User¶
See also: How to manage users
In Juju, a user is any person able to log in to a Juju controller.
Note
Juju users are not related in any way to the client system users.
Users can be created in two ways: Implicitly by bootstrapping a controller into a cloud or explicitly by adding a user to a controller (juju add-user).
A user logs in to a Juju controller using a username and a password. The user created implicitly gets the username admin and is prompted to create a password the first time they attempt to log out. A user created explicitly gets the username assigned to them when being added (via juju add-user) and is prompted to create login details when they register the new controller with their Juju client.
Note
A user’s username and password are entirely different from the credentials referenced in juju commands such as add-credential—those are about access to a cloud, whereas these are about access to a Juju controller.
Important
Multiple users can be accommodated by the same Juju client. However, there can only be one user logged in at a time.
Every user is associated with an access level. The default level for the user created implicitly (admin) is the controller superuser access level, which means they can do everything at the level of the entire controller. The default level for a user created explicitly is the controller login level, which means they can do nothing on the controller other than register it with their client and log in to it – for anything more they must be granted a higher level explicitly.
User access levels¶
A Juju user may have different abilities, according to the access level they have been granted. This document describes the various access levels and the corresponding abilities.
Valid access levels for controllers¶
login¶
Granted: Via `juju register.
Abilities: Log in to the controller.
superuser¶
Granted: Automatically by bootstrapping a controller or by having the username ‘admin’.
Abilities: Do anything that it is possible to do at the level of a controller.
Note
A person logged into the jaas controller automatically has the login access level. This is automatically granted via juju grant login everyone@external.
Note
Since multiple controllers—and therefore multiple controller administrators—are possible, there is no such thing as an overarching “Juju administrator”. Nevertheless, a user with the superuser access level is usually what people refer to as “the admin”.
Valid access levels for clouds¶
A controller can manage models on many clouds. With cloud-level access you can give a user permission to access one cloud but not another related to that controller.
add-model¶
Granted: Via juju grant-cloud.
Abilities: Add a model. Grant another user model-level permissions.
admin¶
Granted: Via juju grant-cloud.
Abilities: You can do anything that it is possible to do at the level of a cloud.
Valid access levels for models¶
read¶
Granted: Via juju grant.
Abilities: View the content of a model without changing it. Use any of the read commands.
write¶
Granted: Via juju grant.
Abilities: Deploy and manage applications on the model.
admin¶
Granted: Via juju grant.
Abilities: Do anything that it is possible to do at the level of a model.
Valid access levels for application offers¶
read¶
Granted: Via juju grant.
Abilities: View offers during a search with juju find-offers.
consume¶
Granted: Via juju grant.
Abilities: Relate an application to the offer.
admin¶
Granted: Via juju grant.
Abilities: You can do anything that it is possible to do at the level of an offer.