22
22
"github.com/juju/juju/apiserver/common/cloudspec"
23
23
"github.com/juju/juju/apiserver/facade"
24
24
"github.com/juju/juju/apiserver/params"
25
"github.com/juju/juju/core/description"
26
25
coremigration "github.com/juju/juju/core/migration"
27
26
"github.com/juju/juju/migration"
27
"github.com/juju/juju/permission"
28
28
"github.com/juju/juju/state"
29
29
"github.com/juju/juju/state/stateenvirons"
40
40
AllModels() (params.UserModelList, error)
41
41
DestroyController(args params.DestroyControllerArgs) error
42
42
ModelConfig() (params.ModelConfigResults, error)
43
HostedModelConfigs() (params.HostedModelConfigsResults, error)
43
44
GetControllerAccess(params.Entities) (params.UserAccessResults, error)
44
45
ControllerConfig() (params.ControllerConfigResult, error)
45
46
ListBlockedModels() (params.ModelBlockInfoList, error)
93
94
func (s *ControllerAPI) checkHasAdmin() error {
94
isAdmin, err := s.authorizer.HasPermission(description.SuperuserAccess, s.state.ControllerTag())
95
isAdmin, err := s.authorizer.HasPermission(permission.SuperuserAccess, s.state.ControllerTag())
96
97
return errors.Trace(err)
233
234
return result, nil
237
// HostedModelConfigs returns all the information that the client needs in
238
// order to connect directly with the host model's provider and destroy it
240
func (s *ControllerAPI) HostedModelConfigs() (params.HostedModelConfigsResults, error) {
241
result := params.HostedModelConfigsResults{}
242
if err := s.checkHasAdmin(); err != nil {
243
return result, errors.Trace(err)
246
controllerModel, err := s.state.ControllerModel()
248
return result, errors.Trace(err)
251
allModels, err := s.state.AllModels()
253
return result, errors.Trace(err)
256
for _, model := range allModels {
257
if model.UUID() != controllerModel.UUID() {
258
config := params.HostedModelConfig{
260
OwnerTag: model.Owner().String(),
262
modelConf, err := model.Config()
264
config.Error = common.ServerError(err)
266
config.Config = modelConf.AllAttrs()
268
cloudSpec := s.GetCloudSpec(model.ModelTag())
269
if config.Error == nil {
270
config.CloudSpec = cloudSpec.Result
271
config.Error = cloudSpec.Error
273
result.Models = append(result.Models, config)
236
280
// RemoveBlocks removes all the blocks in the controller.
237
281
func (s *ControllerAPI) RemoveBlocks(args params.RemoveBlocksArgs) error {
238
282
if err := s.checkHasAdmin(); err != nil {
309
353
// have on the controller.
310
354
func (c *ControllerAPI) GetControllerAccess(req params.Entities) (params.UserAccessResults, error) {
311
355
results := params.UserAccessResults{}
312
isAdmin, err := c.authorizer.HasPermission(description.SuperuserAccess, c.state.ControllerTag())
356
isAdmin, err := c.authorizer.HasPermission(permission.SuperuserAccess, c.state.ControllerTag())
314
358
return results, errors.Trace(err)
383
427
// Construct target info.
384
428
specTarget := spec.TargetInfo
385
controllerTag, err := names.ParseModelTag(specTarget.ControllerTag)
429
controllerTag, err := names.ParseControllerTag(specTarget.ControllerTag)
387
431
return "", errors.Annotate(err, "controller tag")
408
452
// Check if the migration is likely to succeed.
409
if err := runMigrationPrechecks(hostedState, targetInfo); err != nil {
410
return "", errors.Trace(err)
453
if !(spec.ExternalControl && spec.SkipInitialPrechecks) {
454
if err := runMigrationPrechecks(hostedState, targetInfo); err != nil {
455
return "", errors.Trace(err)
413
459
// Trigger the migration.
483
529
return result, nil
486
hasPermission, err := c.authorizer.HasPermission(description.SuperuserAccess, c.state.ControllerTag())
532
hasPermission, err := c.authorizer.HasPermission(permission.SuperuserAccess, c.state.ControllerTag())
488
534
return result, errors.Trace(err)
497
controllerAccess := description.Access(arg.Access)
498
if err := description.ValidateControllerAccess(controllerAccess); err != nil {
543
controllerAccess := permission.Access(arg.Access)
544
if err := permission.ValidateControllerAccess(controllerAccess); err != nil {
499
545
result.Results[i].Error = common.ServerError(err)
521
567
// Check target controller.
522
conn, err := api.Open(targetToAPIInfo(targetInfo), api.DialOpts{})
568
conn, err := api.Open(targetToAPIInfo(targetInfo), migration.ControllerDialOpts())
524
570
return errors.Annotate(err, "connect to target controller")
565
func grantControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access description.Access) error {
611
func grantControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access permission.Access) error {
566
612
_, err := accessor.AddControllerUser(state.UserAccessSpec{User: targetUserTag, CreatedBy: apiUser, Access: access})
567
613
if errors.IsAlreadyExists(err) {
568
614
controllerTag := accessor.ControllerTag()
594
func revokeControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access description.Access) error {
640
func revokeControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access permission.Access) error {
595
641
controllerTag := accessor.ControllerTag()
597
case description.LoginAccess:
643
case permission.LoginAccess:
598
644
// Revoking login access removes all access.
599
645
err := accessor.RemoveUserAccess(targetUserTag, controllerTag)
600
646
return errors.Annotate(err, "could not revoke controller access")
601
case description.AddModelAccess:
647
case permission.AddModelAccess:
602
648
// Revoking add-model access sets login.
603
649
controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
605
651
return errors.Annotate(err, "could not look up controller access for user")
607
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, description.LoginAccess)
653
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.LoginAccess)
608
654
return errors.Annotate(err, "could not set controller access to read-only")
609
case description.SuperuserAccess:
655
case permission.SuperuserAccess:
610
656
// Revoking superuser sets add-model.
611
657
controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
613
659
return errors.Annotate(err, "could not look up controller access for user")
615
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, description.AddModelAccess)
661
_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.AddModelAccess)
616
662
return errors.Annotate(err, "could not set controller access to add-model")
624
670
// ChangeControllerAccess performs the requested access grant or revoke action for the
625
671
// specified user on the controller.
626
func ChangeControllerAccess(accessor *state.State, apiUser, targetUserTag names.UserTag, action params.ControllerAction, access description.Access) error {
672
func ChangeControllerAccess(accessor *state.State, apiUser, targetUserTag names.UserTag, action params.ControllerAction, access permission.Access) error {
628
674
case params.GrantControllerAccess:
629
675
err := grantControllerAccess(accessor, targetUserTag, apiUser, access)