
Re: Chicken or the egg causality dilemma (Authorization Policies)



Hey Olaf --
You can do this as the system:admin user, which is the built-in cluster "superuser". In order to log in as system:admin, you have to be SSH'd into (one of) your master(s) as the root user:

[root@master.example.com ~]# oc login -u system:admin

This account has no password but is only available from the shell of a master with you as the root user.

Once you've done that, you can run the add-role-to-user command that you were attempting.

Regards,
Harrison
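
The bootstrap procedure Harrison describes, as an added example (this is not code from the thread or from the OpenShift project): a POSIX shell script meant to be run from a root shell on a master. It logs in as system:admin, refuses to continue under any other identity (which is exactly the situation in which `oadm policy add-role-to-user` fails with the "attempt to grant extra privileges" error quoted below, because OpenShift will not let a user hand out rules it does not itself hold), grants `cluster-admin` to the named htpasswd user, and then confirms the grant with `oadm policy who-can get clusterpolicies`, the same cluster-scoped read that failed for Olaf. The `OC`/`OADM` override variables and the assumption that `who-can` prints each user name as its own whitespace-separated token are mine, not the project's.

```shell
#!/bin/sh
# Bootstrap the first cluster-admin on an OpenShift 3.x master.
# Added example for this thread, not code from the list or the project.
# Run from a root shell on a master. OC and OADM are assumptions of this
# script (override them to test, or if the binaries live elsewhere).
: "${OC:=oc}"
: "${OADM:=oadm}"

# Identity the current kubeconfig context authenticates as.
current_user() {
    "$OC" whoami
}

# Harrison's step: from root's shell on the master, "oc login -u system:admin"
# needs no password because root's kubeconfig carries the superuser's
# client certificate. Fail unless the switch really happened.
login_as_superuser() {
    "$OC" login -u system:admin >/dev/null 2>&1 || return 1
    [ "$(current_user)" = "system:admin" ]
}

# Grant cluster-admin to an identity-provider user (here an htpasswd user)
# and confirm the binding. Exit status: 0 granted and verified, 1 refused
# or failed, 2 usage error.
grant_cluster_admin() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: grant_cluster_admin USER" >&2
        return 2
    fi

    # Refuse under any other identity. Olaf's session shows why: a user
    # can only hand out rules it already holds, so add-role-to-user as the
    # htpasswd user fails with "attempt to grant extra privileges".
    me=$(current_user)
    if [ "$me" != "system:admin" ]; then
        echo "refusing: logged in as '$me', not system:admin" >&2
        return 1
    fi

    "$OADM" policy add-role-to-user cluster-admin "$user" || return 1

    # Verify with the cluster-scoped read that failed for Olaf: who may
    # "get clusterpolicies"? Match the user as its own whitespace-separated
    # token so "admin" is not satisfied by "system:admin". (Assumption:
    # who-can prints user names that way.)
    "$OADM" policy who-can get clusterpolicies \
        | grep -Eq "(^|[[:space:]])$user([[:space:]]|\$)"
}

# Only act when a user name is given on the command line, so the functions
# can also be sourced from other scripts.
if [ "$#" -gt 0 ]; then
    login_as_superuser || { echo "could not log in as system:admin" >&2; exit 1; }
    grant_cluster_admin "$1"
fi
```

Run it as root on a master, e.g. `sh bootstrap-cluster-admin.sh admin`. If an earlier `oc login` as the htpasswd user has made that user root's current context (as in Olaf's session), `oc login -u system:admin` switches back because the superuser's client certificate is still in root's kubeconfig; if it is not there, point `oc` at the master's admin kubeconfig with `--config` (on RPM installs typically `/etc/origin/master/admin.kubeconfig`; check your own install). Keep in mind that cluster-admin on an htpasswd identity means the htpasswd file now guards full control of the cluster: keep it readable by root only and give that account a strong password.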


On Tue, Jul 5, 2016 at 3:56 AM, Olaf Radicke <o radicke meteocontrol de> wrote:
Hi,

I added a first user via the htpasswd file. So far so good. Now I would like to add this user to the cluster-admin role.  But I don't have permissions. So what is the right way?

Best regards,

Olaf


--------------[ snip ]---------------

[root@os-master ~]# oc login
Authentication required for https://192.168.122.249:8443 (openshift)
Username: admin
Password:
Login successful.

Using project "meteocontrol-testing".

[root@os-master ~]# oc describe clusterPolicy default
Error from server: User "admin" cannot get clusterpolicies at the cluster scope

[root@os-master ~]# oadm policy add-role-to-user cluster-admin admin
error: You must be logged in to the server (attempt to grant extra privileges: [PolicyRule{Verbs:[*], APIGroups:[*], Resources:[*], ResourceNames:[], Restrictions:<nil>}] user=&{admin fcd285f3-3cfe-11e6-8c1a-525400e34c10 [system:authenticated:oauth system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[autoscaling], Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[extensions], Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get list watch], APIGroups:[], Resources:[bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create get], APIGroups:[], Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/docker], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[localsubjectaccessreviews subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[delete], 
APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[])
[root@os-master ~]# oadm policy add-scc-to-user privileged admin
Error from server: User "admin" cannot get securitycontextconstraints at the cluster scope
[root@os-master ~]#


--------------[ snap ]---------------

--
Mit freundlichen Grüßen / Best regards

Olaf Radicke

---

meteocontrol GmbH
Energy & Weather Services

Spicherer Strasse 48
86157 Augsburg, Germany
Phone +49 821 34666-265
Fax +49 821 34666-9032
Email o radicke meteocontrol de
Web: http://www.meteocontrol.de

Management Board: Martin Schneider, Robert Pfatischer, Jing Nealis
Register Court: Amtsgericht Augsburg, HRB 16 415

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

