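Hey Olaf -- You can do this as the system:admin user, which is the built-in cluster "superuser". To log in as system:admin, you have to be SSH'd into one of your masters as the root user (system:admin authenticates with the client certificate in root's kubeconfig on the master rather than with a password, so access to that shell and file is what gates it):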
[[email protected] ~] oc login -u system:admin This account has no password but is only available from the shell of a master with you as the root user. Once you've done that, you can run the add-role-to-user command that you were attempting. Regards, Harrison On Tue, Jul 5, 2016 at 3:56 AM, Olaf Radicke <[email protected]> wrote: > Hi, > > I added a first user over the htpasswd file. So far so good. Now I like to > add this user to the cluster-admin role. But I don't have permissions. So > what is the right way? > > Best regards, > > Olaf > > > --------------[ snip ]--------------- > > [root@os-master ~]# oc login > Authentication required for https://192.168.122.249:8443 (openshift) > Username: admin > Password: > Login successful. > > Using project "meteocontrol-testing". > > [root@os-master ~]# oc describe clusterPolicy default > Error from server: User "admin" cannot get clusterpolicies at the cluster > scope > > [root@os-master ~]# oadm policy add-role-to-user cluster-admin admin > error: You must be logged in to the server (attempt to grant extra > privileges: [PolicyRule{Verbs:[*], APIGroups:[*], Resources:[*], > ResourceNames:[], Restrictions:<nil>}] user=&{admin > fcd285f3-3cfe-11e6-8c1a-525400e34c10 [system:authenticated:oauth > system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete > deletecollection get list patch update watch], APIGroups:[], > Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach > pods/exec pods/log pods/portforward pods/proxy replicationcontrollers > replicationcontrollers/scale secrets serviceaccounts services > services/proxy], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[create delete deletecollection get list patch update > watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate > buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds > builds/clone builds/log deploymentconfigrollbacks deploymentconfigs > deploymentconfigs/log deploymentconfigs/scale 
deployments > generatedeploymentconfigs imagestreamimages imagestreamimports > imagestreammappings imagestreams imagestreams/secrets imagestreamtags > localresourceaccessreviews localsubjectaccessreviews processedtemplates > projects resourceaccessreviews rolebindings roles routes > subjectaccessreviews templateconfigs templates], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get > list patch update watch], APIGroups:[autoscaling], > Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[create delete deletecollection get list patch update > watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get > list patch update watch], APIGroups:[extensions], > Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], > ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], > APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[], > Resources:[bindings configmaps endpoints events imagestreams/status > limitranges minions namespaces namespaces/status nodes > persistentvolumeclaims persistentvolumes pods pods/log pods/status policies > policybindings replicationcontrollers replicationcontrollers/status > resourcequotas resourcequotas/status resourcequotausages routes/status > securitycontextconstraints serviceaccounts services], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], > Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], > ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], > Resources:[], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[create get], APIGroups:[], > Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} > 
PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], > Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], > ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], > APIGroups:[], Resources:[builds/docker], ResourceNames:[], > Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], > Resources:[builds/custom], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], > Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], > Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], > ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], > APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} > PolicyRule{Verbs:[create], APIGroups:[], > Resources:[localsubjectaccessreviews subjectaccessreviews], > ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[delete], > APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], > ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[]) > [root@os-master ~]# oadm policy add-scc-to-user privileged admin > Error from server: User "admin" cannot get securitycontextconstraints at > the cluster scope > [root@os-master ~]# > > > --------------[ snap ]--------------- > > -- > Mit freundlichen Grüßen / Best regards > > Olaf Radicke > > --- > > meteocontrol GmbH > Energy & Weather Services > > Spicherer Strasse 48 > 86157 Augsburg, Germany > Phone +49 821 34666-265 > Fax +49 821 34666-9032 > Email [email protected] > Web: http://www.meteocontrol.de > > Management Board: Martin Schneider, Robert Pfatischer, Jing Nealis > Register Court: Amtsgericht Augsburg, HRB 16 415 > > _______________________________________________ > users mailing list > [email protected] > 
http://lists.openshift.redhat.com/openshiftmm/listinfo/users >
