I worked with Tom on this in IRC and got to the bottom of it. We hit a
corner case of the superuser. The folks that own the controller themselves
are a bit special. While technically they're the boss and can juju status
any model in the controller, they don't see all the models by default in
juju models and the like. It'd make being the controller admins a real
pain.

Likewise, we don't auto add the ssh key of every superuser to every machine
in every model regardless of the owner. We take the tack that superusers
can sudo around and do anything, but by default commands only allow them to
do things on models they've been given model level access to directly.

Tom was setting up a controller, adding a user, and granting them superuser
on the controller. However, as the user had no direct share/access to the
model in question it could not ssh to the machines in the model.

I think we can be more clear here around the error messaging as we know the
user is a superuser and why the request failed.

On Fri, May 11, 2018 at 6:11 AM Tom Barber <t...@spicule.co.uk> wrote:

> Hello folks
>
> IRC has failed me so let's try the wider world.
>
> We have a multinode manual cloud deployed. We have juju add-user 2 new
> users and also juju add-ssh-key for those users.
>
> We know the ssh key works because
>
> ssh ubuntu@<host>
>
> works fine and we can sudo -i etc and do stuff.
>
> But
>
> juju ssh <machine number>
>
> says:
>
> ERROR permission denied (unauthorized access)
> 11:05:18 DEBUG cmd supercommand.go:459 error stack:
> permission denied (unauthorized access)
> github.com/juju/juju/rpc/client.go:149:
> github.com/juju/juju/api/apiclient.go:924:
> github.com/juju/juju/api/sshclient/facade.go:109:
> github.com/juju/juju/cmd/juju/commands/ssh_common.go:257:
> github.com/juju/juju/cmd/juju/commands/ssh_common.go:141:
> github.com/juju/juju/cmd/juju/commands/ssh.go:117:
>
> I've looked at the code and it claims we can
>
> juju ssh ubuntu@<machine number> -i <key>
>
> that fails with the same error.
>
> If I tail the target server's auth.log there isn't even a failed login
> attempt which strikes me as a little weird considering it says
>
> permission denied (unauthorized access)
>
> Which does make me question... what permission is denied?
>
>
> --
>
>
> Spicule Limited is registered in England & Wales. Company Number:
> 09954122. Registered office: First Floor, Telecom House, 125-135 Preston
> Road, Brighton, England, BN1 6AF. VAT No. 251478891.
>
> --
> Juju mailing list
> Juju@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju
>