So I'll need to query each group and look for the user in question to be a member?
On Thu, Jun 16, 2016 at 4:24 PM, Jordan Liggitt <[email protected]> wrote:
> There's not an efficient API query to determine that today. Internally,
> the API server maintains a reverse index of username to group names by
> watching updates to the Group API objects
>
> On Thu, Jun 16, 2016 at 4:03 PM, Marc Boorshtein <[email protected]>
> wrote:
>
>> oh, if the groups field on the user is deprecated how would I know what
>> groups a specific user has?
>>
>> On Thu, Jun 16, 2016 at 3:57 PM, Jordan Liggitt <[email protected]>
>> wrote:
>>
>>> Your command looks correct. Specifying groups directly on a user via the
>>> groups field is deprecated. `oc get group cluster-administrators -o yaml`
>>> would show that your command is effective.
>>>
>>> When a user makes an API request, their effective groups are determined
>>> by combining the names of the Group objects containing their username, the
>>> contents of the deprecated groups field on their User object, and virtual
>>> groups like "system:authenticated".
>>>
>>> On Thu, Jun 16, 2016 at 3:53 PM, Marc Boorshtein <[email protected]>
>>> wrote:
>>>
>>>> I can't seem to add a user to a group. I have a user:
>>>>
>>>> $ curl -k -v -XGET -H "User-Agent: oc/v1.1.2 (darwin/amd64)
>>>> openshift/2711160" -H "Authorization: Bearer
>>>> PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI"
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4
>>>> * Trying 192.168.2.191...
>>>> * Connected to openshift.rheldemo.lan (192.168.2.191) port 8443 (#0)
>>>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> * Server certificate: 172.30.0.1
>>>> * Server certificate: openshift-signer@1465933076
>>>> > GET /oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4 HTTP/1.1
>>>> > Host: openshift.rheldemo.lan:8443
>>>> > Accept: */*
>>>> > User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
>>>> > Authorization: Bearer PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI
>>>> >
>>>> < HTTP/1.1 200 OK
>>>> < Cache-Control: no-store
>>>> < Content-Type: application/json
>>>> < Date: Thu, 16 Jun 2016 19:47:05 GMT
>>>> < Content-Length: 381
>>>> <
>>>> {"kind":"User","apiVersion":"v1","metadata":{"name":"0b126172-33e9-11e6-9c91-525400d4fbc4","selfLink":"/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4","uid":"4c403e86-33f4-11e6-b368-fa163ef48e94","resourceVersion":"17244","creationTimestamp":"2016-06-16T18:58:22Z"},"fullName":"OpenShift
>>>> Admin","identities":["unison_ldap:0b126172-33e9-11e6-9c91-525400d4fbc4"],"groups":null}
>>>>
>>>> then I run oadm to add the user to a group:
>>>>
>>>> [root@openshift ~]# oadm --loglevel 9 groups add-users
>>>> cluster-administrators 0b126172-33e9-11e6-9c91-525400d4fbc4
>>>>
>>>>
>>>> ================================================================================
>>>> ATTENTION: You are running oadm via a wrapper around 'docker run
>>>> openshift/origin:v1.3.0-alpha.1'.
>>>> This wrapper is intended only to be used to bootstrap an environment.
>>>> Please
>>>> install client tools on another host once you have granted cluster-admin
>>>> privileges to a user.
>>>> See
>>>> https://docs.openshift.org/latest/cli_reference/get_started_cli.html
>>>>
>>>> =================================================================================
>>>>
>>>> Usage of loopback devices is strongly discouraged for production use.
>>>> Either use `--storage-opt dm.thinpooldev` or use `--storage-opt
>>>> dm.no_warn_on_loop_devices=true` to suppress this warning.
>>>> I0616 19:50:26.085449 1 loader.go:242] Config loaded from file
>>>> /root/.kube/config
>>>> I0616 19:50:26.087794 1 round_trippers.go:299] curl -k -v -XGET
>>>> -H "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0
>>>> (linux/amd64) kubernetes/6e83535"
>>>> https://openshift.rheldemo.lan:8443/api
>>>> I0616 19:50:26.125647 1 round_trippers.go:318] GET
>>>> https://openshift.rheldemo.lan:8443/api 200 OK in 37 milliseconds
>>>> I0616 19:50:26.125669 1 round_trippers.go:324] Response Headers:
>>>> I0616 19:50:26.125677 1 round_trippers.go:327] Date: Thu, 16
>>>> Jun 2016 19:50:26 GMT
>>>> I0616 19:50:26.125685 1 round_trippers.go:327]
>>>> Content-Length: 135
>>>> I0616 19:50:26.125691 1 round_trippers.go:327] Cache-Control:
>>>> no-store
>>>> I0616 19:50:26.125696 1 round_trippers.go:327] Content-Type:
>>>> application/json
>>>> I0616 19:50:26.125765 1 request.go:870] Response Body:
>>>> {"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"
>>>> 0.0.0.0/0","serverAddress":"192.168.100.6:443"}]}
>>>> I0616 19:50:26.126056 1 round_trippers.go:299] curl -k -v -XGET
>>>> -H "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0
>>>> (linux/amd64) kubernetes/6e83535"
>>>> https://openshift.rheldemo.lan:8443/apis
>>>> I0616 19:50:26.126838 1 round_trippers.go:318] GET
>>>> https://openshift.rheldemo.lan:8443/apis 200 OK in 0 milliseconds
>>>> I0616 19:50:26.126866 1 round_trippers.go:324] Response Headers:
>>>> I0616 19:50:26.126872 1 round_trippers.go:327] Content-Type:
>>>> application/json
>>>> I0616 19:50:26.126877 1 round_trippers.go:327] Date: Thu, 16
>>>> Jun 2016 19:50:26 GMT
>>>> I0616 19:50:26.126883 1 round_trippers.go:327]
>>>> Content-Length: 775
>>>> I0616 19:50:26.126888 1 round_trippers.go:327] Cache-Control:
>>>> no-store
>>>> I0616 19:50:26.126922 1 request.go:870] Response Body:
>>>> {"kind":"APIGroupList","groups":[{"name":"autoscaling","versions":[{"groupVersion":"autoscaling/v1","version":"v1"}],"preferredVersion":{"groupVersion":"autoscaling/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
>>>> 0.0.0.0/0","serverAddress":"192.168.100.6:443
>>>> "}]},{"name":"batch","versions":[{"groupVersion":"batch/v1","version":"v1"}],"preferredVersion":{"groupVersion":"batch/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
>>>> 0.0.0.0/0","serverAddress":"192.168.100.6:443
>>>> "}]},{"name":"extensions","versions":[{"groupVersion":"extensions/v1beta1","version":"v1beta1"}],"preferredVersion":{"groupVersion":"extensions/v1beta1","version":"v1beta1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
>>>> 0.0.0.0/0","serverAddress":"192.168.100.6:443"}]}]}
>>>> I0616 19:50:26.132811 1 round_trippers.go:299] curl -k -v -XGET
>>>> -H "User-Agent: oadm/v1.3.0 (linux/amd64) openshift/6e83535" -H "Accept:
>>>> application/json, */*" https://openshift.rheldemo.lan:8443/oapi
>>>> I0616 19:50:26.133409 1 round_trippers.go:318] GET
>>>> https://openshift.rheldemo.lan:8443/oapi 200 OK in 0 milliseconds
>>>> I0616 19:50:26.133428 1 round_trippers.go:324] Response Headers:
>>>> I0616 19:50:26.133433 1 round_trippers.go:327] Cache-Control:
>>>> no-store
>>>> I0616 19:50:26.133439 1 round_trippers.go:327] Content-Type:
>>>> application/json
>>>> I0616 19:50:26.133450 1 round_trippers.go:327] Date: Thu, 16
>>>> Jun 2016 19:50:26 GMT
>>>> I0616 19:50:26.133455 1 round_trippers.go:327]
>>>> Content-Length: 93
>>>> I0616 19:50:26.133489 1 request.go:870] Response Body:
>>>> {"kind":"APIVersions","apiVersion":"v1","versions":["v1"],"serverAddressByClientCIDRs":null}
>>>> I0616 19:50:26.133763 1 round_trippers.go:299] curl -k -v -XGET
>>>> -H "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0
>>>> (linux/amd64) openshift/6e83535"
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
>>>> I0616 19:50:26.135065 1 round_trippers.go:318] GET
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
>>>> 200 OK in 1 milliseconds
>>>> I0616 19:50:26.135084 1 round_trippers.go:324] Response Headers:
>>>> I0616 19:50:26.135090 1 round_trippers.go:327] Cache-Control:
>>>> no-store
>>>> I0616 19:50:26.135095 1 round_trippers.go:327] Content-Type:
>>>> application/json
>>>> I0616 19:50:26.135101 1 round_trippers.go:327] Date: Thu, 16
>>>> Jun 2016 19:50:26 GMT
>>>> I0616 19:50:26.135106 1 round_trippers.go:327]
>>>> Content-Length: 295
>>>> I0616 19:50:26.135143 1 request.go:870] Response Body:
>>>> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
>>>> I0616 19:50:26.135544 1 request.go:555] Request Body:
>>>> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
>>>> I0616 19:50:26.135594 1 round_trippers.go:299] curl -k -v -XPUT
>>>> -H "Content-Type: application/json" -H "User-Agent: oadm/v1.3.0
>>>> (linux/amd64) openshift/6e83535" -H "Accept: application/json, */*"
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
>>>> I0616 19:50:26.137081 1 round_trippers.go:318] PUT
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
>>>> 200 OK in 1 milliseconds
>>>> I0616 19:50:26.137102 1 round_trippers.go:324] Response Headers:
>>>> I0616 19:50:26.137109 1 round_trippers.go:327] Date: Thu, 16
>>>> Jun 2016 19:50:26 GMT
>>>> I0616 19:50:26.137114 1 round_trippers.go:327]
>>>> Content-Length: 295
>>>> I0616 19:50:26.137120 1 round_trippers.go:327] Cache-Control:
>>>> no-store
>>>> I0616 19:50:26.137125 1 round_trippers.go:327] Content-Type:
>>>> application/json
>>>> I0616 19:50:26.137161 1 request.go:870] Response Body:
>>>> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
>>>>
>>>> Then I check the user again:
>>>>
>>>> $ curl -k -v -XGET -H "User-Agent: oc/v1.1.2 (darwin/amd64)
>>>> openshift/2711160" -H "Authorization: Bearer
>>>> PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI"
>>>> https://openshift.rheldemo.lan:8443/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4
>>>> * Trying 192.168.2.191...
>>>> * Connected to openshift.rheldemo.lan (192.168.2.191) port 8443 (#0)
>>>> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> * Server certificate: 172.30.0.1
>>>> * Server certificate: openshift-signer@1465933076
>>>> > GET /oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4 HTTP/1.1
>>>> > Host: openshift.rheldemo.lan:8443
>>>> > Accept: */*
>>>> > User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
>>>> > Authorization: Bearer PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI
>>>> >
>>>> < HTTP/1.1 200 OK
>>>> < Cache-Control: no-store
>>>> < Content-Type: application/json
>>>> < Date: Thu, 16 Jun 2016 19:52:56 GMT
>>>> < Content-Length: 381
>>>> <
>>>> {"kind":"User","apiVersion":"v1","metadata":{"name":"0b126172-33e9-11e6-9c91-525400d4fbc4","selfLink":"/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4","uid":"4c403e86-33f4-11e6-b368-fa163ef48e94","resourceVersion":"17244","creationTimestamp":"2016-06-16T18:58:22Z"},"fullName":"OpenShift
>>>> Admin","identities":["unison_ldap:0b126172-33e9-11e6-9c91-525400d4fbc4"],"groups":null}
>>>>
>>>> Notice that the user's groups are still null....am I missing something?
>>>>
>>>> Thanks
>>>> Marc
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> [email protected]
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
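Added example (not part of the original thread and not OpenShift's own code): a client-side version of the lookup described in the thread, building the username-to-group reverse index from Group objects and combining it with the deprecated User `groups` field and the "system:authenticated" virtual group. The sample objects and the names `alice`, `developers`, `legacy-ops` and `empty-group` are constructed, and the GroupList shape with an `items` array is an assumption about what listing the Group objects returns.

```python
import json
from collections import defaultdict

# Constructed sample data shaped like the Group and User objects in the thread.
GROUP_LIST = json.loads("""
{"kind": "GroupList", "apiVersion": "v1", "items": [
  {"kind": "Group", "metadata": {"name": "cluster-administrators"},
   "users": ["0b126172-33e9-11e6-9c91-525400d4fbc4"]},
  {"kind": "Group", "metadata": {"name": "developers"},
   "users": ["alice", "0b126172-33e9-11e6-9c91-525400d4fbc4"]},
  {"kind": "Group", "metadata": {"name": "empty-group"}, "users": null}
]}
""")
USERS = json.loads("""
[{"kind": "User", "metadata": {"name": "0b126172-33e9-11e6-9c91-525400d4fbc4"},
  "groups": null},
 {"kind": "User", "metadata": {"name": "alice"}, "groups": ["legacy-ops"]}]
""")

# Only the virtual group named in the thread; a real server may add others.
VIRTUAL_GROUPS = {"system:authenticated"}


def build_reverse_index(group_list):
    """Map username -> set of Group names, in one pass over all Group objects."""
    index = defaultdict(set)
    for group in group_list.get("items") or []:
        for username in group.get("users") or []:  # "users" can be null
            index[username].add(group["metadata"]["name"])
    return index


def effective_groups(user, index, authenticated=True):
    """Combine Group membership, the deprecated User.groups field and virtual groups."""
    groups = set(index.get(user["metadata"]["name"], ()))
    groups.update(user.get("groups") or [])  # null on the user in the thread
    if authenticated:
        groups.update(VIRTUAL_GROUPS)
    return sorted(groups)


def members_of(index, group_name):
    """Audit helper: every username the index places in group_name."""
    return sorted(u for u, names in index.items() if group_name in names)


if __name__ == "__main__":
    idx = build_reverse_index(GROUP_LIST)
    for u in USERS:
        print(u["metadata"]["name"], effective_groups(u, idx))
```

For access reviews, `"groups": null` on a User object says nothing about privilege: membership in cluster-administrators only shows up in the index built from the Group objects.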
