Chicken or the egg causality dilemma (Authorization Policies)

Tue, 05 Jul 2016 01:00:38 -0700 

Hi,
I added a first user over the htpasswd file. So far so good. Now I like to add this user to the cluster-admin role. But I don't have permissions. So what is the right way? 

Best regards,

Olaf


--------------[ snip ]---------------

[root@os-master ~]# oc login
Authentication required for https://192.168.122.249:8443 (openshift)
Username: admin
Password:
Login successful.

Using project "meteocontrol-testing".

[root@os-master ~]# oc describe clusterPolicy default

Error from server: User "admin" cannot get clusterpolicies at the 
cluster scope


[root@os-master ~]# oadm policy add-role-to-user cluster-admin admin

error: You must be logged in to the server (attempt to grant extra 
privileges: [PolicyRule{Verbs:[*], APIGroups:[*], Resources:[*], 
ResourceNames:[], Restrictions:<nil>}] user=&{admin 
fcd285f3-3cfe-11e6-8c1a-525400e34c10 [system:authenticated:oauth 
system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete 
deletecollection get list patch update watch], APIGroups:[], 
Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach 
pods/exec pods/log pods/portforward pods/proxy replicationcontrollers 
replicationcontrollers/scale secrets serviceaccounts services 
services/proxy], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[create delete deletecollection get list patch update 
watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate 
buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds 
builds/clone builds/log deploymentconfigrollbacks deploymentconfigs 
deploymentconfigs/log deploymentconfigs/scale deployments 
generatedeploymentconfigs imagestreamimages imagestreamimports 
imagestreammappings imagestreams imagestreams/secrets imagestreamtags 
localresourceaccessreviews localsubjectaccessreviews processedtemplates 
projects resourceaccessreviews rolebindings roles routes 
subjectaccessreviews templateconfigs templates], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get 
list patch update watch], APIGroups:[autoscaling], 
Resources:[horizontalpodautoscalers], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get 
list patch update watch], APIGroups:[batch], Resources:[jobs], 
ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete 
deletecollection get list patch update watch], APIGroups:[extensions], 
Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], 
ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], 
APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[], 
Resources:[bindings configmaps endpoints events imagestreams/status 
limitranges minions namespaces namespaces/status nodes 
persistentvolumeclaims persistentvolumes pods pods/log pods/status 
policies policybindings replicationcontrollers 
replicationcontrollers/status resourcequotas resourcequotas/status 
resourcequotausages routes/status securitycontextconstraints 
serviceaccounts services], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get update], APIGroups:[], 
Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], 
ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], 
APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[create get], APIGroups:[], 
Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], 
Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], 
ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], 
APIGroups:[], Resources:[builds/docker], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], 
Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], 
ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], 
APIGroups:[], Resources:[projectrequests], ResourceNames:[], 
Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], 
Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], 
ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], 
APIGroups:[], Resources:[localsubjectaccessreviews 
subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} 
PolicyRule{Verbs:[delete], APIGroups:[], Resources:[oauthaccesstokens 
oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>}] 
ruleResolutionErrors=[])

[root@os-master ~]# oadm policy add-scc-to-user privileged admin

Error from server: User "admin" cannot get securitycontextconstraints at 
the cluster scope

[root@os-master ~]#


--------------[ snap ]---------------

--
Mit freundlichen Grüßen / Best regards

Olaf Radicke

---

meteocontrol GmbH
Energy & Weather Services

Spicherer Strasse 48
86157 Augsburg, Germany
Phone +49 821 34666-265
Fax +49 821 34666-9032
Email [email protected]
Web: http://www.meteocontrol.de

Management Board: Martin Schneider, Robert Pfatischer, Jing Nealis
Register Court: Amtsgericht Augsburg, HRB 16 415

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users






















					Reply via email to