Project

General

Profile

action #82067

Unable to use openqa-clone-custom-git-refspec - Returns 403 Not authorized

Added by ggardet_arm 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Concrete Bugs
Target version:
Start date:
2021-01-08
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

When I try to use openqa-clone-custom-git-refspec, I get the following error:

openqa-clone-custom-git-refspec https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/11715 https://openqa.opensuse.org/tests/1561242
Github oauth token provided, peforming authenticated requests
Failed to create job: "{\"error\":\"Not authorized\",\"error_status\":403}" at /usr/share/openqa/script/../lib/OpenQA/Script/CloneJob.pm line 288.

Related issues

Related to openQA Project - action #88053: Improve logging in scripts (was: openQA in openQA test fails with cryptic error enumerating jobs)Workable2021-01-20

History

#1 Updated by ggardet_arm 7 months ago

  • Priority changed from High to Normal

If I try when my corporate VPN is enabled, it works... My IP is blacklisted or something like that?

#2 Updated by okurz 7 months ago

  • Project changed from openQA Infrastructure to openQA Project
  • Category set to Concrete Bugs
  • Status changed from New to Feedback
  • Assignee set to okurz
  • Target version set to Ready

As DimStar correctly stated in chat openQA does not do any IP filtering :) And

Failed to create job: "{\"error\":\"Not authorized\",\"error_status\":403}" at /usr/share/openqa/script/../lib/OpenQA/Script/CloneJob.pm line 288.

certainly shows a response from openQA directly. Maybe you can privately share the key you used, not the secret! And at best also the exact timestamp of a reproduction and the output from the command:

bash -ex $(which openqa-clone-custom-git-refspec) https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/11715 https://openqa.opensuse.org/tests/1561242

#4 Updated by okurz 7 months ago

I could confirm that your API key and secret are valid. I could also successfully execute the command line you gave and the last "openqa-clone-job" line with your key+secret.

Your next best step could be to debug

openqa-clone-job --skip-chained-deps --within-instance https://openqa.opensuse.org 1561242 _GROUP=0 TEST=jeos@ggardet/os-autoinst-distri-opensuse#fix_ssh BUILD=ggardet/os-autoinst-distri-opensuse#11715 CASEDIR=https://github.com/ggardet/os-autoinst-distri-opensuse.git#fix_ssh PRODUCTDIR=os-autoinst-distri-opensuse/products/opensuse NEEDLES_DIR=/var/lib/openqa/share/tests/opensuse/products/opensuse/needles

can you try to call it once again explicitly to reproduce the error and then specify the --apikey $your_key --apisecret $your_secret parameters additionally as first parameters.

#5 Updated by ggardet_arm 7 months ago

okurz wrote:

I could confirm that your API key and secret are valid. I could also successfully execute the command line you gave and the last "openqa-clone-job" line with your key+secret.

Your next best step could be to debug

openqa-clone-job --skip-chained-deps --within-instance https://openqa.opensuse.org 1561242 _GROUP=0 TEST=jeos@ggardet/os-autoinst-distri-opensuse#fix_ssh BUILD=ggardet/os-autoinst-distri-opensuse#11715 CASEDIR=https://github.com/ggardet/os-autoinst-distri-opensuse.git#fix_ssh PRODUCTDIR=os-autoinst-distri-opensuse/products/opensuse NEEDLES_DIR=/var/lib/openqa/share/tests/opensuse/products/opensuse/needles

can you try to call it once again explicitly to reproduce the error and then specify the --apikey $your_key --apisecret $your_secret parameters additionally as first parameters.

If I specify --apikey $your_key --apisecret $your_secret for openqa-clone-job, then it worked!
But without, it still fails...

#6 Updated by okurz 6 months ago

ok, can you try to call the above commands with strace -eopen -f … to see which openQA config file is read? Maybe an unexpected config file is read.

#7 Updated by ggardet_arm 6 months ago

okurz wrote:

ok, can you try to call the above commands with strace -eopen -f … to see which openQA config file is read? Maybe an unexpected config file is read.

strace -eopen -f … returns nothing, so I tried strace -e read -f... and /etc/openqa/client.conf is not read...

#8 Updated by okurz 6 months ago

I would have assumed that ~/.config/openqa/client.conf is read, see help text of openqa-client: https://github.com/os-autoinst/openQA/blob/e8470f0ab1b197c8dac5914645350d1412b62a2d/script/client#L69

#9 Updated by ggardet_arm 6 months ago

  • Status changed from Feedback to Resolved

okurz wrote:

I would have assumed that ~/.config/openqa/client.conf is read, see help text of openqa-client: https://github.com/os-autoinst/openQA/blob/e8470f0ab1b197c8dac5914645350d1412b62a2d/script/client#L69

Ok, So, I fixed ~/.config/openqa/client.conf and it worked. My mistake was to update /etc/openqa/client.conf only. The funny part is updating /etc/openqa/client.conf changed the error message displayed.

#10 Updated by okurz 6 months ago

great that we could fix it. I am always looking for ways to improve the software we develop to prevent similar problems in the future. In this case though I am not sure what we could improve. Do you have an idea?

#11 Updated by cdywan 6 months ago

okurz wrote:

great that we could fix it. I am always looking for ways to improve the software we develop to prevent similar problems in the future. In this case though I am not sure what we could improve. Do you have an idea?

We could log where we read the config from when verbose: https://github.com/os-autoinst/openQA/pull/3679/files

salt for examples does that, and I found that very useful when trying to see if it found my overrides the other day.

#12 Updated by tinita 6 months ago

  • Related to action #88053: Improve logging in scripts (was: openQA in openQA test fails with cryptic error enumerating jobs) added

Also available in: Atom PDF