
Re: Several questions about authorization





On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei <yu2003w hotmail com> wrote:

Hi,

I have several questions about user and authorization management.

1, How could I remove a user from a project?

   

[root host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * aura
    test1

Using project "aura".
[root host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?


How did you get added to the "aura" project?  If you can't view role bindings, then you likely don't have the "view" role and you have been given a more constrained role.  You'd need to ask the person who added you in that case.
 

And how could I find which users belong to project "aura"?


You can see which users have been added with explicit roles by doing "oc get rolebindings".  You can see who can view the namespace by running "oc policy who-can get namespace aura" if you have sufficient permissions.
 


2, basic-user

    When should "basic-user" be used? It seems that basic-user is cluster wide. Is my understanding right?


There are two types of role bindings - namespace scoped role bindings (rolebindings) and cluster scoped role bindings (clusterrolebindings).  If you add someone to a clusterrolebinding they have that role on all namespaces in the cluster.  If you add someone with a rolebinding, they only have that permission on the namespace the rolebinding is created in.
 


3, user created automatically

    When issuing the instruction "oc login -u test2 -p test2", user "test2" is created automatically.

    After user creation, which project does the created user belong to?


None, unless you grant a clusterrolebinding to a group and the new user is in that group.
 


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
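
The scoping rules described in the reply above, as an added example that is not part of the original thread and not OpenShift's own authorizer: a simplified Python model of namespace-scoped versus cluster-scoped bindings and of a who-can query. The rule sets, the "limited" role, the "auditors" group and the sample bindings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rule sets; "limited" is a hypothetical constrained role.
ROLES = {
    "view": {("get", "namespaces"), ("list", "rolebindings")},
    "limited": {("get", "namespaces")},
}

@dataclass(frozen=True)
class Binding:
    role: str
    subjects: frozenset        # "user:<name>" or "group:<name>"
    namespace: Optional[str]   # None models a clusterrolebinding

# Constructed sample state, loosely following the session in the thread.
NAMESPACES = ["aura", "test1"]
USERS = ["test1", "test2"]
BINDINGS = [
    Binding("limited", frozenset({"user:test1"}), "aura"),
    Binding("view", frozenset({"user:test1"}), "test1"),
    Binding("view", frozenset({"group:auditors"}), None),  # hypothetical group
]

def allowed(user, verb, resource, namespace, groups):
    """True if any binding in scope for `namespace` grants (verb, resource)."""
    me = {f"user:{user}"} | {f"group:{g}" for g in groups.get(user, ())}
    for b in BINDINGS:
        in_scope = b.namespace is None or b.namespace == namespace
        if in_scope and me & b.subjects and (verb, resource) in ROLES[b.role]:
            return True
    return False

def who_can(verb, resource, namespace, groups):
    """Rough analogue of 'oc policy who-can <verb> <resource>' in one namespace."""
    return sorted(u for u in USERS if allowed(u, verb, resource, namespace, groups))

def visible_projects(user, groups):
    """Namespaces the user can 'get', i.e. the projects visible in this model."""
    return [ns for ns in NAMESPACES if allowed(user, "get", "namespaces", ns, groups)]

if __name__ == "__main__":
    print(visible_projects("test1", {}))
    print(allowed("test1", "list", "rolebindings", "aura", {}))
    print(visible_projects("test2", {}))
    print(visible_projects("test2", {"test2": ["auditors"]}))
    print(who_can("get", "namespaces", "aura", {"test2": ["auditors"]}))
```

In this model a user can see a project without being able to list its rolebindings, and a newly created user sees no project until a binding, direct or through a group, covers them.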


