Update "no projects" warning in oc status
#12328
Conversation
|
[test] |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
2505358 to
94cb181
Compare
Does not make sense. Projects aren't nested in projects. |
|
@smarterclayton I believe this is an error defined server-side in the authorizer package. Would it make more sense to change |
Alternatively we could just handle the forbidden error client side and return a more user-friendly message here |
|
The error you are seeing cannot be correct - projects are not nested in projects, so whatever is putting that message together is doing so incorrectly. If that's the server, the server should be fixed. |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
2 times, most recently
from
e2af29a to
f3283ca
Compare
Updated a conditional to authorizer messages to fix this: https://github.com/openshift/origin/pull/12328/files#diff-14287a8c63a62966ec50b251f590618d EDIT: updated output |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
f3283ca to
31eae66
Compare
| @@ -30,17 +30,17 @@ func NewForbiddenMessageResolver(projectRequestForbiddenTemplate string) *Forbid | |||
| } | |||
|
|
|||
| // general messages | |||
| messageResolver.addNamespacedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`)) | |||
| messageResolver.addNamespacedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+`{{if not .Attributes.IsProjectResource}}{{.Attributes.GetResource}} in {{end}}project "{{.Namespace}}"`)) | |||
There was a problem hiding this comment.
This doesn't even make sense - projects aren't namspaced, why is GetResource a project resource?
There was a problem hiding this comment.
.IsProjectResource needs better phrasing (I will update this), but I did not mean for it to imply that GetResource was a project resource, rather IsProjectResource returns true if the string value of Attributes.GetResource == "projects"
There was a problem hiding this comment.
But this is messageResolver.addNamespacedForbiddenMessageMaker - why is create projects getting passed to this? Since projects is never invoked in a namespaced context, I wouldn't expect this message to get used at all (it should be a different message without referencing projects or namespaces at all).
|
@smarterclayton |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
2 times, most recently
from
a300229 to
e571ad8
Compare
Updated authorizer messages so that only "get" requests for the "projects" resource have this custom message. "Projects" are both namespaced and non-namespaced in the authorizer depending on where they are on the stack to allow for better handling of "get" requests. cc @deads2k |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
2 times, most recently
from
7a43510 to
bb1a3b8
Compare
| @@ -146,6 +149,11 @@ func (d *ProjectStatusDescriber) MakeGraph(namespace string) (osgraph.Graph, set | |||
| // Describe returns the description of a project | |||
| func (d *ProjectStatusDescriber) Describe(namespace, name string) (string, error) { | |||
| var f formatter = namespacedFormatter{} | |||
| var currentProject string | |||
|
|
|||
| if currentContext, exists := d.Config.Contexts[d.Config.CurrentContext]; exists { | |||
There was a problem hiding this comment.
Just looking at all this code, it is increasingly complex and not really the right point to be doing the check. Describe() knowing about ClientConfig in this way is leaking the abstraction. You already get "default namespace or not" from the bool returned the .Namespace() call. Line 114 above.
|
@smarterclayton Thanks for the feedback, review comments addressed |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
2 times, most recently
from
9ba087b to
7811df8
Compare
|
@smarterclayton or @fabianofranz are there any more comments on this patch? Thanks! |
|
conformance flaked on #12362 re[test] |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
5 times, most recently
from
c129637 to
03de650
Compare
|
integration e2e check flaked on #12540 re[test] |
|
@fabianofranz or @smarterclayton are there any more comments for this PR? Thanks |
|
LGTM, squash? |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
03de650 to
62299d5
Compare
|
@fabianofranz Done! |
|
[merge] |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
62299d5 to
870d269
Compare
|
integration check flaked on #12558 re[test] |
|
flaked on #12558 re[test] |
|
[merge] |
|
@juanvallejo Test failure seems legit, ptal. You may need to delete the project by name, instead of |
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
870d269 to
b1b51fa
Compare
This patch only re-uses the `oc login` "no projects" warning in
`oc status` when a user cannot access the current default namespace
and has not yet created any projects and has not passed a namespace
value with the `--namespace` flag.
**Before**
```
$ oc login -u newuser -p any
$ oc status
You don't have any projects. You can try to create a new project, by
running
oc new-project <projectname>
$ oc status -n default
You don't have any projects. You can try to create a new project, by
running
oc new-project <projectname>
```
**After**
```
$ oc login -u newuser -p any
$ oc status
You don't have any projects. You can try to create a new project, by
running
oc new-project <projectname>
$ oc status -n default
Error from server: User "newuser" cannot get projects in project "default"
$ oc new-project proj1
$ oc new-project proj2
$ oc status
In project proj2 on server https://10.13.137.149:8443
You have no services, deployment configs, or build configs.
Run 'oc new-app' to create an application.
$ oc delete project proj2
$ oc status
Error from server: User "newuser" cannot get projects in project "proj2"
$ oc logout
$ oc login -u newuser -p any
$ oc status
In project proj1 on server https://10.13.137.149:8443
You have no services, deployment configs, or build configs.
Run 'oc new-app' to create an application.
```
juanvallejo
force-pushed
the
jvallejo/update-oc-status-warning
branch
from
b1b51fa to
9cfc359
Compare
|
@fabianofranz thanks, turns out I was not waiting for projects to be deleted, so when I tried deleting a new project right after deleting a previous one, I would get a forbidden error. |
|
Evaluated for origin test up to 9cfc359 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13249/) (Base Commit: c5868ac) |
|
[merge] |
|
Evaluated for origin merge up to 9cfc359 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13249/) (Base Commit: dced7f7) (Image: devenv-rhel7_5774) |
|
Looks like it is, I'm reverting. |
Related bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1405636#c3
Related PR: #12304
This patch only re-uses the
oc login"no projects" warning inoc statuswhen a user cannot access the current default namespaceand has not yet created any projects and has not passed a namespace
value with the
--namespaceflag.Before
After
cc @openshift/cli-review