
Chicken or the egg causality dilemma (Authorization Policies)



Hi,

I added a first user via the htpasswd file. So far so good. Now I would like to add this user to the cluster-admin role. But I don't have permissions. So what is the right way?

Best regards,

Olaf


--------------[ snip ]---------------

[root os-master ~]# oc login
Authentication required for https://192.168.122.249:8443 (openshift)
Username: admin
Password:
Login successful.

Using project "meteocontrol-testing".

[root os-master ~]# oc describe clusterPolicy default
Error from server: User "admin" cannot get clusterpolicies at the cluster scope

[root os-master ~]# oadm policy add-role-to-user cluster-admin admin
error: You must be logged in to the server (attempt to grant extra privileges: [PolicyRule{Verbs:[*], APIGroups:[*], Resources:[*], ResourceNames:[], Restrictions:<nil>}] user=&{admin fcd285f3-3cfe-11e6-8c1a-525400e34c10 [system:authenticated:oauth system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[autoscaling], Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[extensions], Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get list watch], APIGroups:[], Resources:[bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create get], APIGroups:[], Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/docker], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[localsubjectaccessreviews subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[delete], 
APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[])
[root os-master ~]# oadm policy add-scc-to-user privileged admin
Error from server: User "admin" cannot get securitycontextconstraints at the cluster scope
[root os-master ~]#


--------------[ snap ]---------------

--
Mit freundlichen Grüßen / Best regards

Olaf Radicke

---

meteocontrol GmbH
Energy & Weather Services

Spicherer Strasse 48
86157 Augsburg, Germany
Phone +49 821 34666-265
Fax +49 821 34666-9032
Email o radicke meteocontrol de
Web: http://www.meteocontrol.de

Management Board: Martin Schneider, Robert Pfatischer, Jing Nealis
Register Court: Amtsgericht Augsburg, HRB 16 415
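
The refusal in the transcript above comes from an escalation check: the rules being granted are compared with the caller's own rules (the `ownerrules` list in the error). The following is an added example, not part of the original post and not OpenShift code; it is a simplified model (it ignores ResourceNames and Restrictions and treats an empty APIGroups list as the core group) run on a constructed, abridged excerpt of that error text.

```python
import re

# Constructed, abridged excerpt of the error message shown in the post.
ERROR = (
    "attempt to grant extra privileges: "
    "[PolicyRule{Verbs:[*], APIGroups:[*], Resources:[*], ResourceNames:[], Restrictions:<nil>}] "
    "user=&{admin} "
    "ownerrules=[PolicyRule{Verbs:[get list watch], APIGroups:[], "
    "Resources:[pods services], ResourceNames:[], Restrictions:<nil>} "
    "PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], "
    "ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[])"
)

RULE_RE = re.compile(
    r"PolicyRule\{Verbs:\[([^\]]*)\], APIGroups:\[([^\]]*)\], Resources:\[([^\]]*)\]"
)

def parse_rules(text):
    """Return (verbs, api_groups, resources) sets for every PolicyRule in text."""
    return [
        (set(v.split()), set(g.split()) or {""}, set(r.split()))
        for v, g, r in RULE_RE.findall(text)
    ]

def split_error(msg):
    """Split the message into the rules being granted and the caller's rules."""
    requested, _, owner = msg.partition("ownerrules=")
    return parse_rules(requested), parse_rules(owner)

def covers(owner_rules, verb, group, resource):
    """True if one owner rule allows the tuple; only an owner '*' covers a '*'."""
    return any(
        ({verb, "*"} & v) and ({group, "*"} & g) and ({resource, "*"} & r)
        for v, g, r in owner_rules
    )

def uncovered(requested, owner_rules):
    """List the (verb, group, resource) tuples the caller does not already hold."""
    return [
        (v, g, r)
        for verbs, groups, resources in requested
        for v in sorted(verbs) for g in sorted(groups) for r in sorted(resources)
        if not covers(owner_rules, v, g, r)
    ]

if __name__ == "__main__":
    req, own = split_error(ERROR)
    print("not held by caller:", uncovered(req, own))
```

A non-empty result is what produces the "attempt to grant extra privileges" refusal: the caller can only hand out rules it already holds.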

