Set-pipeline or set-team cause `error: forbidden`


#1

I tried to set up a second cluster using another github auth, but all I get is error: forbidden

Things I already attempted:

  • login and logout from fly
  • delete .flyrc
  • triple check nginx
  • adding --main-team-github-user=...
  • adding --main-team-github-org=... (on top or instead)

How can I debug this further?

From the web node, all I get is the following using --logging-level=debug:

Sep 24 14:46:30 ip-172-31-27-112 concourse[20989]: {"timestamp":"1537800390.737047911","source":"atc","message":"atc.set-team.setting-team","log_level":0,"data":{"session":"99"}}
Sep 24 14:46:30 ip-172-31-27-112 concourse[20989]: {"timestamp":"1537800390.737420321","source":"atc","message":"atc.set-team.not-allowed","log_level":0,"data":{"session":"99"}}

Any hints would be really helpful.
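One way to pull the refused set-team calls out of the web node's debug output, as an added example that is not part of the original post or of Concourse itself. It assumes the journald-prefixed JSON format shown above; the third sample line (session 101) and the function names are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Sample input: the two lines from the post plus one constructed line (session 101).
SAMPLE = """\
Sep 24 14:46:30 ip-172-31-27-112 concourse[20989]: {"timestamp":"1537800390.737047911","source":"atc","message":"atc.set-team.setting-team","log_level":0,"data":{"session":"99"}}
Sep 24 14:46:30 ip-172-31-27-112 concourse[20989]: {"timestamp":"1537800390.737420321","source":"atc","message":"atc.set-team.not-allowed","log_level":0,"data":{"session":"99"}}
Sep 24 14:47:02 ip-172-31-27-112 concourse[20989]: {"timestamp":"1537800422.100000000","source":"atc","message":"atc.set-team.setting-team","log_level":0,"data":{"session":"101"}}
not a log line
"""

# journald/syslog prefix, then the JSON payload written by the web node.
LINE = re.compile(r"^.*?\bconcourse\[\d+\]:\s*(\{.*\})\s*$")


def parse(text):
    """Yield decoded JSON payloads, skipping anything that is not Concourse JSON."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue


def denied_set_team(text):
    """Return one record per refused set-team call, correlated by session id."""
    started = set()
    denied = []
    for rec in parse(text):
        session = rec.get("data", {}).get("session")
        msg = rec.get("message", "")
        if msg == "atc.set-team.setting-team":
            started.add(session)
        elif msg == "atc.set-team.not-allowed":
            when = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
            denied.append({
                "session": session,
                "time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
                "saw_start": session in started,  # False if the start line was lost
            })
    return denied


if __name__ == "__main__":
    for d in denied_set_team(SAMPLE):
        print(d)
```

The UTC time of each denial can then be matched against the login time of the token fly was using for that request.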


#2

Unless “second cluster” means a totally different Concourse instance, what you are trying to do is not supported as of 4.0.

From Concourse v.4.0.0:

There is no support for configuring the same provider multiple times (say, multiple GitHub Enterprise instances). The migration will fail when trying to upgrade an instance with teams having different configurations for the same provider.

At the moment, you’ll have to deploy multiple Concourse instances. This may be something we can support in the future.

If they are different Concourse instances then I’m not sure. How are you deploying your Concourse (i.e. BOSH, binary, something else)?


#3

That is not what I am trying to do. The two clusters are completely distinct (different users, different github OAuth App, different instances the worker/web nodes run on, different infrastructure).
My first one was set up around 2.x and continuously upgraded.
The second one, which I tried to spin up with 4.2.1 using a github account as member of the main team, yielded the above errors.
Using a basic auth dummy user account allowed me to set up teams.

My deployment is binary/docker on fedora/ubuntu host mix.


#4

I’m not as familiar with the binaries. Looking at the docs it sounds like the necessary flags are:

concourse web \
  ... \
  --github-client-id CLIENT_ID \
  --github-client-secret CLIENT_SECRET \
  --main-team-github-org=ORG_NAME

I think your error is coming from https://github.com/concourse/concourse/blob/master/atc/api/teamserver/set.go#L32 which suggests it’s failing because it doesn’t have sufficient permission to configure the main team.

I wonder if the github auth provider needs to be configured before it can be added to the main team.


#5

That is exactly what I already had.


#6

So it seems there is no way to initialize an instance with github only. A local user seems to be necessary otherwise I always run into the fatal: forbidden case. @vito (apologies for the direct mention) should I open a ticket for this?


#7

@drahnr I’m gonna ask a dumb question here: have you tried logging out of the web UI and logging back in after all your teams are set up, and then logging in to fly?

This is coming up a lot and we’re trying to think up a fix. It’s kind of hard.

Here’s the issue: https://github.com/concourse/concourse/issues/2441

And other reports of the same thing:


#8

Actually, I am not sure if I did try this exact procedure.

The only solution so far was to use a local user for setting up teams, but I can try again.