Re: Several questions about authorization

I guessed that some configurations were not proper.

When I create a new user, it is always added to project "aura" by default.

The cluster is set up on OpenShift Origin 3.6.

[root host-10-1-236-92 ~]# oc describe project aura
Name:            aura
Created:        7 weeks ago
Labels:            <none>
Annotations:        openshift.io/description=
Display Name:        <none>
Description:        <none>
Status:            Active
Node Selector:        <none>
Quota:            <none>
Resource limits:    <none>
[root host-10-1-236-92 ~]# oc login
Authentication required for (openshift)
Username: hello
Login successful.

You have one project on this server: "aura"

Using project "aura".

Where should I start to fix the problem? Any advice?


Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

From: Clayton Coleman <ccoleman redhat com>
Sent: Monday, December 18, 2017 10:41:30 PM
To: Yu Wei
Cc: users lists openshift redhat com; dev lists openshift redhat com
Subject: Re: Several questions about authorization

On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei <yu2003w hotmail com> wrote:


I have several questions about user and authorization management.

1, How could I remove a user from a project?


[root host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * aura

Using project "aura".
[root host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "".
[root host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?

How did you get added to the "aura" project?  If you can't view role bindings, then you likely don't have the "view" role and you have been given a more constrained role.  You'd need to ask the person who added you in that case.

And how could I find which users belong to project "aura"?

You can see which users have been added with explicit roles by doing "oc get rolebindings".  You can see who can view the namespace by running "oc policy who-can get namespace aura" if you have sufficient permissions.

2, basic-user

    When should "basic-user" be used? It seems that basic-user is cluster-wide. Is my understanding right?

There are two types of role bindings - namespace scoped role bindings (rolebindings) and cluster scoped role bindings (clusterrolebindings).  If you add someone to a clusterrolebinding they have that role on all namespaces in the cluster.  If you add someone with a rolebinding, they only have that permission on the namespace the rolebinding is created in.

3, user created automatically

    When issuing the instruction "oc login -u test2 -p test2", user "test2" is created automatically.

    After user creation, which project does the created user belong to?

None, unless you grant a clusterrolebinding to a group and the new user is in that group.


users mailing list
users lists openshift redhat com
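
The reply above says a new user gets a project only through a binding to a group that user is in. As an added example (not part of the thread and not OpenShift's own code), this script scans output in the style of `oc get rolebindings -n aura -o json` and `oc get clusterrolebindings -o json` for bindings to groups that every user belongs to. The JSON shape, the binding names and the role `aura-limited` are assumptions, and the sample data is constructed.

```python
import json

# Virtual groups that every logged-in (or anonymous) user is a member of.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}
# Default roles that give access to project contents; used to narrow cluster-wide results.
PROJECT_ROLES = {"admin", "edit", "view", "cluster-admin", "cluster-reader"}

def groups_of(binding):
    """Group names from the 'subjects' list or a legacy 'groupNames' field."""
    names = set(binding.get("groupNames") or [])
    for subject in binding.get("subjects") or []:
        if subject.get("kind") in ("Group", "SystemGroup"):
            names.add(subject["name"])
    return names

def broad_grants(binding_list, scope, roles=None):
    """Return (scope, binding, role, group) for every binding that grants a
    role to a group all users are in. roles=None reports any role."""
    hits = []
    for b in binding_list.get("items", []):
        role = b["roleRef"]["name"]
        if roles is not None and role not in roles:
            continue
        for group in sorted(groups_of(b) & BROAD_GROUPS):
            hits.append((scope, b["metadata"]["name"], role, group))
    return hits

# Constructed sample data, not output from the poster's cluster.
NS_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "admin"}, "roleRef": {"name": "admin"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"metadata": {"name": "everyone"}, "roleRef": {"name": "aura-limited"},
  "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]}]}""")
CLUSTER_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "basic-users"}, "roleRef": {"name": "basic-user"},
  "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]},
 {"metadata": {"name": "cluster-admins"}, "roleRef": {"name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]}]}""")

if __name__ == "__main__":
    # Any role bound to a broad group inside the namespace is worth reviewing;
    # cluster-wide, report only roles that open up project contents.
    for hit in (broad_grants(NS_BINDINGS, "rolebinding/aura")
                + broad_grants(CLUSTER_BINDINGS, "clusterrolebinding", PROJECT_ROLES)):
        print(*hit)
```

A namespace hit such as the constructed `everyone` binding is the kind of grant that would put each newly created user into the project with a constrained role.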

