
Re: How to grant system:admin rights to admin?



Hi.

On Wednesday, 07 June 2017 at 01:31, you wrote:





On 7 Jun 2017, at 3:01 AM, Ulf Lilleengen <lulf redhat com> wrote:

Hi Henryk,

Not sure if this is applicable to your setup, but an alternative is to point oc to admin.kubeconfig. E.g.:

oc --config /var/lib/origin/openshift.local.config/master/admin.kubeconfig adm policy add-cluster-role-to-user cluster-admin developer

I've been using this way as 'oc login -u system:admin' didn't work with my dev setup (created using 'oc cluster up') for some reason. It seems to work when using minishift, so I'd love to know what's causing it as well.

If you have access to the master node that will work. Sometimes the master nodes will already have cached login as admin from setup of cluster and just being able to access the master node as root will leave you as admin user anyway.

Well the main issue is that a lot of customers change the user with 'oc login -u ...' when they are root on the masters, and then you can't log in with system:admin!

I solved this with the following sequence.

oc config view |egrep 'context|default' # look for system:admin
oc config set-context default/...../system:admin
oc config use-context default/...../system:admin

My first advice to all users on the master servers is:

Don't use root for 'normal' oc work.

Create a user on the master, switch to this user, and run the oc commands as this user.
This is by far the safest way, afaik.




Another alternative is if you have granted a specific user sudoer role access, then such a user could use impersonation to run:

   oc adm policy add-cluster-role-to-user cluster-admin developer --as system:admin

See:

   https://docs.openshift.com/online/architecture/additional_concepts/authentication.html#authentication-impersonation

Graham


Hth,

Ulf

On 6 June 2017 16:16, Henryk Konsek wrote:

Hi Graham,
That would be probably fine. I assume that I should log in as system:admin in order to execute those commands, right?
The problem is that I cannot switch to system:admin...
oc login -u system:admin
Authentication required for https://localhost:8443 (openshift)
Username: system:admin
Password:
error: username system:admin is invalid for basic auth
Any idea what I'm doing wrong?
Cheers!
Mon, 5 Jun 2017 at 12:28, Graham Dumpleton <gdumplet redhat com> wrote:

   > On 5 Jun 2017, at 8:13 PM, Henryk Konsek <hekonsek gmail com> wrote:
   >
   > Hi,
   >
   > Quick question. Is there an easy way to grant "system:admin"
   > privileges to "admin" user? I'd like to make it possible for 'admin'
   > user to list projects and namespaces for example. I'm aware that
   > this is not recommended for production environment, but this is
   > something we need for an automation of our integration tests suite.

   Not sure if suits your requirements, but presuming 'username'
   exists, as user who already has admin rights, try:

            oc adm policy add-cluster-role-to-user cluster-reader username

   If only want them to be able to read view stuff but not modify, or:

            oc adm policy add-cluster-role-to-user cluster-admin username

   if want to allow them full edit ability on cluster.
   Replace 'username' with actual name of user.

   Graham
--
Henryk Konsek
https://linkedin.com/in/hekonsek

--
Ulf

--
Best regards
Aleksandar Lazic - ME2Digital e. U.
https://me2digital.online/
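
The context lookup described in the reply above, as an added example (not code from any poster in this thread): it picks the context by its user entry (the AUTHINFO column of `oc config get-contexts`) instead of grepping context names, so a renamed context is still found. The sample table, the cluster name 127-0-0-1:8443 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the kubeconfig context bound to system:admin.

# Reads `oc config get-contexts` output on stdin and prints the NAME of every
# context whose AUTHINFO is system:admin (written as system:admin/<cluster>).
find_admin_contexts() {
    awk '
        NR == 1 { next }    # skip the header row
        {
            # CURRENT is "*" on the active context and blank otherwise,
            # so the remaining columns shift by one field.
            off = ($1 == "*") ? 1 : 0
            name = $(1 + off)
            authinfo = $(3 + off)
            if (authinfo == "system:admin" || index(authinfo, "system:admin/") == 1)
                print name
        }'
}

# Constructed sample of `oc config get-contexts` after root ran
# `oc login -u developer` on a master.
sample_contexts() {
    cat <<'EOF'
CURRENT   NAME                                  CLUSTER          AUTHINFO                      NAMESPACE
*         myproject/127-0-0-1:8443/developer    127-0-0-1:8443   developer/127-0-0-1:8443      myproject
          default/127-0-0-1:8443/system:admin   127-0-0-1:8443   system:admin/127-0-0-1:8443   default
EOF
}

# Switch the current kubeconfig back to the system:admin context, if one exists.
# Not called here, because it needs a real `oc` binary and kubeconfig.
use_admin_context() {
    ctx=$(oc config get-contexts | find_admin_contexts | head -n 1)
    if [ -z "$ctx" ]; then
        echo "no system:admin context in this kubeconfig" >&2
        return 1
    fi
    oc config use-context "$ctx"
}

# Demo on the constructed sample.
sample_contexts | find_admin_contexts
```

If no context is found, the client certificate for system:admin is not in that kubeconfig, and pointing `--config` at admin.kubeconfig as suggested earlier in the thread is the remaining route.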
