Re: service account for rest api

hello > El 20 oct 2017, a las 9:57, Frederic Giloux escribió: > > Hi Julio > > a couple of points here: > - oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n > project1 would have worked for the project. did not work :( trust me .. checked a lot

Re: service account for rest api

Hi Julio a couple of points here: - oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n project1 would have worked for the project. If you have used oadm policy add-cluster-role-to-user you should use a cluster role, which view or cluster-admin are and admin is not. - we

Re: service account for rest api

python problem solved too all working view role was the key :/ > El 20 oct 2017, a las 9:27, Julio Saura escribió: > > problem solved > > i do not know why but giving user role view instead of admin make the trick .. > > :/ > > now i am able to access using curl with

Re: service account for rest api

problem solved i do not know why but giving user role view instead of admin make the trick .. :/ now i am able to access using curl with the token, but not using python xD i get a 401 with long token, but i i use the short one that oc login gives works xD > El 20 oct 2017, a las 8:59,

Re: service account for rest api

Julio, have you tried the command with higer log level as per my previous email? # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga --loglevel=8 This gives you the successful rest call, which is made by the OC client to the API server. You can then check whether it differs from

Re: service account for rest api

headers look ok in curl request * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS

Re: service account for rest api

compiled last stable curl version same problem { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "User \"system:serviceaccount:project1:inciga\" cannot list replicationcontrollers in project \”project1\"", "reason": "Forbidden", "details": {

Re: service account for rest api

tried no luck :( Julio Saura Alejandre Responsable Servicios Gestionados hiberus TRAVEL Tel.: + 34 902 87 73 92 Ext. 659 Parque Empresarial PLAZA Edificio EXPOINNOVACIÓN C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza www.hiberus.com Crecemos contigo Este

Re: service account for rest api

Hello I tried with view and cluster-admin too. No luck Guess is the curl issue Ty! > El 19 oct 2017, a las 21:40, Luke Meyer escribió: > > > >> On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura wrote: >> yes ofc >> >> oc create serviceaccount icinga -n

Re: service account for rest api

On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura wrote: > yes ofc > > oc create serviceaccount icinga -n project1 > > oadm policy add-cluster-role-to-user admin system:serviceaccounts: > project1:icinga > There is no cluster role "admin" (... by default anyway, you could of

Re: service account for rest api

Yikes !! I will check tomorrow Ty! > El 19 oct 2017, a las 18:16, Cesar Wong escribió: > > > Julio, > > Depending on your version of curl, you may be hitting this: > https://bugzilla.redhat.com/show_bug.cgi?id=1260178 > > On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura

Re: service account for rest api

Very good. The issue is with your curl. Next step run the same command with --loglevel=8 and check the queries that are sent to the API server. Regards, Frédéric On 19 Oct 2017 18:11, "Julio Saura" wrote: > umm that works … > > weird > > *Julio Saura Alejandre* >

Re: service account for rest api

Julio, Depending on your version of curl, you may be hitting this: https://bugzilla.redhat.com/show_bug.cgi?id=1260178 [https://bugzilla.redhat.com/show_bug.cgi?id=1260178] On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura wrote: umm that works … weird Julio Saura Alejandre

Re: service account for rest api

umm that works … weird Julio Saura Alejandre Responsable Servicios Gestionados hiberus TRAVEL Tel.: + 34 902 87 73 92 Ext. 659 Parque Empresarial PLAZA Edificio EXPOINNOVACIÓN C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza www.hiberus.com Crecemos contigo

Re: service account for rest api

You can try the following: oc get rc -n project1 --as=system:serviceaccounts:project1:inciga On 19 Oct 2017 17:51, "Julio Saura" wrote: > typo yes sorry > > curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" > -H "Content-Type: application/json"

Re: service account for rest api

typo yes sorry > curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H > "Content-Type: application/json" > https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers > >

Re: service account for rest api

Hi Julio, the following works for me: # oc new-project project1 # oc create serviceaccount inciga -n project1 # oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n project1 # curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type:

Re: service account for rest api

yes ofc oc create serviceaccount icinga -n project1 oadm policy add-cluster-role-to-user admin system:serviceaccounts:project1:icinga oadm policy reconcile-cluster-roles —confirm and then dump the token oc serviceaccounts get-token icing ty frederic! i do login with curl but i get {

Re: service account for rest api

Hi Julio, Could you copy the commands you have used? Regards, Frédéric On 19 Oct 2017 11:43, "Julio Saura" wrote: > Hello > > i am trying to create a sa for accessing rest api with token .. > > i have followed the doc steps > > creating the account, applying admin role to