Managing multi-user environments
Juju supports multi-user environments by allowing multiple users to connect to an environment with unique credentials.
When an environment is bootstrapped, the name of the initial Juju user is hardcoded to "admin".
Support for fine-grained permissions is in development. At this stage the only permission check is that the initial administrative user alone can create or disable other users. Any user is now able to change their own password.
The user commands are grouped under the juju user command. For syntax, use juju user --help or juju user <sub-command> --help, or see the command reference page.
To add a user:
juju user add fred -o /tmp/fred-local.jenv "Test User"
Assuming the current user is 'ubuntu', this will result in:
To generate a random strong password, use the --generate flag.
password:
type password again:
user "Test User (fred)" added
environment file written to /tmp/fred-local.jenv
The environment file contains everything that Juju needs to connect to the API server of the Juju system. It has the network address, server certificate, username and a randomly generated password. For instance, fred-local.jenv above looks like:
user: fred
password: ubuntu
environ-uuid: bbb0d979-4c04-407f-8f6e-b5e14b0d1a0e
state-servers:
- localhost:17070
- 10.0.3.1:17070
- 10.5.0.218:17070
ca-cert: |
  -----BEGIN CERTIFICATE-----
  [certificate data omitted]
  -----END CERTIFICATE-----
Now create the system user (also called 'fred' for simplicity) and set everything up:
sudo adduser fred
su - fred
mkdir -p .juju/environments
cp /tmp/fred-local.jenv .juju/environments
juju status -e fred-local
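The environment file stores the password in clear text next to the API addresses, so its file mode matters wherever a copy lives. The Python check below is an added example, not part of the Juju documentation or code: parse_jenv, audit_jenv, demo and the owner-only (0600) expectation are assumptions of this example, and the sample file is constructed from the listing above with an empty certificate body.

```python
import os
import tempfile

# Constructed sample modelled on the page's fred-local.jenv; cert body left empty.
SAMPLE = """\
user: fred
password: ubuntu
state-servers:
- localhost:17070
ca-cert: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
"""

def parse_jenv(text):
    """Read the flat key/list/block layout of the sample (not a full YAML parser)."""
    data, key = {}, None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if raw[0] not in " -" and ":" in line:  # top-level "key: value"
            key, _, value = line.partition(":")
            data[key] = [] if value.strip() in ("", "|") else value.strip()
        elif key is not None and isinstance(data[key], list):
            data[key].append(line[2:] if line.startswith("- ") else line)
    return data

def audit_jenv(path):
    """Return findings for one environment file: exposure first, then content."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # any group/other permission bit set
        findings.append("mode %04o lets other local users reach the password" % mode)
    with open(path) as fh:
        data = parse_jenv(fh.read())
    required = ("user", "password", "state-servers", "ca-cert")
    findings += ["missing field: " + f for f in required if not data.get(f)]
    return findings

def demo():  # audit the sample at mode 0644, then again after tightening to 0600
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fred-local.jenv")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_jenv(path)
        os.chmod(path, 0o600)
        return before, audit_jenv(path)

if __name__ == "__main__":
    print(demo())
```

Calling audit_jenv on /tmp/fred-local.jenv and on the copy under .juju/environments shows whether either copy is readable by other accounts.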
You can see which users have been created using the juju user list command:
juju user list
The output will be similar to:
NAME   DISPLAY NAME  DATE CREATED    LAST CONNECTION
admin  admin         2015-08-12      just now
test   Test User     5 minutes ago   never connected
fred   Test User     26 minutes ago  never connected
The output of this command can also be in YAML or JSON using the usual "--format" options.
To disable a user:
juju user disable test
Disabled users are not shown with the list sub-command unless the '--all' option is given:
juju user list --all
Query an environment for the current user 'fred' (with the api-info command):
juju api-info user -e fred-local
If a disabled user issues the above command, his name will be shown. However, if a disabled user, such as 'test', tries to request information:
juju user info -e test-local
He will be confronted with an error:
WARNING discarding API open error: invalid entity name or password
ERROR environment "test-local" not found
An enabled user, such as 'fred', should get output similar to:
user-name: fred
display-name: Test User
date-created: 35 minutes ago
last-connection: just now
A disabled user can be re-enabled easily:
juju user enable test