Re: service account for rest api

2017-10-20 Thread Julio Saura
hello


> On 20 Oct 2017, at 9:57, Frederic Giloux wrote:
> 
> Hi Julio
> 
> a couple of points here:
> - oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n 
> project1 would have worked for the project.

did not work :( trust me .. checked a lot of times

same command with view role did the trick

> If you have used oadm policy add-cluster-role-to-user you should use a 
> cluster role, which view or cluster-admin are and admin is not.

also tried, no luck :(



> - we validated with oc get rc -n project1 
> --as=system:serviceaccounts:project1:inciga that the rights were sufficient 
> for queries specific to the project.

i know .. and i am still trying to understand why the view role did the trick 
for me using curl or python request and was not needed using oc get ..

> - when you say the token provided by oc login you probably mean the token of 
> a user account, which is shorter than the token of a service account. On the 
> other hand it will expire, which is not the case for a token of a service 
> account.

right! that is why i decided to move to service account
> 
> Happy that it works for you now.

me too :)

thanks all for the support.

> 
> Regards,
> 
> Frédéric
> 
> 
> On Fri, Oct 20, 2017 at 9:40 AM, Julio Saura wrote:
> python problem solved too
> 
> all working
> 
> view role was the key :/
> 
> 
> 
> 
>> On 20 Oct 2017, at 9:27, Julio Saura wrote:
>> 
>> problem solved
>> 
>> i do not know why but giving user role view instead of admin make the trick 
>> ..
>> 
>> :/
>> 
>> now i am able to access using curl with the token, but not using python xD i 
>> get a 401 with long token, but if i use the short one that oc login gives 
>> works xD
>> 
>> 
>> 
>> 
>>> On 20 Oct 2017, at 8:59, Frederic Giloux wrote:
>>> 
>>> Julio,
>>> 
>>> have you tried the command with higher log level as per my previous email?
>>> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga 
>>> --loglevel=8
>>> This gives you the successful rest call, which is made by the OC client to 
>>> the API server. You can then check whether it differs from your curl.
>>> 
>>> Regards,
>>> 
>>> Frédéric
>>> 
>>> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura wrote:
>>> headers look ok in curl request
>>> 
>>> * Cipher selection: 
>>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>> * successfully set certificate verify locations:
>>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>>   CApath: none
>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>> * NPN, negotiated HTTP1.1
>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>>> * Server certificate:
>>> *  subject: CN=10.1.5.31
>>> *  start date: Sep 21 11:19:56 2017 GMT
>>> *  expire date: Sep 21 11:19:57 2019 GMT
>>> *  issuer: CN=openshift-signer@1505992768
>>> *  SSL certificate verify result: self signed certificate in certificate 
>>> chain (19), continuing anyway.
>>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>>> > Host: BALANCER:8443
>>> > User-Agent: curl/7.56.0
>>> > Accept: */*
>>> > Authorization: Bearer 
>>> > eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
>>> > Content-Type: application/json
>>> >
>>> < HTTP/1.1 403 Forbidden
>>> < Cache-Control: no-store
>>> < Content-Type: application/json
>>> < Date: Fri, 

Re: service account for rest api

2017-10-20 Thread Frederic Giloux
Hi Julio

a couple of points here:
- oc policy add-role-to-user admin system:serviceaccounts:project1:inciga
-n project1 would have worked for the project. If you have used oadm policy
add-cluster-role-to-user you should use a cluster role, which view or
cluster-admin are and admin is not.
- we validated with oc get rc -n project1
--as=system:serviceaccounts:project1:inciga
that the rights were sufficient for queries specific to the project.
- when you say the token provided by oc login you probably mean the token
of a user account, which is shorter than the token of a service account. On
the other hand it will expire, which is not the case for a token of a
service account.

Happy that it works for you now.

Regards,

Frédéric


On Fri, Oct 20, 2017 at 9:40 AM, Julio Saura  wrote:

> python problem solved too
>
> all working
>
> view role was the key :/
>
>
>
>
> On 20 Oct 2017, at 9:27, Julio Saura wrote:
>
> problem solved
>
> i do not know why but giving user role view instead of admin make the
> trick ..
>
> :/
>
> now i am able to access using curl with the token, but not using python xD
> i get a 401 with long token, but if i use the short one that oc login gives
> works xD
>
>
>
>
> On 20 Oct 2017, at 8:59, Frederic Giloux wrote:
>
> Julio,
>
> have you tried the command with higher log level as per my previous email?
> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
> --loglevel=8
> This gives you the successful rest call, which is made by the OC client to
> the API server. You can then check whether it differs from your curl.
>
> Regards,
>
> Frédéric
>
> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura  wrote:
>
>> headers look ok in curl request
>>
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * NPN, negotiated HTTP1.1
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>> * Server certificate:
>> *  subject: CN=10.1.5.31
>> *  start date: Sep 21 11:19:56 2017 GMT
>> *  expire date: Sep 21 11:19:57 2019 GMT
>> *  issuer: CN=openshift-signer@1505992768
>> *  SSL certificate verify result: self signed certificate in certificate
>> chain (19), continuing anyway.
>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>> > Host: BALANCER:8443
>> > User-Agent: curl/7.56.0
>> > Accept: */*
>> *> Authorization: Bearer
>> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ*
>> > Content-Type: application/json
>> >
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Fri, 20 Oct 2017 06:28:52 GMT
>> < Content-Length: 295
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list
>> replicationcontrollers in project \"ldp\"",
>>   "reason": "Forbidden",
>>   "details": {
>> "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>>
>>
>>
>>
>> On 19 Oct 2017, at 18:17, Frederic Giloux wrote:
>>
>> Very good. The issue is with your curl. Next step run the same command
>> with --loglevel=8 and check the queries that are sent to the API server.
>>
>> Regards,
>>
>> Frédéric
>>
>> On 19 Oct 2017 18:11, "Julio Saura"  wrote:
>>
>>> umm that works 

Re: service account for rest api

2017-10-20 Thread Julio Saura
python problem solved too

all working

view role was the key :/




> On 20 Oct 2017, at 9:27, Julio Saura wrote:
> 
> problem solved
> 
> i do not know why but giving user role view instead of admin make the trick ..
> 
> :/
> 
> now i am able to access using curl with the token, but not using python xD i 
> get a 401 with long token, but if i use the short one that oc login gives 
> works xD
> 
> 
> 
> 
>> On 20 Oct 2017, at 8:59, Frederic Giloux wrote:
>> 
>> Julio,
>> 
>> have you tried the command with higher log level as per my previous email?
>> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga 
>> --loglevel=8
>> This gives you the successful rest call, which is made by the OC client to 
>> the API server. You can then check whether it differs from your curl.
>> 
>> Regards,
>> 
>> Frédéric
>> 
>> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura wrote:
>> headers look ok in curl request
>> 
>> * Cipher selection: 
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * NPN, negotiated HTTP1.1
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>> * Server certificate:
>> *  subject: CN=10.1.5.31
>> *  start date: Sep 21 11:19:56 2017 GMT
>> *  expire date: Sep 21 11:19:57 2019 GMT
>> *  issuer: CN=openshift-signer@1505992768
>> *  SSL certificate verify result: self signed certificate in certificate 
>> chain (19), continuing anyway.
>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>> > Host: BALANCER:8443
>> > User-Agent: curl/7.56.0
>> > Accept: */*
>> > Authorization: Bearer 
>> > eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
>> > Content-Type: application/json
>> >
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Fri, 20 Oct 2017 06:28:52 GMT
>> < Content-Length: 295
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list 
>> replicationcontrollers in project \"ldp\"",
>>   "reason": "Forbidden",
>>   "details": {
>> "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>> 
>> 
>> 
>> 
>>> On 19 Oct 2017, at 18:17, Frederic Giloux wrote:
>>> 
>>> Very good. The issue is with your curl. Next step run the same command with 
>>> --loglevel=8 and check the queries that are sent to the API server. 
>>> 
>>> Regards, 
>>> 
>>> Frédéric 
>>> 
>>> On 19 Oct 2017 18:11, "Julio Saura" wrote:
>>> umm that works …
>>> 
>>> weird
>>> 
>>> Julio Saura Alejandre
>>> Head of Managed Services
>>> hiberus TRAVEL
>>> Tel.: + 34 902 87 73 92 Ext. 659 
>>> Parque Empresarial PLAZA
>>> Edificio EXPOINNOVACIÓN
>>> C/. Bari 25  
>>> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
>>> www.hiberus.com 
>>> We grow with you
>>> 
>>> This message is sent from the Hiberus mail platform. This message 
>>> and any documents attached to it are addressed exclusively to 
>>> the recipient and may contain privileged or 

Re: service account for rest api

2017-10-20 Thread Julio Saura
problem solved

i do not know why but giving user role view instead of admin make the trick ..

:/

now i am able to access using curl with the token, but not using python xD i 
get a 401 with long token, but if i use the short one that oc login gives works 
xD




> On 20 Oct 2017, at 8:59, Frederic Giloux wrote:
> 
> Julio,
> 
> have you tried the command with higher log level as per my previous email?
> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga 
> --loglevel=8
> This gives you the successful rest call, which is made by the OC client to 
> the API server. You can then check whether it differs from your curl.
> 
> Regards,
> 
> Frédéric
> 
> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura wrote:
> headers look ok in curl request
> 
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * NPN, negotiated HTTP1.1
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> * Server certificate:
> *  subject: CN=10.1.5.31
> *  start date: Sep 21 11:19:56 2017 GMT
> *  expire date: Sep 21 11:19:57 2019 GMT
> *  issuer: CN=openshift-signer@1505992768
> *  SSL certificate verify result: self signed certificate in certificate 
> chain (19), continuing anyway.
> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
> > Host: BALANCER:8443
> > User-Agent: curl/7.56.0
> > Accept: */*
> > Authorization: Bearer 
> > eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Fri, 20 Oct 2017 06:28:52 GMT
> < Content-Length: 295
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list 
> replicationcontrollers in project \"ldp\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
> 
> 
> 
> 
>> On 19 Oct 2017, at 18:17, Frederic Giloux wrote:
>> 
>> Very good. The issue is with your curl. Next step run the same command with 
>> --loglevel=8 and check the queries that are sent to the API server. 
>> 
>> Regards, 
>> 
>> Frédéric 
>> 
>> On 19 Oct 2017 18:11, "Julio Saura" wrote:
>> umm that works …
>> 
>> weird
>> 

Re: service account for rest api

2017-10-20 Thread Frederic Giloux
Julio,

have you tried the command with higher log level as per my previous email?
# oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
--loglevel=8
This gives you the successful rest call, which is made by the OC client to
the API server. You can then check whether it differs from your curl.

Regards,

Frédéric

On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura  wrote:

> headers look ok in curl request
>
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * NPN, negotiated HTTP1.1
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> * Server certificate:
> *  subject: CN=10.1.5.31
> *  start date: Sep 21 11:19:56 2017 GMT
> *  expire date: Sep 21 11:19:57 2019 GMT
> *  issuer: CN=openshift-signer@1505992768
> *  SSL certificate verify result: self signed certificate in certificate
> chain (19), continuing anyway.
> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
> > Host: BALANCER:8443
> > User-Agent: curl/7.56.0
> > Accept: */*
> *> Authorization: Bearer
> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ*
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Fri, 20 Oct 2017 06:28:52 GMT
> < Content-Length: 295
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list
> replicationcontrollers in project \"ldp\"",
>   "reason": "Forbidden",
>   "details": {
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
> On 19 Oct 2017, at 18:17, Frederic Giloux wrote:
>
> Very good. The issue is with your curl. Next step run the same command
> with --loglevel=8 and check the queries that are sent to the API server.
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 18:11, "Julio Saura"  wrote:
>
>> umm that works …
>>
>> weird
>>
>>
>> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
>>
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>>
>>
>>
>


-- 
*Frédéric Giloux*
Senior Middleware Consultant
Red Hat 

Re: service account for rest api

2017-10-20 Thread Julio Saura
headers look ok in curl request

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=10.1.5.31
*  start date: Sep 21 11:19:56 2017 GMT
*  expire date: Sep 21 11:19:57 2019 GMT
*  issuer: CN=openshift-signer@1505992768
*  SSL certificate verify result: self signed certificate in certificate chain 
(19), continuing anyway.
> GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
> Host: BALANCER:8443
> User-Agent: curl/7.56.0
> Accept: */*
> Authorization: Bearer 
> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Date: Fri, 20 Oct 2017 06:28:52 GMT
< Content-Length: 295
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:ldp:inciga\" cannot list 
replicationcontrollers in project \"ldp\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}




> On 19 Oct 2017, at 18:17, Frederic Giloux wrote:
> 
> Very good. The issue is with your curl. Next step run the same command with 
> --loglevel=8 and check the queries that are sent to the API server. 
> 
> Regards, 
> 
> Frédéric 
> 
> On 19 Oct 2017 18:11, "Julio Saura" wrote:
> umm that works …
> 
> weird
> 
> 
>> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
>> 
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
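
One check this exchange suggests, as an added example (not code from the thread): the 403 body names the caller as `system:serviceaccount:<namespace>:<name>`, while the role and `--as` commands quoted in the thread spell the subject `system:serviceaccounts:...`. The sketch below decodes a token's `sub` claim without verifying it and compares it with the subject a role was granted to; the token and Status body are constructed samples and the function names are hypothetical.

```python
import base64
import json
import re

# Kubernetes/OpenShift identity formats:
#   user  : system:serviceaccount:<namespace>:<name>  (singular)
#   group : system:serviceaccounts:<namespace>        (plural, all SAs in a namespace)
SA_USER = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")
DENIED = re.compile(r'User "([^"]+)" cannot (\w+) (\S+)')


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not a real credential; the signature part is a dummy).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "project1",
             "kubernetes.io/serviceaccount/service-account.name": "inciga",
             "sub": "system:serviceaccount:project1:inciga"}),
    "constructed-signature",
])

# Constructed sample modelled on the 403 Status body shown in the thread.
SAMPLE_STATUS = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'User "system:serviceaccount:project1:inciga" cannot list '
               'replicationcontrollers in project "project1"',
    "reason": "Forbidden", "details": {"kind": "replicationcontrollers"},
    "code": 403,
})


def jwt_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def denied_request(status_body):
    """Extract (user, verb, resource) from a 403 Status object, else None."""
    status = json.loads(status_body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    match = DENIED.search(status.get("message", ""))
    return match.groups() if match else None


def check_subject(bound_subject, effective_user):
    """Compare the subject a role was granted to with the user the API saw."""
    if bound_subject == effective_user:
        return []
    seen = SA_USER.match(effective_user)
    if seen is None:
        return ["effective user is not a service account: " + effective_user]
    findings = []
    fields = bound_subject.split(":")
    if fields[:2] == ["system", "serviceaccounts"] and len(fields) == 4:
        findings.append("plural 'serviceaccounts' with a name is neither the "
                        "user nor the namespace group; expected " + effective_user)
        fields[1] = "serviceaccount"  # keep comparing namespace and name
    bound = SA_USER.match(":".join(fields))
    if bound is None:
        findings.append("subject is not system:serviceaccount:<namespace>:<name>")
        return findings
    if bound.group(1) != seen.group(1):
        findings.append("namespace differs: %s vs %s" % (bound.group(1), seen.group(1)))
    if bound.group(2) != seen.group(2):
        findings.append("name differs: %s vs %s" % (bound.group(2), seen.group(2)))
    return findings


def diagnose(token, status_body, bound_subject):
    """Cross-check token identity, the denied user, and the role subject."""
    sub = jwt_claims(token)["sub"]
    findings = []
    denied = denied_request(status_body)
    if denied and denied[0] != sub:
        findings.append("403 names %s but the token sub is %s" % (denied[0], sub))
    return findings + check_subject(bound_subject, sub)


if __name__ == "__main__":
    for subject in ("system:serviceaccounts:project1:inciga",
                    "system:serviceaccount:project1:inciga"):
        print(subject, "->", diagnose(SAMPLE_TOKEN, SAMPLE_STATUS, subject) or "ok")
```
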


Re: service account for rest api

2017-10-20 Thread Julio Saura
compiled last stable curl version

same problem

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:inciga\" cannot list 
replicationcontrollers in project \"project1\"",
  "reason": "Forbidden",
  "details": {
"kind": "replicationcontrollers"
  },
  "code": 403
}

curl-7.56.0

this is weird

> On 19 Oct 2017, at 19:23, Hiberus wrote:
> 
> Yikes !!
> 
> I will check tomorrow 
> 
> Ty!
> 
> On 19 Oct 2017, at 18:16, Cesar Wong wrote:
> 
>> 
>> Julio, 
>> 
>> Depending on your version of curl, you may be hitting this:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1260178 
>> 
>> 
>> On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura wrote:
>> umm that works …
>> 
>> weird
>> 
>> 
>>> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
>>> 
>>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>> 


Re: service account for rest api

2017-10-20 Thread Julio Saura
tried

no luck :(



> On 19 Oct 2017, at 21:40, Luke Meyer wrote:
> 
> oc policy add-role-to-user admin



Re: service account for rest api

2017-10-19 Thread Hiberus
Hello

I tried with view and cluster-admin too. No luck

Guess it is the curl issue

Ty!

> On 19 Oct 2017, at 21:40, Luke Meyer wrote:
> 
> 
> 
>> On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura  wrote:
>> yes ofc
>> 
>> oc create serviceaccount icinga -n project1
>> 
>> oadm policy add-cluster-role-to-user admin system:serviceaccounts:project1:icinga
> 
> There is no cluster role "admin" (... by default anyway, you could of course 
> create one).
> 
> You probably wanted `oc policy add-role-to-user admin ...` to make the user 
> an admin of the project.
> 
> Unless you actually wanted them to be an admin of the entire cluster, in 
> which case the role is cluster-admin not admin.
> 
>  
>> 
>> oadm policy reconcile-cluster-roles --confirm
>> 
>> and then dump the token
>> 
>> oc serviceaccounts get-token icing
>> 
>> 
>> ty frederic!
>> 
>> i do login with curl but i get 
>> 
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list replicationcontrollers in project \"project1\"",
>>   "reason": "Forbidden",
>>   "details": {
>>     "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>> 
>> 
>> 
>> 
>> 
>>> On 19 Oct 2017, at 16:55, Frederic Giloux wrote:
>>> 
>>> Hi Julio, 
>>> 
>>> Could you copy the commands you have used?
>>> 
>>> Regards, 
>>> 
>>> Frédéric 
>>> 
>>>> On 19 Oct 2017 11:43, "Julio Saura" wrote:
>>>> Hello
>>>>
>>>> i am trying to create a sa for accessing rest api with token ..
>>>>
>>>> i have followed the doc steps
>>>>
>>>> creating the account, applying admin role to that account and getting the
>>>> token
>>>>
>>>> trying to access replicationcontroller info with bearer in curl, i can
>>>> auth into but i get i have no permission to list rc on the project
>>>>
>>>> i also did a reconciliate role on cluster
>>>>
>>>> i also logged in with oc login passing token as parameter, i log in but it
>>>> says i have no projects ..
>>>>
>>>> what else i am missing?
>>>>
>>>> ty


Re: service account for rest api

2017-10-19 Thread Luke Meyer
On Thu, Oct 19, 2017 at 10:58 AM, Julio Saura  wrote:

> yes ofc
>
> oc create serviceaccount icinga -n project1
>
> oadm policy add-cluster-role-to-user admin system:serviceaccounts:project1:icinga
>

There is no cluster role "admin" (... by default anyway, you could of
course create one).

You probably wanted `oc policy add-role-to-user admin ...` to make the user
an admin of the project.

Unless you actually wanted them to be an admin of the entire cluster, in
which case the role is cluster-admin not admin.



>
> oadm policy reconcile-cluster-roles --confirm
>
> and then dump the token
>
> oc serviceaccounts get-token icing
>
>
> ty frederic!
>
> i do login with curl but i get
>
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
>     "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
>
> On 19 Oct 2017, at 16:55, Frederic Giloux wrote:
>
> Hi Julio,
>
> Could you copy the commands you have used?
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 11:43, "Julio Saura"  wrote:
>
>> Hello
>>
>> i am trying to create a sa for accessing rest api with token ..
>>
>> i have followed the doc steps
>>
>> creating the account, applying admin role to that account and getting the
>> token
>>
>> trying to access replicationcontroller info with bearer in curl, i can
>> auth into but i get i have no permission to list rc on the project
>>
>> i also did a reconciliate role on cluster
>>
>> i also logged in with oc login passing token as parameter, i log in but
>> it says i have no projects ..
>>
>> what else i am missing?
>>
>> ty
>>
>>
>>


Re: service account for rest api

2017-10-19 Thread Hiberus
Yikes !!

I will check tomorrow 

Ty!

> On 19 Oct 2017, at 18:16, Cesar Wong wrote:
> 
> 
> Julio, 
> 
> Depending on your version of curl, you may be hitting this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1260178
> 
> On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura  wrote:
> umm that works …
> 
> weird
> 
> 
>> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
>> 
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
> 


Re: service account for rest api

2017-10-19 Thread Frederic Giloux
Very good. The issue is with your curl. Next step run the same command with
--loglevel=8 and check the queries that are sent to the API server.

Regards,

Frédéric

On 19 Oct 2017 18:11, "Julio Saura"  wrote:

> umm that works …
>
> weird
>
>
> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
>
> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>
>
>


Re: service account for rest api

2017-10-19 Thread Cesar Wong
Julio,

Depending on your version of curl, you may be hitting this:
https://bugzilla.redhat.com/show_bug.cgi?id=1260178

On Thu, Oct 19, 2017 at 12:11 PM, Julio Saura wrote:
> umm that works …
>
> weird
>
>> On 19 Oct 2017, at 18:01, Frederic Giloux <fgil...@redhat.com> wrote:
>>
>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga


Re: service account for rest api

2017-10-19 Thread Julio Saura
umm that works …

weird


> On 19 Oct 2017, at 18:01, Frederic Giloux wrote:
> 
> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga



Re: service account for rest api

2017-10-19 Thread Frederic Giloux
You can try the following: oc get rc -n project1 --as=system:serviceaccounts:project1:inciga

On 19 Oct 2017 17:51, "Julio Saura"  wrote:

> typo yes sorry
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type: application/json" https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers --insecure
>
>
>
> is not project1 really i change the project name when i write the email
> sorry
>
>
>
>
> On 19 Oct 2017, at 17:49, Frederic Giloux wrote:
>
> Hi Julio
>
> I don't know whether that's a typo when you wrote the email but you get
> the sa token from project and request rc from project1.
>
> Regards,
>
> Frédéric
>
>
> On 19 Oct 2017 17:41, "Julio Saura"  wrote:
>
> typed same command than you
>
> still not working
>
> i have 3 masters balanced .. maybe is that
>
> i am doing the curl against the balancer..
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)" -H "Content-Type: application/json" https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers --insecure
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:inciga\" cannot list replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
>     "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
> On 19 Oct 2017, at 17:29, Frederic Giloux wrote:
>
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type: application/json" https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers
>
>
>
>
>


Re: service account for rest api

2017-10-19 Thread Julio Saura
typo yes sorry

> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type: application/json" https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers --insecure


is not project1 really i change the project name when i write the email sorry




> On 19 Oct 2017, at 17:49, Frederic Giloux wrote:
> 
> Hi Julio
> 
> I don't know whether that's a typo when you wrote the email but you get the 
> sa token from project and request rc from project1.
> 
> Regards, 
> 
> Frédéric 
> 
> 
> On 19 Oct 2017 17:41, "Julio Saura" wrote:
> typed same command than you
> 
> still not working
> 
> i have 3 masters balanced .. maybe is that
> 
> i am doing the curl against the balancer..
> 
> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project)" -H "Content-Type: application/json" https://MASTER_BALANCER_IP:8443/api/v1/namespaces/project1/replicationcontrollers --insecure
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:inciga\" cannot list replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
>     "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
> 
> 
> 
>> On 19 Oct 2017, at 17:29, Frederic Giloux wrote:
>> 
>> curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type: application/json" https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers
> 



Re: service account for rest api

2017-10-19 Thread Frederic Giloux
Hi Julio,

the following works for me:
# oc new-project project1
# oc create serviceaccount inciga -n project1
# oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n project1
# curl -k -H "Authorization: Bearer $(oc sa get-token inciga -n project1)" -H "Content-Type: application/json" https://192.168.42.199:8443/api/v1/namespaces/project1/replicationcontrollers

Regards,

Frédéric

On Thu, Oct 19, 2017 at 4:58 PM, Julio Saura  wrote:

> yes ofc
>
> oc create serviceaccount icinga -n project1
>
> oadm policy add-cluster-role-to-user admin system:serviceaccounts:project1:icinga
>
> oadm policy reconcile-cluster-roles --confirm
>
> and then dump the token
>
> oc serviceaccounts get-token icing
>
>
> ty frederic!
>
> i do login with curl but i get
>
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:serviceaccount:project1:icinga\" cannot list replicationcontrollers in project \"project1\"",
>   "reason": "Forbidden",
>   "details": {
>     "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
>
>
>
>
> On 19 Oct 2017, at 16:55, Frederic Giloux wrote:
>
> Hi Julio,
>
> Could you copy the commands you have used?
>
> Regards,
>
> Frédéric
>
> On 19 Oct 2017 11:43, "Julio Saura"  wrote:
>
>> Hello
>>
>> i am trying to create a sa for accessing rest api with token ..
>>
>> i have followed the doc steps
>>
>> creating the account, applying admin role to that account and getting the
>> token
>>
>> trying to access replicationcontroller info with bearer in curl, i can
>> auth into but i get i have no permission to list rc on the project
>>
>> i also did a reconciliate role on cluster
>>
>> i also logged in with oc login passing token as parameter, i log in but
>> it says i have no projects ..
>>
>> what else i am missing?
>>
>> ty
>>
>>
>>
>>
>
>


-- 
*Frédéric Giloux*
Senior Middleware Consultant
Red Hat Germany

fgil...@redhat.com M: +49-174-172-4661

redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted

Red Hat GmbH, http://www.de.redhat.com/ Sitz: Grasbrunn,
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill


Re: service account for rest api

2017-10-19 Thread Julio Saura
yes ofc

oc create serviceaccount icinga -n project1

oadm policy add-cluster-role-to-user admin system:serviceaccounts:project1:icinga

oadm policy reconcile-cluster-roles --confirm

and then dump the token

oc serviceaccounts get-token icing


ty frederic!

i do login with curl but i get 

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:icinga\" cannot list replicationcontrollers in project \"project1\"",
  "reason": "Forbidden",
  "details": {
    "kind": "replicationcontrollers"
  },
  "code": 403
}





> On 19 Oct 2017, at 16:55, Frederic Giloux wrote:
> 
> Hi Julio, 
> 
> Could you copy the commands you have used?
> 
> Regards, 
> 
> Frédéric 
> 
> On 19 Oct 2017 11:43, "Julio Saura" wrote:
> Hello
> 
> i am trying to create a sa for accessing rest api with token ..
> 
> i have followed the doc steps
> 
> creating the account, applying admin role to that account and getting the 
> token
> 
> trying to access replicationcontroller info with bearer in curl, i can auth 
> into but i get i have no permission to list rc on the project
> 
> i also did a reconciliate role on cluster
> 
> i also logged in with oc login passing token as parameter, i log in but it 
> says i have no projects ..
> 
> what else i am missing?
> 
> ty
> 
> 
> 
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
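
An added example, not part of the thread: a check that parses the 403 Status body quoted in the message above and compares the user the API server denied with the subject string passed to a grant command such as `add-role-to-user`. The sample body is reconstructed from the message; the function names and finding labels are assumptions of this example, and it handles user subjects only.

```python
import json
import re

# Constructed sample: the 403 body from the message above, with the message
# string on one line and the typographic quote replaced by a straight one.
SAMPLE_STATUS = r'''{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:project1:icinga\" cannot list replicationcontrollers in project \"project1\"",
  "reason": "Forbidden",
  "details": {"kind": "replicationcontrollers"},
  "code": 403
}'''

SA_USER_PREFIX = "system:serviceaccount:"    # user name of one service account
SA_GROUP_PREFIX = "system:serviceaccounts:"  # group of all service accounts in a namespace

DENIED_RE = re.compile(r'User "([^"]+)" cannot (\S+) (\S+) in project "([^"]+)"')


def parse_forbidden(body):
    """Return the user, verb, resource and project named in a 403 Status body."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    match = DENIED_RE.search(status.get("message", ""))
    if match is None:
        raise ValueError("unrecognised Forbidden message")
    user, verb, resource, project = match.groups()
    return {"user": user, "verb": verb, "resource": resource, "project": project}


def split_sa_user(subject):
    """Return (namespace, name) for a service account user name, else None."""
    if not subject.startswith(SA_USER_PREFIX):
        return None
    parts = subject[len(SA_USER_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def diagnose(body, granted_subject, binding_namespace):
    """Compare the denied user with the user subject a role was granted to.

    granted_subject is the string given to the grant command as a user name;
    binding_namespace is the project the role binding was created in (-n).
    Returns a list of finding labels; an empty list means the subject and the
    project both match, so the role itself is the next thing to inspect.
    """
    denied = parse_forbidden(body)
    denied_sa = split_sa_user(denied["user"])
    granted_sa = split_sa_user(granted_subject)
    findings = []
    if granted_sa is None and granted_subject.startswith(SA_GROUP_PREFIX):
        # The plural prefix names a group; as a user name it matches no account.
        findings.append("plural-prefix")
        rest = granted_subject[len(SA_GROUP_PREFIX):].split(":")
        granted_sa = (rest[0], rest[1]) if len(rest) == 2 else None
    if denied_sa and granted_sa:
        if denied_sa[0] != granted_sa[0]:
            findings.append("namespace-mismatch")
        if denied_sa[1] != granted_sa[1]:
            findings.append("name-mismatch")
    elif not findings and granted_subject != denied["user"]:
        findings.append("subject-mismatch")
    if binding_namespace != denied["project"]:
        findings.append("binding-in-other-project")
    return findings


if __name__ == "__main__":
    # Subject strings as they appear in the commands quoted in this thread.
    for subject in ("system:serviceaccounts:project1:icinga",
                    "system:serviceaccounts:project1:inciga",
                    "system:serviceaccount:project1:icinga"):
        print(subject, diagnose(SAMPLE_STATUS, subject, "project1"))
```

`oc policy add-role-to-user` also accepts `-z <name>` to name a service account in the current project without writing out the full user name.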


Re: service account for rest api

2017-10-19 Thread Frederic Giloux
Hi Julio,

Could you copy the commands you have used?

Regards,

Frédéric

On 19 Oct 2017 11:43, "Julio Saura"  wrote:

> Hello
>
> i am trying to create a sa for accessing rest api with token ..
>
> i have followed the doc steps
>
> creating the account, applying admin role to that account and getting the
> token
>
> trying to access replicationcontroller info with bearer in curl, i can
> auth into but i get i have no permission to list rc on the project
>
> i also did a reconciliate role on cluster
>
> i also logged in with oc login passing token as parameter, i log in but it
> says i have no projects ..
>
> what else i am missing?
>
> ty
>
>
>