How to debug the openid auth plugin?

2018-03-26 Thread fabio martinelli

Dear OpenShift Colleagues

I can't get the OpenID Auth plugin [$] working, not necessarily because 
it's broken on the Origin side, since the AD layer, where I'm not 
root [%], is also involved; furthermore, I don't have very much 
experience with OpenID.


I believe I've slavishly followed the manual [$] and I've selected as 
the mappingMethod the option "lookup" since I don't want any automatic 
login from our AD at this stage.


This is my failed login attempt with oc:

$ oc login --loglevel=10
I0326 22:58:26.698146   38291 loader.go:357] Config loaded from file /Users/f_martinelli/.kube/config
I0326 22:58:26.701628   38291 round_trippers.go:386] curl -k -v -XHEAD  https://hosting.wfp.org:443/
I0326 22:58:26.922676   38291 round_trippers.go:405] HEAD https://hosting.wfp.org:443/ 403 Forbidden in 220 milliseconds
I0326 22:58:26.922709   38291 round_trippers.go:411] Response Headers:
I0326 22:58:26.922720   38291 round_trippers.go:414] Vary: Accept-Encoding
I0326 22:58:26.922729   38291 round_trippers.go:414] X-Content-Type-Options: nosniff
I0326 22:58:26.922738   38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:26.922747   38291 round_trippers.go:414] Content-Type: text/plain
I0326 22:58:26.922756   38291 round_trippers.go:414] Connection: keep-alive
I0326 22:58:26.922765   38291 round_trippers.go:414] Server: nginx
I0326 22:58:26.922774   38291 round_trippers.go:414] Content-Length: 90
I0326 22:58:26.922782   38291 round_trippers.go:414] Cache-Control: no-store
I0326 22:58:26.922889   38291 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://hosting.wfp.org:443/.well-known/oauth-authorization-server
I0326 22:58:26.965442   38291 round_trippers.go:405] GET https://hosting.wfp.org:443/.well-known/oauth-authorization-server 200 OK in 42 milliseconds
I0326 22:58:26.965686   38291 round_trippers.go:411] Response Headers:
I0326 22:58:26.966184   38291 round_trippers.go:414] Server: nginx
I0326 22:58:26.966199   38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:26.966210   38291 round_trippers.go:414] Content-Type: application/json
I0326 22:58:26.966529   38291 round_trippers.go:414] Connection: keep-alive
I0326 22:58:26.966557   38291 round_trippers.go:414] Vary: Accept-Encoding
I0326 22:58:26.966572   38291 round_trippers.go:414] Cache-Control: no-store
I0326 22:58:26.968573   38291 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w_challenge_method=S256_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit_type=code
I0326 22:58:27.002233   38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w_challenge_method=S256_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit_type=code 401 Unauthorized in 33 milliseconds
I0326 22:58:27.002305   38291 round_trippers.go:411] Response Headers:
I0326 22:58:27.002333   38291 round_trippers.go:414] Connection: keep-alive
I0326 22:58:27.002343   38291 round_trippers.go:414] Www-Authenticate: Basic realm="openshift"
I0326 22:58:27.002352   38291 round_trippers.go:414] Server: nginx
I0326 22:58:27.002361   38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:27.002370   38291 round_trippers.go:414] Content-Type: text/plain; charset=utf-8
I0326 22:58:27.002379   38291 round_trippers.go:414] Content-Length: 0
Authentication required for https://hosting.wfp.org:443 (openshift)
Username: MYUSERNAME
Password:  MYPASSWORD
I0326 22:58:32.977080   38291 round_trippers.go:386] curl -k -v -XGET  -H "Authorization: Basic ZmFiaW8ubWFydGluZWxsaTo=" -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w_challenge_method=S256_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit_type=code
I0326 22:58:33.018514   38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w_challenge_method=S256_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit_type=code 500 Internal Server Error in 41 milliseconds
I0326 22:58:33.018570   38291 round_trippers.go:411] Response Headers:
I0326 22:58:33.018584   38291 round_trippers.go:414] Server: nginx
I0326 22:58:33.018595   38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:32 GMT
I0326 22:58:33.018603   38291 round_trippers.go:414] Content-Type: text/plain; charset=utf-8
I0326 22:58:33.018611   38291 round_trippers.go:414] Content-Length: 100
I0326 22:58:33.018621   38291 round_trippers.go:414] Connection: keep-alive
error: Internal 
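
[Added example, not part of the original message or of OpenShift's own code: a small Python helper that rejoins a mail-wrapped `oc login --loglevel=10` trace, lists the status of each step so the failing request stands out, and masks the Authorization header (Basic credentials are only base64-encoded) before the trace is posted to a public list. The host, the credential and the function names are constructed for illustration; the record layout is modelled on the trace above.]

```python
import re
from urllib.parse import urlsplit

# Prefix of every record printed by `oc --loglevel=10` (klog header format).
KLOG = re.compile(r"^[IWEF]\d{4} \d\d:\d\d:\d\d\.\d+\s+\d+ [\w.]+:\d+\]")
RESPONSE = re.compile(r"\] (GET|HEAD|POST|PUT|DELETE) (\S+) (\d{3}) .* in \d+ milliseconds")
AUTH = re.compile(r"(Authorization: (?:Basic|Bearer) )[^\s\"']+")

# Constructed sample (host and credential are made up), wrapped like a mail client wraps it.
SAMPLE = """\
I0326 22:58:26.922676   38291 round_trippers.go:405] HEAD
https://master.example.test:443/ 403 Forbidden in 220 milliseconds
I0326 22:58:27.002233   38291 round_trippers.go:405] GET
https://master.example.test/oauth/authorize?client_id=openshift-challenging-client
401 Unauthorized in 33 milliseconds
I0326 22:58:32.977080   38291 round_trippers.go:386] curl -k -v -XGET
-H "Authorization: Basic YWxpY2U6czNjcmV0" -H "X-Csrf-Token: 1"
https://master.example.test/oauth/authorize?client_id=openshift-challenging-client
I0326 22:58:33.018514   38291 round_trippers.go:405] GET
https://master.example.test/oauth/authorize?client_id=openshift-challenging-client
500 Internal Server Error in 41 milliseconds
"""

def unwrap(trace):
    """Rejoin wrapped records: a line without a klog prefix continues the previous one."""
    records = []
    for line in trace.splitlines():
        if not line.strip():
            continue  # blank lines inserted by the archive
        if KLOG.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def redact(trace):
    """Unwrapped trace with Basic/Bearer credentials masked."""
    return "\n".join(AUTH.sub(r"\1<redacted>", r) for r in unwrap(trace))

def summarize(trace):
    """(method, path, status) for each response record, in order."""
    hits = (RESPONSE.search(r) for r in unwrap(trace))
    return [(m[1], urlsplit(m[2]).path, int(m[3])) for m in hits if m]

def first_server_error(trace):
    """First step answered with 5xx, i.e. where the server side itself failed."""
    return next((s for s in summarize(trace) if s[2] >= 500), None)
```

On the sample, the 401 is the expected Basic challenge and the first 5xx is the request that carried the credentials, so the detail of the failure is in the server's logs rather than in the client trace.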

Re: Some frustrations with OpenShift

2018-03-26 Thread Clayton Coleman
On Mon, Mar 26, 2018 at 11:50 AM, Alfredo Palhares wrote:

> Hello everyone,
>
>
> I would like to share some of the frustrations that I currently have with
> openshift, which is making me not consider this a base to our container
> infrastructure.
> - No visualization of the cluster out of the box
>

Generally that has been a responsibility of CloudForms / manageiq.  What
sorts of visualizations are you looking for?


>  To me this seems a bit weird that there is no clear way of having
> visualization of the cluster status out, I am struggling following the
> documentation, my
> ansible playbook is breaking, and I have a simple 1 master and 3 nodes
> setup.
> - Not having the possibility to use kubernetes directly
>

By "use kubernetes" directly do you mean, "Using the kubernetes APIs
directly?" or "Using an existing Kubernetes cluster?"  If the former, we
support all kubernetes GA level APIs, so you shouldn't be blocked there.
For the latter, most of the OpenShift security model requires protections
that are compiled into the kube binaries (multi-tenancy, protecting users
from escaping their namespaces), so today if you tried to run openshift on
top of raw kube you would not have any of the security model.


> Since I am running on metal, the idea of openshift would be more to get
> the supporting services of and then using kubernetes deployments.
> - The openshift-ansible is a bit confusing to me
> Although I see that on the newer versions it is getting better.
>
>
> Just wanted to share some thoughts, I am not bashing on anything, I do still
> think it's a great platform, just getting into it is a bit hard if you are
> not paying for support or deploying on the cloud.
>

We appreciate the feedback


>
> Regards,
> Alfredo Palhares
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Some frustrations with OpenShift

2018-03-26 Thread Alfredo Palhares
Hello everyone,


I would like to share some of the frustrations that I currently have with
openshift, which is making me not consider this a base to our container
infrastructure.
- No visualization of the cluster out of the box
 To me this seems a bit weird that there is no clear way of having
visualization of the cluster status out, I am struggling following the
documentation, my
ansible playbook is breaking, and I have a simple 1 master and 3 nodes
setup.
- Not having the possibility to use kubernetes directly
Since I am running on metal, the idea of openshift would be more to get the
supporting services of and then using kubernetes deployments.
- The openshift-ansible is a bit confusing to me
Although I see that on the newer versions it is getting better.


Just wanted to share some thoughts, I am not bashing on anything, I do still
think it's a great platform, just getting into it is a bit hard if you are
not paying for support or deploying on the cloud.

Regards,
Alfredo Palhares