
Re: token/session lifetime



The username needs to be the fully qualified name for the SA.  So something like `oadm policy add-cluster-role-to-user <ROLE> system:serviceaccount:default:pruner`

On Fri, Jan 22, 2016 at 9:52 AM, Gilbert Roulot <gilbert roulot tech-angels com> wrote:
Thanks,

We are doing that, using a new service account with the cluster-admin role, and trying to prune:

oadm --token='843 chat long token here'  prune builds --orphans --keep-complete=5 --keep-failed=1 --keep-younger-than=60m --confirm
Error from server: User "system:serviceaccount:default:pruner" cannot list all buildconfigs in the cluster

But the policy says otherwise:
oadm policy who-can list bc --all-namespaces=true
Namespace: <all>
Verb:      list
Resource:  bc

Users:  admin
        pruner

Groups: system:cluster-admins
        system:masters


This is on OpenShift 1.1. What could be the problem?


Regards.



2016-01-21 14:46 GMT+01:00 David Eads <deads redhat com>:
For cases where you want a long lived token, we recommend that you create a service account, grant that SA the rights you need, grab the SA's token and use it.  That gives you a long-lived, revocable token to avoid annoyances like that.

On Thu, Jan 21, 2016 at 8:23 AM, Philippe Lafoucrière <philippe lafoucriere tech-angels com> wrote:
Hi,

I wonder if there's a way to have tokens with different TTLs in OpenShift.
I have 2 use-cases where it's an issue:

- CI: our CI server needs to be able to push image layers every day, obviously
- Pruner: we have a dedicated user for that, and of course, after a few days:

$ /bin/oadm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
Error from server: the server has asked for the client to provide credentials

Thanks
Philippe

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users







--
Gilbert Roulot

