The story about the user who fought charmcraft and won

This is a story of the day a user was about to battle the charmcraft-login-beast to retrieve a CHARMHUB_TOKEN. (to be able to update our CI/CD action in github.)

This is a story about bravery, perils of charmcraft and how only the most rough-necked users gets to live and tell the story.

The story about the user and the charmcraft-login-beast.

One day, a user was about to login to update the CHARMHUB_TOKEN credential. Its was needed to build charms in github.

charmcraft login --ttl <seconds> --export ./token.file

The user knew that he needed to interact with charmcraft and switch user. He knew that this was a treacherous journey, so he made all the preparations. The charmcraft-login-beast was waiting.

At the beginning of the terminal session, he met the beast.

He did a few login attempts, but the beast was not letting him through to switch to the correct user. He was always pushed back to the first user. There was no way to switch. Also, there was no way to perform the login as a specific user or any help to get.

The user cried for help: charmcraft help login

But there was none to find.

image1152×384 103 KB

The battle was raging for a long time. The browser login attempts failed in many ways, mostly the beast responded with “invalid login state” - causing severe blows to the user. The beast had slain many users before.

The user knew that it was not going to help knowing the regular “username”, so he tried the “Use email” maneuver, but the beast responded quickly and witty. The beast was winning.

The battle raged on with errors, no explanations, and no help to the user. The battle seemed to be lost!

The user was just about to give up when the machine saint “Private browser window” appeared and whispered in his ear:

– I have seen your fight with the beast, and I have come to help you. Listen carefully:

– Thou shall use this combination, and no other combination, to slay the beast and that shall grant you the CHARMHUB_TOKEN:

• Thou must log out from charmcraft. (charmcraft logout) or the beast will win.
• Thous must use the link from the terminal output, it must be from terminal. Not browser or the beast will win.
• Thou must not try using the username, use only email and correct password. The beast will not let you know you have the wrong password, so you have to be certain or the beast will win.
• Thou must use a “Private browser window” because the beast will not allow you to change user in any other way and you will lose.

After doing what the saint had said, and after some 40 minutes fight, the user was able to defeat the charmcraft-login-beast and access the treasure CHARMHUB_TOKEN.

Screenshot from 2024-07-05 10-46-171151×162 35.9 KB

The user was happy, but severely damaged. He returned to his terminal and at old age, settled for Ansible. He told the story to his grand-kids of the day he battled charmcraft and just barely survived.

My charmcraft help login / charmcraft login --help does have info about the envvar:

We also feature this process in our tutorial though we should perhaps also feature it in our how-to guide (we have it here but it’s a little buried) and we should definitely have a doc with all the Charmcraft envvars as well. I’ll add those to my TODO list.

However, it sounds like the main problem is that things that should have worked did not. @lengau WDYT, should we open an issue on Issues · canonical/charmcraft · GitHub or Issues · canonical/charmhub.io · GitHub or …?

Oh, the story here is not so much about the details, as much as it is about “the whole story” as a user experience.

There are so many pitfalls here which all of them leads into a horrible user experience.

I’ve been with Juju for a long time, so its not so much for my own part - but for a sufficiently new user - this path is impossible and repels them from Juju at large.

Good point, and thank you for writing this up – now we can study where it failed and work to improve it!

Chatted with Erik. I’ll try to summarize the circumstances, the workflow, and the issues.

He was setting up the CI pipeline for a charm. So he used charmcraft login with the --export and the --ttl flags. But, the argument of the --ttl flag must be given in seconds. If what you want is, e.g., 1 year, you first have to calculate how many seconds that is. SUGGESTION: Make the flag accept other units too.

He calculated the --ttl amount and then ran the command. That opened up a browser window with a prompt to log in using Ubuntu SSO. He clicked and that used cached content to automatically log him in as the user he had been logged in with before. However, that was not the user he wanted. He ended up having to log out / use a private browser window before he could log in as the user he wanted to log in as. SUGGESTION: Make it possible to choose the intended user. E.g., juju login has a --user flag (+ a no-browser-login flag) – maybe charmcraft login could have that too? PS When he moved to a private window, he initially copied the link from the previous browser, but noticed that it was different from the one provided in the CLI, and only the link provided in the CLI worked – the same email+password combo failed for the link copied from the browser. SUGGESTION: Investigate why they are different.

He also noticed that juju whoami / charmcraft whoami show the user in a different format than the Ubuntu SSO “You’re logged in as…" message – the whoami output shows user@realm but the Ubuntu SSO page shows only user, which can be confusing if you have the same user with multiple realms. SUGGESTION: Make consistent.

He also noticed that the Ubuntu SSO login only accepts an email (not a username). If you forget which email address you used for an account, there is no way to get the account back. (E.g., the “Forgot your password” button also relies on typing in the email.)

@lengau the issues go beyond Charmcraft. Anyone else we can / should ping?

Thanx @tmihoc for the writeup which is largely what goes on. This user story - “Setting up and managing a CI workflow” - contains all these perils which would be something that should be polished imo.