// Init implements cmd.Command. func (c *accessCommand) Init(args []string) error { if len(args) < 1 { return errors.New("no user specified") } if len(args) < 2 { return errors.New("no permission level specified") } c.User = args[0] c.ModelNames = args[2:] c.Access = args[1] // Special case for backwards compatibility. if c.Access == "addmodel" { c.Access = "add-model" } if len(c.ModelNames) > 0 { if err := permission.ValidateControllerAccess(permission.Access(c.Access)); err == nil { return errors.Errorf("You have specified a controller access permission %q.\n"+ "If you intended to change controller access, do not specify any model names.\n"+ "See 'juju help grant'.", c.Access) } return permission.ValidateModelAccess(permission.Access(c.Access)) } if err := permission.ValidateModelAccess(permission.Access(c.Access)); err == nil { return errors.Errorf("You have specified a model access permission %q.\n"+ "If you intended to change model access, you need to specify one or more model names.\n"+ "See 'juju help grant'.", c.Access) } return nil }
// setAccess changes the user's access permissions on the controller. func (st *State) setControllerAccess(access permission.Access, userGlobalKey string) error { if err := permission.ValidateControllerAccess(access); err != nil { return errors.Trace(err) } op := updatePermissionOp(controllerKey(st.ControllerUUID()), userGlobalKey, access) err := st.runTransaction([]txn.Op{op}) if err == txn.ErrAborted { return errors.NotFoundf("existing permissions") } return errors.Trace(err) }
// ModifyControllerAccess changes the model access granted to users. func (c *ControllerAPI) ModifyControllerAccess(args params.ModifyControllerAccessRequest) (params.ErrorResults, error) { result := params.ErrorResults{ Results: make([]params.ErrorResult, len(args.Changes)), } if len(args.Changes) == 0 { return result, nil } hasPermission, err := c.authorizer.HasPermission(permission.SuperuserAccess, c.state.ControllerTag()) if err != nil { return result, errors.Trace(err) } for i, arg := range args.Changes { if !hasPermission { result.Results[i].Error = common.ServerError(common.ErrPerm) continue } controllerAccess := permission.Access(arg.Access) if err := permission.ValidateControllerAccess(controllerAccess); err != nil { result.Results[i].Error = common.ServerError(err) continue } targetUserTag, err := names.ParseUserTag(arg.UserTag) if err != nil { result.Results[i].Error = common.ServerError(errors.Annotate(err, "could not modify controller access")) continue } result.Results[i].Error = common.ServerError( ChangeControllerAccess(c.state, c.apiUser, targetUserTag, arg.Action, controllerAccess)) } return result, nil }
// AddControllerUser adds a new user for the curent controller to the database. func (st *State) AddControllerUser(spec UserAccessSpec) (permission.UserAccess, error) { if err := permission.ValidateControllerAccess(spec.Access); err != nil { return permission.UserAccess{}, errors.Annotate(err, "adding controller user") } return st.addUserAccess(spec, userAccessTarget{globalKey: controllerGlobalKey}) }