Bug 1867594 - oc adm release new unauthorized error lacks details
Summary: oc adm release new unauthorized error lacks details
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Sally
QA Contact: zhou ying
Depends On:
Reported: 2020-08-10 12:46 UTC by Devan Goodwin
Modified: 2020-08-26 11:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


System ID Priority Status Summary Last Updated
Github openshift oc pull 522 None closed Bug 1867594: Clarify which registry/repository fails with unauthorized 2020-08-26 06:34:18 UTC

Description Devan Goodwin 2020-08-10 12:46:05 UTC
Description of problem:

Ran into an auth problem doing oc adm release new but the default error output didn't clarify what exactly was failing.

❯ oc adm release new --from-release registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-08-06-050650 cloud-credential-operator=quay.io/dgoodwin/cloud-credential-operator:latest --to-image quay.io/dgoodwin/origin-release:latest


info: Loading sha256:725ac6e4957036d8d85d6f9ae8fb4fe93b0fb8008fc12c81d72459bb4e1f866b operator-marketplace
info: Loading sha256:d908715bc7102d256dc4c00bb99db860d57c85a2c6a61928ded208b2fb63a00b service-ca-operator
error: unauthorized: access to the requested resource is not authorized

With loglevel 9 it turned out this was actually MY repo the auth was failing on.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. oc adm release new with a --to-image you do not have auth for.

Actual results:

Unauthorized error but unclear what or where.

Expected results:

Indicate this was the auth to the --to-image that failed.

Additional info:

Comment 1 Sally 2020-08-17 18:57:08 UTC
Right, this error message can/should be clarified so the user knows which registry/repo and/or image caused the failure. In this case, 'oc adm release new' requires 2 auths, one for pulling and one for the push, and this isn't possible with the same-registry/different-repo (quay.io/openshift-release-dev for the pull and quay.io/dgoodwin for the push) in a single auth file. This is a limitation of docker, podman, and oc - these tools cannot authenticate with a single auth file that holds creds for registry/repo1 and registry/repo2. In such a scenario, only the first listed auth will be used. With 'oc adm release new' the workaround is to mirror the nightly to disk, then `oc adm release new` from disk to quay.io/anyrepo, OR, instead of pushing the release to your quay account, you can push to docker hub.
For this bz, I'll clarify the error message.
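
A pre-flight check for the situation described in Comment 1, added here as an example (it is not code from oc or from anyone on this bug): it reads an auth file and warns when an image reference points at a registry that has several repo-scoped entries or none at all. The "first listed entry wins" rule is taken from the comment, the `auths` layout is the docker config.json format, and the function names, sample file and fully qualified image references are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample auth file; the credential values are placeholders.
SAMPLE_AUTHFILE = json.dumps({
    "auths": {
        "quay.io/openshift-release-dev": {"auth": "placeholder-pull"},
        "quay.io/dgoodwin": {"auth": "placeholder-push"},
        "registry.svc.ci.openshift.org": {"auth": "placeholder-ci"},
    }
})

def registry_host(ref):
    """Return the registry host of an auth key or fully qualified image ref."""
    ref = ref.split("://", 1)[-1]        # drop an optional scheme
    return ref.split("/", 1)[0]

def colliding_entries(authfile_text):
    """Map registry host -> auth keys, for hosts listed more than once."""
    auths = json.loads(authfile_text).get("auths", {})
    by_host = defaultdict(list)
    for key in auths:                    # JSON objects keep file order
        by_host[registry_host(key)].append(key)
    return {h: keys for h, keys in by_host.items() if len(keys) > 1}

def preflight(authfile_text, image_refs):
    """Return one warning per image ref with missing or ambiguous auth."""
    auths = json.loads(authfile_text).get("auths", {})
    hosts = {registry_host(k) for k in auths}
    collisions = colliding_entries(authfile_text)
    warnings = []
    for ref in image_refs:
        host = registry_host(ref)
        if host not in hosts:
            warnings.append(f"{ref}: no auth entry for {host}")
        elif host in collisions:
            first, *ignored = collisions[host]
            warnings.append(
                f"{ref}: {host} has {len(ignored) + 1} entries; "
                f"first listed is {first}, not used: {', '.join(ignored)}"
            )
    return warnings

if __name__ == "__main__":
    refs = [
        "registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-08-06-050650",
        "quay.io/dgoodwin/origin-release:latest",
    ]
    for line in preflight(SAMPLE_AUTHFILE, refs):
        print("warning:", line)
```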
