Re: Several questions about authorization

2017-12-18 Thread Yu Wei
The created user info is as below,

[root@host-10-1-236-92 ~]# oc describe user hello
Name:           hello
Created:        24 minutes ago
Labels:
Annotations:
Identities:     allow_all:hello

Is the issue caused by allow_all?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Several questions about authorization

2017-12-18 Thread Yu Wei
I guessed that some configurations were not proper.

When I create a new user, it is always added to project "aura" by default.

Cluster is set up on OpenShift Origin 3.6.

[root@host-10-1-236-92 ~]# oc describe project aura
Name:             aura
Created:          7 weeks ago
Labels:
Annotations:      openshift.io/description=
                  openshift.io/display-name=
                  openshift.io/requester=aura
                  openshift.io/sa.scc.mcs=s0:c9,c4
                  openshift.io/sa.scc.supplemental-groups=18/1
                  openshift.io/sa.scc.uid-range=18/1
Display Name:
Description:
Status:           Active
Node Selector:
Quota:
Resource limits:
[root@host-10-1-236-92 ~]# oc login
Authentication required for https://10.1.241.54:8443 (openshift)
Username: hello
Password:
Login successful.

You have one project on this server: "aura"

Using project "aura".

Where should I start to fix the problem? Any advice?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux




Re: Several questions about authorization

2017-12-18 Thread Clayton Coleman
On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei wrote:

> Hi,
>
> I have several questions about user and authorization management.
>
> 1, How could I remove a user from a project?
>
> [root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
> Login successful.
>
> You have access to the following projects and can switch between them with 'oc project ':
>
>   * aura
>     test1
>
> Using project "aura".
> [root@host-10-1-236-92 gpu-test]# oc project aura
> Already on project "aura" on server "https://10.1.241.54:8443".
> [root@host-10-1-236-92 gpu-test]# oc get rolebindings
> Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"
>
> How should I remove user "test1" from project "aura"?
>

How did you get added to the "aura" project?  If you can't view role
bindings, then you likely don't have the "view" role and you have been
given a more constrained role.  You'd need to ask the person who added you
in that case.


> And how could I find which users belong to project "aura"?
>

You can see which users have been added with explicit roles by doing "oc
get rolebindings".  You can see who can view the namespace by running "oc
policy who-can get namespace aura" if you have sufficient permissions.


>
> 2, basic-user
>
> When should "basic-user" be used? It seems that basic-user is cluster
> wide. Is my understanding right?
>

There are two types of role bindings - namespace scoped role bindings
(rolebindings) and cluster scoped role bindings (clusterrolebindings).  If
you add someone to a clusterrolebinding they have that role on all
namespaces in the cluster.  If you add someone with a rolebinding, they
only have that permission on the namespace the rolebinding is created in.


>
> 3, user created automatically
>
> When I issue the instruction "oc login -u test2 -p test2", user
> "test2" is to be created automatically.
>
> After user creation, which project does the created user belong to?
>

None, unless you grant a clusterrolebinding to a group and the new user is
in that group.


>
> Thanks,
>
> Jared, (韦煜)
> Software developer
> Interested in open source software, big data, Linux
>
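
The scoping rule in the reply above (a rolebinding applies only in its own namespace, a clusterrolebinding in all of them, and a group subject covers every member of the group) can be checked offline against exported bindings. The following is an added example, not part of the thread: the JSON is a constructed sample shaped like `oc get rolebindings,clusterrolebindings -o json` output, the binding names and subject kinds in it are assumptions, and it assumes a logged-in user belongs to the virtual group system:authenticated.

```python
import json

# Constructed sample; binding names and roles are illustrative and are not
# taken from the cluster discussed in the thread.
SAMPLE = json.loads("""
{"items": [
 {"kind": "RoleBinding", "metadata": {"name": "admin", "namespace": "aura"},
  "roleRef": {"name": "admin"},
  "subjects": [{"kind": "User", "name": "aura"}]},
 {"kind": "RoleBinding", "metadata": {"name": "edit", "namespace": "aura"},
  "roleRef": {"name": "edit"},
  "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]},
 {"kind": "RoleBinding", "metadata": {"name": "admin", "namespace": "test1"},
  "roleRef": {"name": "admin"},
  "subjects": [{"kind": "User", "name": "test1"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "basic-users"},
  "roleRef": {"name": "basic-user"},
  "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]}
]}
""")

# Subject kinds treated as users and as groups (assumed spellings).
USER_KINDS = {"User", "SystemUser"}
GROUP_KINDS = {"Group", "SystemGroup"}

def explain_access(items, user, groups, namespace):
    """Return (scope, binding, role, via) for every binding that applies to
    `user` in `namespace`, either directly or through one of `groups`."""
    hits = []
    for b in items:
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        if not cluster_wide and b["metadata"].get("namespace") != namespace:
            continue  # a rolebinding only counts in its own namespace
        for s in b.get("subjects") or []:
            if s["kind"] in USER_KINDS and s["name"] == user:
                via = "user " + user
            elif s["kind"] in GROUP_KINDS and s["name"] in groups:
                via = "group " + s["name"]
            else:
                continue
            scope = "cluster" if cluster_wide else "namespace"
            hits.append((scope, b["metadata"]["name"], b["roleRef"]["name"], via))
    return hits

if __name__ == "__main__":
    # A freshly created user with no explicit bindings of its own.
    for hit in explain_access(SAMPLE["items"], "hello", {"system:authenticated"}, "aura"):
        print(hit)
```

In the constructed data, the new user reaches "aura" only through the group subject, so a binding that names a group is the thing to look for when a project shows up for every new login.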


Several questions about authorization

2017-12-18 Thread Yu Wei
Hi,

I have several questions about user and authorization management.

1, How could I remove a user from a project?



[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc project ':

  * aura
    test1

Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project "aura"

How should I remove user "test1" from project "aura"?

And how could I find which users belong to project "aura"?


2, basic-user

When should "basic-user" be used? It seems that basic-user is cluster wide. 
Is my understanding right?


3, user created automatically

When I issue the instruction "oc login -u test2 -p test2", user "test2" is
to be created automatically.

After user creation, which project does the created user belong to?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux