Client setup (better login, config files and switch projects)

[fabianofranz]

No description provided.

[deads2k]

Is this a straight copy of: https://github.com/openshift/origin/blob/master/pkg/cmd/experimental/login/smart_merge.go? Need to clean up the original?

[fabianofranz]

Almost a straight copy, I just moved getUniqueName into this file.

----- Original Message -----

@@ -0,0 +1,157 @@
+package config

Is this a straight copy of:
https://github.com/openshift/origin/blob/master/pkg/cmd/experimental/login/smart_merge.go?
Need to clean up the original?

---

Reply to this email directly or view it on GitHub:
https://github.com/openshift/origin/pull/992/files#r24611203

[fabianofranz]

Removed the original.

----- Original Message -----

@@ -0,0 +1,157 @@
+package config

Is this a straight copy of:
https://github.com/openshift/origin/blob/master/pkg/cmd/experimental/login/smart_merge.go?
Need to clean up the original?

---

Reply to this email directly or view it on GitHub:
https://github.com/openshift/origin/pull/992/files#r24611203

[fabianofranz]

@smarterclayton I need to intercept every API request in order to check for an eventual 401 Unauthorized and then be able to print a proper, user-friendly, message (you need to log in bla bla). Any feedback about this approach? Would you suggest something different than taking the clients and injecting it here in the Factory? Looks a little hacky, nothing protects us against people doing client.New / kclient.New directly.

[smarterclayton]

You want to create a transport and pass it in to client.New on the config. Your transport should wrap http.DefaultTransport.

----- Original Message -----

if err != nil {
    return nil, nil, err
}

• oc, err := client.New(os)

• transport, err := kclient.TransportFor(cfg)

@smarterclayton I need to intercept every API request in order to check for
an eventual 401 Unauthorized and then be able to print a proper,
user-friendly, message (you need to log in bla bla). Any feedback about
this approach? Would you suggest something different than taking the clients
and injecting it here in the Factory? Looks a little hacky, nothing protects
us against people doing client.New / kclient.New directly.

---

Reply to this email directly or view it on GitHub:
https://github.com/openshift/origin/pull/992/files#r24695535

[fabianofranz]

Note that I need to wrap both the origin and the kube clients, so that it works when doing i.e. osc get <kubeobject>

[smarterclayton]

You should be able to alter the ClientConfig before it is passed up

----- Original Message -----

if err != nil {
    return nil, nil, err
}

• oc, err := client.New(os)

• transport, err := kclient.TransportFor(cfg)

Note that I need to wrap both the origin and the kube clients, so that it
works when doing i.e. osc get <kubeobject>

---

Reply to this email directly or view it on GitHub:
https://github.com/openshift/origin/pull/992/files#r24702754

[fabianofranz]

User login flow

Every osc command will try to use a config file from the expected locations (more info below). If a config file could not be found in any of the locations (and the individual configs were also not specified through flags like --server), commands will fail as "not configured". Example:

$ osc get templates
OpenShift is not configured. You need to run the login command in order to create a default config for your server and credentials:

  osc login [--username=<username>] [--password<password>] [--server=<server>]

You can also run this command again providing the path to a config file directly, either through the --config flag of the OPENSHIFTCONFIG environment variable.

The osc login command is the entry point to start the client configuration. Login will take several information from the user (server URL, username, password), either through flags or interactive prompt if flags were not provided, and will automatically create a config file in the home directory that will be used by every command after logging in.

The --project flag is also accepted by login and if provided the command will switch to the provided project after logging in.

1. Log in by providing username, password and server (and alternatively other optional flags that may apply), either through flags or interactive input.

$ osc login
Username: myself
Password: ********
Server: https://localhost:8443/
Logged into <server> as <username>.

$ osc login [--username <username>] [--password <password>] [--server <server>] [--project <project>]
Logged into <server> as <username>.

$ osc login [--username <username>] [--password <password>] [--server <server>] [--project <project>]
Already logged into <server> as <username>.

The command always checks for an existing and valid token for the given server and username and if exists, just make use of it. All flags are optional and if the command misses something that it needs and were not provided and not present in the context currently in use, the user will be prompted for input.

1. The server and username flags can also recognize existing clusters or users present in the config file in use by its keys. So users can also log in by providing clusters, users or contexts already known by the config file.

$ osc login [--context <context>]
Logged into <server> as <username>.

$ osc login [--username <user>]  [--password <password>] [--server <cluster>]
Logged into <server> as <username>.

1. TODO: Kerberos

Config loading order

Notice it may not make sense to support both the --kubeconfig and --openshiftconfig flags so we will probably only keep the latter. Same for the KUBECONFIG and OPENSHIFTCONFIG env vars. Alternative names are presented below.

1. --openshiftconfig or even just --config flag
2. OPENSHIFTCONFIG or OPENSHIFT_CONFIG env var
3. .openshiftconfig file in current directory
4. ~/.openshift/.openshiftconfig or just ~/.openshift/.config ~/.config/openshift/.config file
5. --kubeconfig flag
6. KUBECONFIG env var
7. .kubeconfig file in current directory
8. ~/.kube/.kubeconfig file

Progress

• Login
  • By username and password
  • By existing context
  • Save auth info to config file after logging in and make sure it's used
  • Support all locations following the loading order (todo: handle file not writable)
  • Switch to another user or server
  • Reuse previous tokens when switching users
• Config
  • Config files provided by either flags, env vars, local or home directories (following the loading order above)
  • OpenShift-specific configs
  • Create a config file if one is not located in any of the supported locations
• Other
  • User-friendly message when running any command and auth fails
  • Set the project in use after logging in
  • Logout
  • Move from experimental to osc login
  • More tests
• Project
  • Command to switch between projects (osc project <project-name>)
  • Must only use projects the user has access to (waiting for Make List Projects authorization aware #971)

FYI @smarterclayton @deads2k @jwforres @liggitt It's starting to look good, in case you want to check out and give it a try. ;)

[smarterclayton]

----- Original Message -----

User login flow

The --project flag is accepted by all flows and if provided the command
will switch to the provided project after logging in.

1. Log in by providing username, password and server (and alternatively other
   optional flags that may apply). The command always checks for an existing
   and valid token for the given server and username and if exists, just make
   use of it. All flags are optional and if the command misses something that
   it needs and were not provided and not present in the context currently in
   use, the user will be prompted for input.

$ osc login [--username <username>] [--password <password>] [--server
<server>] [--project <project>]
Logged into <server> as <username>.

$ osc login
Username: myself
Password: ********
Server: https://localhost:8443/
Logged into <server> as <username>.

$ osc login [--username <username>] [--password <password>] [--server
<server>] [--project <project>]
Already logged into <server> as <username>.

1. The server and username flags can also recognize existing clusters or
   users present in the config file in use by its keys. So users can also log
   in by providing clusters, users or contexts already known by the config
   file.

$ osc login [--context <context>]
Logged into <server> as <username>.

What happens if I pass user, context, and server?

$ osc login [--username ] [--password ] [--server ]
Logged into as .

3. TODO: Kerberos

Config loading order
-----

Notice it may not make sense to support *both* the `--kubeconfig` and
`--openshiftconfig` flags so we will probably only keep the latter. Same for
the `KUBECONFIG` and `OPENSHIFTCONFIG` env vars. Alternative names are
presented below.

1. `--openshiftconfig` or even just `--config` flag
2. `OPENSHIFTCONFIG` or `OPENSHIFT_CONFIG` env var

--config

1. ./.openshiftconfig file
2. ~/.openshift/.openshiftconfig or just ~/.openshift/.config file

Or .config/openshift/.config

We should be consistent with upstream though.

1. --kubeconfig flag

Don't support

1. KUBECONFIG env var

Support

1. ./.openshiftconfig file

We should only support one config path

1. ~/.kube/.kubeconfig file

We should support upstreams config path.

Progress

• Login
  • By username and password
  • By existing context
  • Save auth info to config file after logging in and make sure it's
    used
  • Support all locations following the loading order (todo: handle file
    not writable)
  • Switch to another user or server
  • Reuse previous tokens when switching users
• Config
  • Config files provided by either flags, env vars, local or home
    directories (following the loading order above)
  • OpenShift-specific configs
  • Create a config file if one is not located in any of the supported
    locations
• Other
  • User-friendly message when running any command and auth fails
  • Set the project in use after logging in
  • Logout
  • Move from experimental to osc login
  • More tests

FYI @smarterclayton @deads2k @jwforres @liggitt It's starting to look good,
in case you want to check out and give it a try. ;)

---

Reply to this email directly or view it on GitHub:
#992 (comment)

[fabianofranz]

----- Original Message -----

----- Original Message -----

User login flow

The --project flag is accepted by all flows and if provided the command
will switch to the provided project after logging in.

1. Log in by providing username, password and server (and alternatively
   other
   optional flags that may apply). The command always checks for an existing
   and valid token for the given server and username and if exists, just
   make
   use of it. All flags are optional and if the command misses something that
   it needs and were not provided and not present in the context currently in
   use, the user will be prompted for input.

$ osc login [--username <username>] [--password <password>] [--server
<server>] [--project <project>]
Logged into <server> as <username>.

$ osc login
Username: myself
Password: ********
Server: https://localhost:8443/
Logged into <server> as <username>.

$ osc login [--username <username>] [--password <password>] [--server
<server>] [--project <project>]
Already logged into <server> as <username>.

1. The server and username flags can also recognize existing clusters
   or
   users present in the config file in use by its keys. So users can also log
   in by providing clusters, users or contexts already known by the config
   file.

$ osc login [--context <context>]
Logged into <server> as <username>.

What happens if I pass user, context, and server?

I believe they should be mutually exclusive - if context were provided don't accept the other flags. Let's not fall into merging configs provided by different levels of the priority stack again.

$ osc login [--username ] [--password ] [--server
]
Logged into as .

3. TODO: Kerberos

Config loading order
-----

Notice it may not make sense to support *both* the `--kubeconfig` and
`--openshiftconfig` flags so we will probably only keep the latter. Same
for
the `KUBECONFIG` and `OPENSHIFTCONFIG` env vars. Alternative names are
presented below.

1. `--openshiftconfig` or even just `--config` flag
2. `OPENSHIFTCONFIG` or `OPENSHIFT_CONFIG` env var

--config

1. ./.openshiftconfig file
2. ~/.openshift/.openshiftconfig or just ~/.openshift/.config file

Or .config/openshift/.config

We should be consistent with upstream though.

1. --kubeconfig flag

Don't support

1. KUBECONFIG env var

Support

1. ./.openshiftconfig file

We should only support one config path

1. ~/.kube/.kubeconfig file

We should support upstreams config path.

Progress

• Login
  • By username and password
  • By existing context
  • Save auth info to config file after logging in and make sure it's
    used
  • Support all locations following the loading order (todo: handle
    file
    not writable)
  • Switch to another user or server
  • Reuse previous tokens when switching users
• Config
  • Config files provided by either flags, env vars, local or home
    directories (following the loading order above)
  • OpenShift-specific configs
  • Create a config file if one is not located in any of the supported
    locations
• Other
  • User-friendly message when running any command and auth fails
  • Set the project in use after logging in
  • Logout
  • Move from experimental to osc login
  • More tests

FYI @smarterclayton @deads2k @jwforres @liggitt It's starting to look
good,
in case you want to check out and give it a try. ;)

---

Reply to this email directly or view it on GitHub:
#992 (comment)

---

Reply to this email directly or view it on GitHub:
#992 (comment)

[fabianofranz]

@smarterclayton @deads2k Check how this proposal for the config file loading sound (notice the loading follows this order of priority).

First try using OpenShift locations:

1. path provided through the --config flag
2. path provided through the OPENSHIFTCONFIG env var
3. .openshiftconfig file in current directory
4. in home dir, ~/.config/openshift/.config file

If not found in any of the above, try the Kube locations (except for the --kubeconfig flag which we don't support:

1. path provided through the KUBECONFIG env var
2. .kubeconfig file in current directory
3. in home dir, ~/.kube/.kubeconfig file

Notice that if a config file were not found in any of the above locations we create one, using the OpenShift config file in home dir (in the proposal above, ~/.config/openshift/.config).

This is already implemented (although I need to do a big review of the code, a few things like the loaders are disconnected, etc), so when we close the deal I'll update it.

[fabianofranz]

@deads2k Ok, all 3 blockers addressed. Please check handle certs and tokens and report deserialization errors. All logic around wrapping errors was removed. The new errors.go is still there, but now only targeting to provide pretty messages and Is*Error kind of methods. Used only in login for now.

[deads2k]

ReadFile can fail for reasons other than FileNotFound (permissions as an example). Those other kinds of failures should be reported. Only suppress the FileNotFound case.

[fabianofranz]

Good catch, fixed.

[deads2k]

Two more comments and then we'll merge this take the rest as follow ons.

[liggitt]

shouldn't need to copy these files... the kubeconfig inlines the cert/key/roots data

[fabianofranz]

Good catch, fixed.

[liggitt]

(fine to tweak the test sh files post-merge)

[fabianofranz]

@deads2k all set.

[fabianofranz]

@deads2k Project no longer required for a successful setup.

[deads2k]

There's a few TODOs, but this is a good starting point. [merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1188/) (Image: devenv-fedora_1053)

[openshift-bot]

Evaluated for origin up to aa0ba81

[smarterclayton]

Fabiano, email to public list please detailing the new function and how people can give feedback (i.e. how it works)

----- Original Message -----

There's a few TODOs, but this is a good starting point. [merge]

---

Reply to this email directly or view it on GitHub:
#992 (comment)