The problem is that we can't connect to openshift using system:admin when we use an identity provider

oc login -u system:admin
> Authentication required for https://192.168.99.100:8443 (openshift)
> Username: system:admin
> Password:
> error: username system:admin is invalid for basic auth
> I can connect with my user admin (defined within keycloak)
> root@openshift:/mnt/sda1/tmp/kubectl# oc login -u admin -p admin
> Login successful.
> You have access to the following projects and can switch between them with
> 'oc project <projectname>':
> * default
> * demo (current)
> * openshift
> * openshift-infra

FYI : The workaround that I have used to add the cluster-admin role to my user admin is

oc adm policy add-cluster-role-to-user cluster-admin admin --config=admin.kubeconfig

and now I can execute admin commands

oc describe clusterPolicy default
Name: default
Created: 2 hours ago
Labels: <none>
Annotations: <none>
Last Modified: 2016-05-20 12:30:25 +0000 UTC
...

REMARK : That should be documented within the user/admin guide of Openshift

On Fri, May 20, 2016 at 4:35 PM, Jordan Liggitt <[email protected]> wrote:

> The admin.kubeconfig generated at startup contains client-certificate
> credentials for the system:admin user, which has full access to the system.
> Acting as that user, you can grant permissions (including cluster-admin) to
> other users
>
> On Fri, May 20, 2016 at 8:05 AM, Charles Moulliard <[email protected]>
> wrote:
>
>> Is there a by default user that we could use to configure roles, ... for
>> the users authenticated by the identity provider ? If I try to log on using
>> this command
>>
>> ./oc login https://192.168.99.100:8443 -u system:admin
>>
>> that fails
>>
>> Login failed (401 Unauthorized)
>> You must obtain an API token by visiting
>> https://192.168.99.100:8443/oauth/token/request
>>
>> On Fri, May 20, 2016 at 1:55 PM, Skarbek, John <[email protected]>
>> wrote:
>>
>>> Charles,
>>>
>>> You’ve created a new user in the system, and by default he’s not going
>>> to inherit any permissions. You’ll need to add a role to the user to access
>>> any projects. A command such as this should provide you admin access to the
>>> default project:
>>>
>>> oc policy add-role-to-user admin admin -n default
>>>
>>> That command would need to be run by a user that already has access to
>>> manage users/policies.
>>>
>>> https://docs.openshift.org/latest/admin_guide/manage_users.html
>>> https://docs.openshift.org/latest/admin_guide/manage_authorization_policy.html
>>>
>>> --
>>> John Skarbek
>>>
>>> On May 20, 2016 at 07:26:12, Charles Moulliard ([email protected])
>>> wrote:
>>>
>>> Hi,
>>>
>>> I have configured Openshift Origin (version 18 of May 2016) with an
>>> external identity provider. The user (admin/admin) can be authenticated and
>>> I get an openshift token that I can use with the oc client
>>>
>>> Example :
>>>
>>> oc login https://192.168.99.100:8443 --token=g-4GsryPAdD6kttH6JV295xr3exXr46IsKtZjLt0gx4
>>> Logged into "https://192.168.99.100:8443" as "admin" using the token provided.
>>>
>>> You don't have any projects. You can try to create a new project, by
>>> running
>>>
>>> $ oc new-project <projectname>
>>>
>>> As we can see, I'm connected and authenticated to the platform but no
>>> projects are assigned to the user 'admin'
>>>
>>> If I try to access the project default or create it, then that fails
>>>
>>> ./oc project default
>>> error: You are not a member of project "default".
>>>
>>> ./oc new-project default
>>> Error from server: project "default" already exists
>>>
>>> What should I do to get/access the projects ?
>>>
>>> Regards,
>>>
>>> Charles
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
