Merged
112 changes: 104 additions & 8 deletions reference/jaas-plugin.rst
Expand Up @@ -152,29 +152,40 @@ Permissions in JIMM consist of an object, a relation and a target object. These

The object and target object must be of the form <tag>-<objectname> or <tag>-<object-uuid> E.g. “user-Alice” or “controller-MyController”

Certain reserved tags exist to denote specific resource types: - The user-everyone@external tag represents all users. - The controller-jimm tag represents the JIMM controller itself.

Comment on lines +155 to +156
Copilot AI Dec 17, 2025

The reserved tags description appears to be on a single line without proper formatting. The list items should be separated (either by line breaks or proper bullet formatting) to improve readability. Currently, the dashes are used as separators in running text rather than as list markers.

Suggested change
Certain reserved tags exist to denote specific resource types: - The user-everyone@external tag represents all users. - The controller-jimm tag represents the JIMM controller itself.
Certain reserved tags exist to denote specific resource types:
- The user-everyone@external tag represents all users.
- The controller-jimm tag represents the JIMM controller itself.

-f Read from a file where filename is the location of a JSON encoded file of the form: [ { “object”:“user-mike”, “relation”:“member”, “target_object”:“group-yellow” }, { “object”:“user-alice”, “relation”:“member”, “target_object”:“group-yellow” } ]

Certain constraints apply when creating/removing permissions, namely: Object may be one of:
Certain constraints apply when creating/removing permissions, namely: Resources may be one of:

::

user tag = "user-<name>"
group tag = "group-<name>"
role tag = "role-&lt;name&gt;"

Copilot AI Dec 17, 2025

HTML entity encoding issue: "<" and ">" are being used instead of angle brackets. This should be "role-<name>" which will render as "role-" in the final output, but the inconsistency with other tags on lines 163, 166, and 167 which use actual angle brackets suggests this might be unintended encoding.

controller tag = "controller-<name>"
model tag = "model-<name>"
application offer tag = "offer-<name>"
cloud tag = "cloud-&lt;name&gt;"

Copilot AI Dec 17, 2025

HTML entity encoding issue: "<" and ">" are being used instead of angle brackets. This should be "cloud-<name>" which will render as "cloud-" in the final output, but the inconsistency with other tags on lines 163, 166, and 167 which use actual angle brackets suggests this might be unintended encoding.

application-offer tag = "applicationoffer-<name>"

If target_object is a group, the relation can only be:

::

member

If target_object is a role, the relation can only be:

::

assignee

If target_object is a controller, the relation can be one of:

::

loginer
audit_log_viewer (only relevent for the JIMM controller)

Copilot AI Dec 17, 2025

The word "relevent" is misspelled. It should be "relevant".

Suggested change
audit_log_viewer (only relevent for the JIMM controller)
audit_log_viewer (only relevant for the JIMM controller)

can_addmodel
administrator

If target_object is a model, the relation can be one of:
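
Review bot: The resource list gives two different tags for the same resource type, `application offer tag = "offer-<name>"` and `application-offer tag = "applicationoffer-<name>"`, and nothing says which one the command accepts. Keep only the form the CLI parses, or state explicitly that both are valid, since a reader who copies the wrong prefix ends up with a permission tuple that is rejected or does not apply to the offer they meant.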
Expand All @@ -185,6 +196,13 @@ If target_object is a model, the relation can be one of:
writer
administrator

If target_object is a cloud, the relation can be one of:

::

administrator
can_addmodel

If target_object is an application offer, the relation can be one of:

::
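
Review bot: The new cloud block lists `administrator` and `can_addmodel` without saying what either grants, and `can_addmodel` also appears in the controller list earlier in this section. Add a sentence on how the cloud-level and controller-level `can_addmodel` relate (whether a user needs one or both to add a model), so operators can pick the narrower grant deliberately.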
Expand All @@ -193,12 +211,18 @@ If target_object is an application offer, the relation can be one of:
consumer
administrator

Additionally, if the object is a group, a userset can be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:
If the object is a group, a userset must be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:

::

group-TeamA#member administrator controller-MyController

Similarly if the object is a role, a userset must be applied by adding #member as follows.

::

role-Auditor#assignee audit_log_viewer controller-MyController

jaas add-role
=============
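
Review bot: The added role sentence says the userset is formed "by adding #member", but the example under it is `role-Auditor#assignee audit_log_viewer controller-MyController`, and the section above states that the only relation on a role is `assignee`. Change the sentence to say `#assignee`; as written, a reader following the prose would write `role-Auditor#member`, which contradicts the documented relation set.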

Expand Down Expand Up @@ -1569,29 +1593,40 @@ Permissions in JIMM consist of an object, a relation and a target object. These

The object and target object must be of the form <tag>-<objectname> or <tag>-<object-uuid> E.g. “user-Alice” or “controller-MyController”

Certain reserved tags exist to denote specific resource types: - The user-everyone@external tag represents all users. - The controller-jimm tag represents the JIMM controller itself.

Comment on lines +1596 to +1597
Copilot AI Dec 17, 2025

The reserved tags description appears to be on a single line without proper formatting. The list items should be separated (either by line breaks or proper bullet formatting) to improve readability. Currently, the dashes are used as separators in running text rather than as list markers.

Suggested change
Certain reserved tags exist to denote specific resource types: - The user-everyone@external tag represents all users. - The controller-jimm tag represents the JIMM controller itself.
Certain reserved tags exist to denote specific resource types:
- The ``user-everyone@external`` tag represents all users.
- The ``controller-jimm`` tag represents the JIMM controller itself.

-f Read from a file where filename is the location of a JSON encoded file of the form: [ { “object”:“user-mike”, “relation”:“member”, “target_object”:“group-yellow” }, { “object”:“user-alice”, “relation”:“member”, “target_object”:“group-yellow” } ]

Certain constraints apply when creating/removing permissions, namely: Object may be one of:
Certain constraints apply when creating/removing permissions, namely: Resources may be one of:

::

user tag = "user-<name>"
group tag = "group-<name>"
role tag = "role-&lt;name&gt;"

Copilot AI Dec 17, 2025

HTML entity encoding issue: "<" and ">" are being used instead of angle brackets. This should be "role-<name>" which will render as "role-" in the final output, but the inconsistency with other tags on lines 1604, 1607, and 1608 which use actual angle brackets suggests this might be unintended encoding.

controller tag = "controller-<name>"
model tag = "model-<name>"
application offer tag = "offer-<name>"
cloud tag = "cloud-&lt;name&gt;"

Copilot AI Dec 17, 2025

HTML entity encoding issue: "<" and ">" are being used instead of angle brackets. This should be "cloud-<name>" which will render as "cloud-" in the final output, but the inconsistency with other tags on lines 1604, 1607, and 1608 which use actual angle brackets suggests this might be unintended encoding.

application-offer tag = "applicationoffer-<name>"

If target_object is a group, the relation can only be:

::

member

If target_object is a role, the relation can only be:

::

assignee

If target_object is a controller, the relation can be one of:

::

loginer
audit_log_viewer (only relevent for the JIMM controller)

Copilot AI Dec 17, 2025

The word "relevent" is misspelled. It should be "relevant".

Suggested change
audit_log_viewer (only relevent for the JIMM controller)
audit_log_viewer (only relevant for the JIMM controller)

can_addmodel
administrator

If target_object is a model, the relation can be one of:
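
Review bot: The reserved-tag line introduces `user-everyone@external` as "all users" with no caution about its scope. Add a note that any relation granted to this tag applies to every user, and that pairing it with `administrator` or `audit_log_viewer` on `controller-jimm` should be a deliberate, reviewed choice rather than a convenience default.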
Expand All @@ -1602,6 +1637,13 @@ If target_object is a model, the relation can be one of:
writer
administrator

If target_object is a cloud, the relation can be one of:

::

administrator
can_addmodel

If target_object is an application offer, the relation can be one of:

::
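
Review bot: This cloud block is the second identical copy of the text in the file (the same lines are added at the hunk starting `+196`), which is also why the `relevent` typo and the `&lt;name&gt;` entities appear twice in this PR. If jaas-plugin.rst is generated from the command help strings, make the corrections in that source so the two copies cannot drift; if it is hand-edited, consider a shared include for the permission constraints.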
Expand All @@ -1610,12 +1652,18 @@ If target_object is an application offer, the relation can be one of:
consumer
administrator

Additionally, if the object is a group, a userset can be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:
If the object is a group, a userset must be applied by adding #member as follows. This will grant/revoke access to all users within TeamA:

::

group-TeamA#member administrator controller-MyController

Similarly if the object is a role, a userset must be applied by adding #member as follows.

::

role-Auditor#assignee audit_log_viewer controller-MyController

jaas remove-role
================
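
Review bot: The group sentence changes "a userset can be applied" to "a userset must be applied", but the text does not say what happens when `#member` is left off. State whether `group-TeamA administrator controller-MyController` is rejected with an error or accepted with a different meaning; because the same sentence covers grant and revoke, an operator needs to know whether a tuple without the suffix actually revokes anything.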

Expand Down Expand Up @@ -1940,3 +1988,51 @@ Details
-------

Updates a model known to JIMM that has been migrated externally to a different JAAS controller.

jaas upgrade-to
===============

.. _summary-35:

Summary
-------

Upgrades a controller to a specified version

.. _usage-35:

Usage
-----

``jaas upgrade-to [options] <version> <model-uuid>``

.. _options-34:

Options
~~~~~~~

+--------------------------------+-----------------------+-------------------------------------------+
| Flag | Default | Usage |
+================================+=======================+===========================================+
| ``-B``, ``--no-browser-login`` | false | Do not use web browser for authentication |
+--------------------------------+-----------------------+-------------------------------------------+
| ``--format`` | yaml | Specify output format (json|yaml) |
+--------------------------------+-----------------------+-------------------------------------------+
| ``-o``, ``--output`` | | Specify an output file |
+--------------------------------+-----------------------+-------------------------------------------+

.. _examples-34:

Examples
--------

::

juju upgrade-to 3.6.11 2cb433a6-04eb-4ec4-9567-90426d20a004

.. _details-35:

Details
-------

Upgrades a controller to a specified version.
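
Review bot: The summary says the command upgrades a controller, but the usage line takes `<model-uuid>` and the example passes a UUID, so it is unclear whether the target is a controller or a model. Name the target consistently and explain the second argument under Details, which currently only repeats the summary. The example also invokes `juju upgrade-to` while the usage line documents `jaas upgrade-to`; use the same command in both.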