Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

List currently authorized scopes on 403 #11720

Merged
merged 1 commit into from
Mar 11, 2019
Merged

List currently authorized scopes on 403 #11720

merged 1 commit into from
Mar 11, 2019

Conversation

nikhita
Copy link
Member

@nikhita nikhita commented Mar 11, 2019

We cannot be certain that the 403 error is caused by insufficient permissions, so while displaying which scopes should be used also display which scopes are in use currently so that it's easier to debug.

Ref: #3647 (comment)

Context for this change: peribolos currently fails with:

{"client":"github","component":"peribolos","level":"info","msg":"UpdateTeamMembership(2113629, euank, false)","time":"2019-03-11T03:17:04Z"}
{"component":"peribolos","error":"is the account using at least one of the following oauth scopes?: admin:org, repo","level":"warning","msg":"UpdateTeamMembership(2113629, euank, false) failed","time":"2019-03-11T03:17:07Z"}
{"component":"peribolos","level":"fatal","msg":"Configuration failed: failed to configure kubernetes-incubator teams: failed to update maintainers-rktlet members: 1 errors: [is the account using at least one of the following oauth scopes?: admin:org, repo]","time":"2019-03-11T03:17:07Z"}

I haven't really figured out the root cause of the error yet but it seemed weird that the token didn't have the org admin scope....it'd be useful to also list the oauth scopes that the token currently uses so that it's easier to debug in the future.

/cc @stevekuznetsov @cjwagner @fejta @spiffxp

@nikhita
List currently authorized scopes on 403
6acad33 
We cannot be certain that the 403 error is caused by insufficient
permissions, so while displaying which scopes should be used also
display which scopes are in use.
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/prow Issues or PRs related to prow sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Mar 11, 2019
nikhita
nikhita commented Mar 11, 2019
View reviewed changes
prow/github/client.go
err = fmt.Errorf("is the account using at least one of the following oauth scopes?: %s", oauthScopes)
authorizedScopes := resp.Header.Get("X-OAuth-Scopes")
if authorizedScopes == "" {
authorizedScopes = "no"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I don't like setting the authorizedScopes to "no" here...but I can't figure out how to make the message pretty without it. 🤔

@nikhita nikhita mentioned this pull request Mar 11, 2019
Merged
@stevekuznetsov
Copy link
Contributor

Seems fine for me

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 11, 2019
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 3dd1156bd949bad3d3c3862e872d8e7283cd629a

@stevekuznetsov
Copy link
Contributor

/approve

Thanks @nikhita

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nikhita, stevekuznetsov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 11, 2019
@k8s-ci-robot k8s-ci-robot merged commit 80ea245 into kubernetes:master Mar 11, 2019
@nikhita nikhita deleted the list-currently-used-scopes branch March 11, 2019 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cjwagner cjwagner Awaiting requested review from cjwagner

@fejta fejta Awaiting requested review from fejta

@spiffxp spiffxp Awaiting requested review from spiffxp

@stevekuznetsov stevekuznetsov Awaiting requested review from stevekuznetsov

Assignees

@stevekuznetsov stevekuznetsov

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/prow Issues or PRs related to prow cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nikhita @stevekuznetsov @k8s-ci-robot