Bug 1341634
| Summary: | Improve vault error messages | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Aneta Šteflová Petrová <apetrova> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | mbasti, pvoborni, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-08 12:01:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Isn't the expected result of case 1 less verbose? Current message says that the user cannot do the operation because he lacks privilege for some attribute. I can imagine a situation where somebody would create permission which would allow user to set it for some vaults but not for others. Then the expected message would not be correct.

Case 2: this is a result of bad UI (commands). Isn't the message too verbose?

What about:

(assuming kinited administrator fbar)

    $ ipa vault-show shared_vault
    ipa: ERROR: shared_vault: vault not found in user container fbar

    $ ipa vault-show shared_vault --user=baz
    ipa: ERROR: shared_vault: vault not found in user container baz

    $ ipa vault-show user_vault --shared
    ipa: ERROR: user_vault: vault not found in shared container

    $ ipa vault-show shared_vault --service=foo/bar.test
    ipa: ERROR: shared_vault: vault not found in service container foo/bar.test

It would indicate where it searched for the vault and therefore user can realize his mistake but would not assume that user meant something different.

(In reply to Petr Vobornik from comment #1)
> Isn't the expected result of case 1 less verbose? Current message says that
> the user cannot do the operation because he lacks privilege for some
> attribute. I can imagine a situation where somebody would create permission
> which would allow user to set it for some vaults but not for others. Then
> the expected message would not be correct.

The current message doesn't seem very clear to me. As a user learning how to use vaults, I had to spend some time figuring out what it means and how to fix the problem. (Granted, it wasn't a lot of time, but it still felt like an obstacle.)

Would a message like this one still be correct?

"You do not have sufficient privileges to run this command. Try repeating the action as a user who is allowed to perform this action."

(Note that this is just a suggestion, feel free to rephrase it any way you like.)

> Case 2: this is a result of bad UI (commands). Isn't the message too verbose?
>
> What about:
>
> (assuming kinited administrator fbar)
>
> $ ipa vault-show shared_vault
> ipa: ERROR: shared_vault: vault not found in user container fbar
>
> $ ipa vault-show shared_vault --user=baz
> ipa: ERROR: shared_vault: vault not found in user container baz
>
> $ ipa vault-show user_vault --shared
> ipa: ERROR: user_vault: vault not found in shared container
>
> $ ipa vault-show shared_vault --service=foo/bar.test
> ipa: ERROR: shared_vault: vault not found in service container foo/bar.test
>
> It would indicate where it searched for the vault and therefore user can
> realize his mistake but would not assume that user meant something different.

Yes, this is much better, thanks. Would it also be possible to hint how to fix the problem? Something like:

"Repeat the command and add the appropriate option to specify which container you are targeting."

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5950

We haven't been able to fulfill this requirement as it requires changes in the framework or the majority of the vault-* commands code, which we do not want to modify. Thus WONTFIX.

To be more precise, the improvement is a non-trivial task given how the vault-* commands are implemented. We do not think that fixing this bug would bring enough value to justify the amount of time required.
Description of problem:
Some vault error messages can be improved to be more helpful and descriptive.

How reproducible:
Always.

Steps to Reproduce:
1. Try to add a new vault owner as a regular user without vault admin privileges:

    $ ipa vault-add-owner vault_name --users user_name
    ...
    Failed owners:
    owner user: user_name: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry ...

2. Try to display information about a vault in a container other than your own private container. For example, run ipa vault-show on a shared vault without adding --shared:

    $ ipa vault-show shared_vault
    ipa: ERROR: shared_vault: vault not found

Actual results:
The current error messages don't clearly explain what is wrong and how to fix the problem.

Expected results:
In case of 1., the error message could clearly say that the user doesn't have sufficient privileges for the command.

In case of 2., the error message could say that by default, users can only use the command on vaults in their private container. If they want to target a vault in another container, they must add additional options (--shared, --user, or --service).

Additional info: