
Re: How to grant system:admin rights to admin?




On 7 Jun 2017, at 3:01 AM, Ulf Lilleengen <lulf redhat com> wrote:

Hi Henryk,

Not sure if this is applicable to your setup, but an alternative is to point oc to admin.kubeconfig. E.g.:

    oc --config /var/lib/origin/openshift.local.config/master/admin.kubeconfig adm policy add-cluster-role-to-user cluster-admin developer

I've been using this way as 'oc login -u system:admin' didn't work with my dev setup (created using 'oc cluster up') for some reason. It seems to work when using minishift, so I'd love to know what's causing it as well.

If you have access to the master node, that will work. Sometimes the master nodes will already have a cached login as admin from setup of the cluster, and just being able to access the master node as root will leave you as the admin user anyway.

Another alternative is if you have granted a specific user sudoer role access, then such a user could use impersonation to run:

    oc admin policy add-cluster-role-to-user cluster-admin developer --as system:admin

See:


Graham

Hth,

Ulf

On 6 June 2017 16:16, Henryk Konsek wrote:
Hi Graham,

That would probably be fine. I assume that I should log in as system:admin in order to execute those commands, right?

The problem is that I cannot switch to system:admin...

    oc login -u system:admin
    Authentication required for https://localhost:8443 (openshift)
    Username: system:admin
    Password:
    error: username system:admin is invalid for basic auth

Any idea what I'm doing wrong?

Cheers!

On Mon, 5 Jun 2017 at 12:28, Graham Dumpleton <gdumplet redhat com> wrote:
    > On 5 Jun 2017, at 8:13 PM, Henryk Konsek <hekonsek gmail com> wrote:
    >
    > Hi,
    >
    > Quick question. Is there an easy way to grant "system:admin"
    > privileges to "admin" user? I'd like to make it possible for 'admin'
    > user to list projects and namespaces for example. I'm aware that
    > this is not recommended for production environment, but this is
    > something we need for an automation of our integration tests suite.

   Not sure if suits your requirements, but presuming 'username'
   exists, as user who already has admin rights, try:
            oc adm policy add-cluster-role-to-user cluster-reader username
   If only want them to be able to read view stuff but not modify, or:
            oc adm policy add-cluster-role-to-user cluster-admin username
   if want to allow them full edit ability on cluster.
   Replace 'username' with actual name of user.
   Graham
-- 
Henryk Konsek
https://linkedin.com/in/hekonsek

-- 
Ulf
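
An added example, not part of the original thread: once test users have been given cluster-admin or sudoer as discussed above, this Python script lists which non-system subjects hold those roles so the grants can be reviewed or cleaned up after the test run. It assumes input shaped like `oc get clusterrolebindings -o json` (a list with `items[].roleRef.name` and `items[].subjects[]`); the sample data and the function name `risky_grants` are constructed for illustration.

```python
import json

# Constructed sample, shaped like `oc get clusterrolebindings -o json` output.
SAMPLE = """
{"kind": "List", "items": [
  {"metadata": {"name": "cluster-admins"},
   "roleRef": {"name": "cluster-admin"},
   "subjects": [{"kind": "SystemGroup", "name": "system:cluster-admins"},
                {"kind": "SystemUser", "name": "system:admin"},
                {"kind": "User", "name": "developer"}]},
  {"metadata": {"name": "cluster-readers"},
   "roleRef": {"name": "cluster-reader"},
   "subjects": [{"kind": "User", "name": "username"}]},
  {"metadata": {"name": "sudoers"},
   "roleRef": {"name": "sudoer"},
   "subjects": [{"kind": "User", "name": "admin"}]},
  {"metadata": {"name": "empty-binding"},
   "roleRef": {"name": "cluster-admin"},
   "subjects": null}
]}
"""

# Roles from the thread that give full control, or the ability to
# impersonate system:admin via --as.
BROAD_ROLES = {"cluster-admin", "sudoer"}


def risky_grants(doc, roles=BROAD_ROLES):
    """Return sorted (role, kind, name) for non-system subjects bound to broad roles."""
    found = set()
    for item in doc.get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in roles:
            continue
        # "subjects" may be missing or null on a binding with no members.
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            if name.startswith("system:"):
                continue  # built-in identities such as system:admin
            found.add((role, subj.get("kind", ""), name))
    return sorted(found)


SAMPLE_DOC = json.loads(SAMPLE)

if __name__ == "__main__":
    for role, kind, name in risky_grants(SAMPLE_DOC):
        print(f"{kind} {name!r} is bound to {role}")
```
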

