Restricting changes to running models
Deployed models can be protected from unintentional changes by disabling commands that can alter a model.
This is accomplished through the use of the disable-command command with one
of three progressively restrictive command groups:
- destroy-model
- remove-object
- all
By disabling the destroy-model group, for instance, the user loses the ability
to destroy both the model and its controller. Specifying the remove-object
group adds to these restrictions by disabling the removal of machines,
relations, applications and units. The all group disables the complete set of
commands that can change the configuration of a model.
To give the user some feedback on why a command might be disabled, an optional message argument can be passed as part of the disable command.
For example, the following could be used to prevent execution of both the
destroy-model and destroy-controller commands:
juju disable-command destroy-model "Check with SA before destruction."
If a user now attempts to destroy a protected model, they'd encounter an error similar to the following:
Destroying model
ERROR cannot destroy model: Check with SA before destruction.
destroy-model operation has been disabled for the current model.
To enable the command run
juju enable-command destroy-model
Re-enabling a command
The reverse of disable-command is enable-command. This can be used with
the corresponding group to restore a user's access to that group's commands:
juju enable-command destroy-model
By default, these actions are performed against the currently selected controller and model, but specific models can be targeted by using the additional '-m' or '--model' argument.
If you need to list which commands have been disabled, use disabled-commands:
juju disabled-commands
This will output will list any group that's currently disabled:
Disabled commands Message all
Warning: In some cases, the disable command will only take effect after the user has logged out of Juju and logged back in again.
Commands within each enable and disable group
| destroy-model | remove-object | all |
|---|---|---|
| destroy-controller | destroy-controller | add-relation |
| destroy-model | destroy-model | add-unit |
| destroy-machine | add-ssh-key | |
| remove-machine | add-user | |
| remove-relation | change-user-password | |
| remove-application | deploy | |
| remove-unit | disable-user | |
| destroy-controller | ||
| destroy-model | ||
| enable-ha | ||
| enable-user | ||
| expose | ||
| import-ssh-key | ||
| remove-application | ||
| remove-machine | ||
| remove-relation | ||
| remove-ssh-key | ||
| remove-unit | ||
| resolved | ||
| retry-provisioning | ||
| run | ||
| config | ||
| set-constraints | ||
| model-config | ||
| sync-agent-binaries | ||
| unexpose | ||
| upgrade-charm | ||
| upgrade-model |
Note: The '--force' option recognized by some Juju commands bypasses any restriction level that would otherwise apply. If your policy is to use restrictions then the immediate use of the '--force' option should not be part of your workflow. If you must use it, do so after having first run the Juju command without it to ensure you are aware of any possible restrictions.