make oc login kubeconfig permission error clearer

[juanvallejo]

Related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1332131

When logging in with a $KUBECONFIG variable, or --config flag pointing to a location that denies write access, oc login prints a non-specific error at the bottom of its output:

export KUBECONFIG=/src
oc login --token=<my_token> --insecure-skip-tls-verify

Logged into "https://localhost:8443" as "test" using the token provided.

You have one project on this server: "test-project"

Using project "test-project".
error: open /src.lock: permission denied

This updates the error to be more clear as to what has happened:

oc login -u test -p test --insecure-skip-tls-verify

Login successful.

You have one project on this server: "myproject"

Using project "myproject".
error: KUBECONFIG is set to a file that cannot be created or modified: /src
Solution:

You can unset the KUBECONFIG variable to use the default location for it:
   unset KUBECONFIG

Or you can set its value to a file that can be written to:
   export KUBECONFIG=/path/to/file

Caused By:
  open /src.lock: permission denied

Same output, but using a --config flag:

oc login -u test -p test --insecure-skip-tls-verify --config=/src

Login successful.

You have one project on this server: "myproject"

Using project "myproject".
error: KUBECONFIG is set to a file that cannot be created or modified: /src
Solution:

Make sure that the value of the --config flag passed contains a valid path:
        --config=/path/to/valid/file

Caused By:
  open /src.lock: permission denied

[juanvallejo]

[test]

[juanvallejo]

@fabianofranz Could you please take a look? Thanks!

[liggitt]

Is the only error that could come back from this a file permission error

[juanvallejo]

@liggitt hm, I could parse the error string to make sure it is a "permission denied" error before returning this message, and then otherwise return just the original error message. But I am not sure that the only error that comes back is file permission error.

[liggitt]

Parsing error strings is a code smell

[juanvallejo]

Hm, what if I type the errors in loader.go#WriteToFile and then return a message accordingly in loginoptions.go?

EDIT: turns out os.IsPermission works :p 0a85f23#diff-f260fb37cbe8b4d20167cc6bc6d4e51aR397

[juanvallejo]

[test]

[stevekuznetsov]

Check with @csrwng, he implemented a similar feature in oc cluster up recently.

[csrwng]

I added a check and error message in case your config is not writeable:
https://github.com/openshift/origin/blob/master/pkg/bootstrap/docker/up.go#L356

[juanvallejo]

@csrwng @fabianofranz I think @csrwng's error message for kubeconfig not being writable definitely would work for oc login, do you think it'd be better to just import github.com/openshift/origin/pkg/bootstrap/docker/errors to use it here, or simply copy it over?

[fabianofranz]

@juanvallejo importing works for me.

[liggitt]

I would move it if we intend to reuse it. I don't want login depending on docker bootstrap packages.

[csrwng]

@juanvallejo so in the cluster up code I check for the interfaces implemented by the error so I can print out additional details, solution, etc. In this case, it seems that would all make sense to be part of the error message, since that's what would get printed out, no?

[stevekuznetsov]

Quote your vars

os::cmd::expect_failure_and_text "oc login '${KUBERNETES_MASTER}' -u test ...
                                           ^                    ^

[juanvallejo]

@csrwng

@juanvallejo so in the cluster up code I check for the interfaces implemented by the error so I can print out additional details, solution, etc

Thanks for pointing this out! I went ahead and added that in the printer.go file, as well as a FormatError function for cases where you're returning the final error with its message, rather than passing a writer interface.

[csrwng]

@juanvallejo you can implement FormatError by calling PrintError on a buffer and returning the buffer string.

One concern is that we don't usually display errors like this for other CLI commands.

[juanvallejo]

@csrwng

you can implement FormatError by calling PrintError on a buffer and returning the buffer string.

Sounds good

One concern is that we don't usually display errors like this for other CLI commands.

I went ahead and changed the format so that it resembles more a standard error msg:

Login successful.

You have one project on this server: "myproject"

Using project "myproject".
error: KUBECONFIG is set to a file that cannot be created or modified: /src
open /src.lock: permission denied

You can unset the KUBECONFIG variable to use the default location for it:
   unset KUBECONFIG

Or you can set its value to a file that can be written to:
   export KUBECONFIG=/path/to/file

[juanvallejo]

re[test]

[fabianofranz]

Looks like parts of this new errors structure (the interface, printer, internalError, etc) are generic enough to be used not only by oc but also other commands (oadm, openshift, etc). Should then be in a parent package like pkg/cmd/errors?

[juanvallejo]

@fabianofranz

Should then be in a parent package like pkg/cmd/errors?

I agree with this, I'll go ahead and update the PR

[fabianofranz]

I believe this belongs to the suite you started in line 13 (which is doing nothing).

[stevekuznetsov]

The rest of our tests for oc login are in the main body of hack/test-cmd.sh.

Although I have a PR in flight to move that location, I think it makes the most sense to colocate this test and those others. Whichever of us merges first will rebase.

[juanvallejo]

Sounds good, I will update the PR with these changes

[juanvallejo]

@deads2k @fabianofranz

If you're going to use this type to collapse the pkg/bootstrap/docker usage, then it can live here. If its only call site is pkg/cmd/cli/cmd, then it should live there.

Sounds good, since errors/login.go is only used by pkg/cmd/cli/cmd/loginoptions.go, I have moved it to pkg/cmd/cli/cmd/errors

[fabianofranz]

@juanvallejo good to go?

[juanvallejo]

@fabianofranz Yeah, everything looks good to me

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7026/) (Image: devenv-rhel7_4690)

[deads2k]

@juanvallejo could use a squash

[juanvallejo]

@deads2k

could use a squash

Done!

[fabianofranz]

[merge]

[openshift-bot]

Evaluated for origin test up to ce8595f

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7001/)

[openshift-bot]

Evaluated for origin merge up to ce8595f