
return errors.Errorf("invalid model: %q", model)
}
modelTag := names.NewModelTag(model)
args.Changes = append(args.Changes, params.ModifyModelAccess{
UserTag: userTag.String(),
Action: action,
Access: params.UserAccessPermission(modelAccess),
ModelTag: modelTag.String(),
})
}
var result params.ErrorResults
err := c.facade.FacadeCall("ModifyModelAccess", args, &result)
if err != nil {
return errors.Trace(err)
}
if len(result.Results) != len(args.Changes) {
return errors.Errorf("expected %d results, got %d", len(args.Changes), len(result.Results))
}
for i, r := range result.Results {
if r.Error != nil && r.Error.Code == params.CodeAlreadyExists {
logger.Warningf("model %q is already shared with %q", modelUUIDs[i], userTag.Canonical())
result.Results[i].Error = nil
}
}
return result.Combine()
}
// Init implements cmd.Command.
func (c *accessCommand) Init(args []string) error {
if len(args) < 1 {
return errors.New("no user specified")
}
if len(args) < 2 {
return errors.New("no permission level specified")
}
c.User = args[0]
c.ModelNames = args[2:]
c.ModelAccess = args[1]
if len(c.ModelNames) > 0 {
err := permission.ValidateModelAccess(permission.Access(c.ModelAccess))
if err != nil {
return err
}
}
return nil
}
