diagnostics: make cluster role warning info, modify text

bug 1381611 https://bugzilla.redhat.com/show_bug.cgi?id=1381611
openshift · Nov 4, 2016 · ebceafe · ebceafe
1 parent 905f0c7
commit ebceafe
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/pkg/diagnostics/cluster/roles.go b/pkg/diagnostics/cluster/roles.go
@@ -20,7 +20,34 @@ type ClusterRoles struct {
 }
 
 const (
-	ClusterRolesName = "ClusterRoles"
+	ClusterRolesName   = "ClusterRoles"
+	clusterRoleMissing = `
+clusterrole/%s is missing.
+
+Use the 'oadm policy reconcile-cluster-roles' command to create the role. For example,
+
+  $ oadm policy reconcile-cluster-roles \
+         --additive-only=true --confirm
+`
+	clusterRoleReduced = `
+clusterrole/%s has changed, but the existing role has more permissions than the new role.
+
+If you can confirm that the extra permissions are not required, you may use the
+'oadm policy reconcile-cluster-roles' command to update the role to reduce permissions.
+For example,
+
+  $ oadm policy reconcile-cluster-roles \
+         --additive-only=false --confirm
+`
+	clusterRoleChanged = `
+clusterrole/%s has changed and the existing role does not have enough permissions.
+
+Use the 'oadm policy reconcile-cluster-roles' command to update the role.
+For example,
+
+  $ oadm policy reconcile-cluster-roles \
+         --additive-only=true --confirm
+`
 )
 
 func (d *ClusterRoles) Name() string {
@@ -70,7 +97,7 @@ func (d *ClusterRoles) Check() types.DiagnosticResult {
 	for _, changedClusterRole := range changedClusterRoles {
 		actualClusterRole, err := d.ClusterRolesClient.ClusterRoles().Get(changedClusterRole.Name)
 		if kerrs.IsNotFound(err) {
-			r.Error("CRD1002", nil, fmt.Sprintf("clusterrole/%s is missing.\n\nUse the `oadm policy reconcile-cluster-roles` command to create the role.", changedClusterRole.Name))
+			r.Error("CRD1002", nil, fmt.Sprintf(clusterRoleMissing, changedClusterRole.Name))
 			continue
 		}
 		if err != nil {
@@ -79,15 +106,15 @@ func (d *ClusterRoles) Check() types.DiagnosticResult {
 
 		_, missingRules := rulevalidation.Covers(actualClusterRole.Rules, changedClusterRole.Rules)
 		if len(missingRules) == 0 {
-			r.Warn("CRD1003", nil, fmt.Sprintf("clusterrole/%s has changed, but the existing role has more permissions than the new role.\n\nUse the `oadm policy reconcile-cluster-roles` command to update the role to reduce permissions.", changedClusterRole.Name))
+			r.Info("CRD1003", fmt.Sprintf(clusterRoleReduced, changedClusterRole.Name))
 			_, extraRules := rulevalidation.Covers(changedClusterRole.Rules, actualClusterRole.Rules)
 			for _, extraRule := range extraRules {
 				r.Info("CRD1008", fmt.Sprintf("clusterrole/%s has extra permission %v.", changedClusterRole.Name, extraRule))
 			}
 			continue
 		}
 
-		r.Error("CRD1005", nil, fmt.Sprintf("clusterrole/%s has changed and the existing role does not have enough permissions.\n\nUse the `oadm policy reconcile-cluster-roles` command to update the role.", changedClusterRole.Name))
+		r.Error("CRD1005", nil, fmt.Sprintf(clusterRoleChanged, changedClusterRole.Name))
 		for _, missingRule := range missingRules {
 			r.Info("CRD1007", fmt.Sprintf("clusterrole/%s is missing permission %v.", changedClusterRole.Name, missingRule))
 		}