Bug 1704827 - oc login provides useless error when authentication is denied
Summary: oc login provides useless error when authentication is denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: 4.2.0
Assignee: Sally
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1664187
TreeView+ depends on / blocked
 
Reported: 2019-04-30 15:26 UTC by Eric Jones
Modified: 2019-10-16 06:28 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:28:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 48 0 'None' closed Bug 1704827: Improve error msg when console URL passed to login via CLI 2021-01-12 09:10:21 UTC
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:28:33 UTC

Description Eric Jones 2019-04-30 15:26:41 UTC
Description of problem:
after a successful installation, oc binary fails to allow login:

> ./oc login -u kubeadmin -p L2P74-oyKs7-sfTbJ-okZYk https://console-openshift-console.apps.erjonessecondtry.rhcee.support
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

error: invalid character '<' looking for beginning of value

Even tried exporting the KUBECONFIG per the installer:

> export KUBECONFIG=/home/erjones/4.X/2nd/auth/kubeconfig

Still fails afterwards with same error

Version-Release number of selected component (if applicable):
> ./oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.0-201904211700+86afce9-dirty", GitCommit:"86afce9", GitTreeState:"", BuildDate:"2019-04-21T23:20:35Z", GoVersion:"", Compiler:"", Platform:""}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.4+81fc896", GitCommit:"81fc896", GitTreeState:"clean", BuildDate:"2019-04-21T23:18:54Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}


Steps to Reproduce:
1. install 4.1 cluster
2. attempt to login

Actual results:
fail

Expected results:
succeed

Comment 1 Eric Jones 2019-04-30 15:41:09 UTC
Digging into this further I identified that the issue is not with not authenticating or reaching the api but the fact that the Authentication provider blocks other users from logging into the cli.

When I check the log-level=8 output I can see a DENY as the response, but instead of saying that the user is not a valid user or that the provider doesn't allow others to authenticate via CLI we simply get this "invalid character" error.

So we need to change the response message from [0] to something along the lines of "not authenticated" or "authentication denied".

[0]
error: invalid character '<' looking for beginning of value

Comment 4 Maciej Szulik 2019-05-02 20:36:19 UTC
This is not a bug per se, the error you're seeing states you're hitting web console URL (thus the starting < as the opening character from <html).
We could try improving the message stating something along the lines: the provided URL is not a valid cluster.

Comment 5 Sally 2019-08-08 17:38:45 UTC
yes, what's going on is this:
$ oc cluster-info
Kubernetes master is running at https://api.sotest871.devcluster.openshift.com:6443

$ oc login -u kubeadmin -p blahh-blahh https://api.sotest871.devcluster.openshift.com:6443
Login successful.
or
$ oc login -u kubeadmin -p blahh-blahh  (no server)
Login successful.


But if you use this instead:
$ oc get routes -n openshift-console
NAME        HOST/PORT                                                             PATH   SERVICES    PORT    TERMINATION          WILDCARD
console     console-openshift-console.apps.sotest871.devcluster.openshift.com            console     https   reencrypt/Redirect   None

$ oc login -u kubeadmin -p blahh-blahh https://console-openshift-console.apps.sotest871.devcluster.openshift.com
you'll see the error:
Use insecure connections? (y/n): y

error: invalid character '<' looking for beginning of value

I'll update the error msg to guide user to login using the cluster-info output

Comment 8 zhou ying 2019-09-11 02:34:16 UTC
Confirmed with latest oc , the issue has fixed:
[zhouying@dhcp-140-138 ~]$ oc version
Client Version: v4.2.0
Server Version: 4.2.0-0.nightly-2019-09-10-231328


[zhouying@dhcp-140-138 ~]$ oc login -u kubeadmin -p nJmnK-IvaBR-4rpEm-qDEN8 https://console-openshift-console.apps.yinzhou.qe.devcluster.openshift.com
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

error: Seems you passed an HTML page (console?) instead of server URL.
Verify provided address and try again.

Comment 9 errata-xmlrpc 2019-10-16 06:28:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922


Note You need to log in before you can comment on or make changes to this bug.