hello
> On 20 Oct 2017, at 9:57, Frederic Giloux <[email protected]> wrote:
>
> Hi Julio
>
> a couple of points here:
> - oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n
> project1 would have worked for the project.

did not work :( trust me .. checked a lot of times same command with view role did the trick

> If you have used oadm policy add-cluster-role-to-user you should use a
> cluster role, which view or cluster-admin are and admin is not.

also tried, no luck :(

> - we validated with oc get rc -n project1
> --as=system:serviceaccounts:project1:inciga that the rights were sufficient
> for queries specific to the project.

i know .. and i am still trying to understand why the view role did the trick for me using curl or python request and was not needed using oc get ..

> - when you say the token provided by oc login you probably mean the token of
> a user account, which is shorter than the token of a service account. On the
> other hand it will expire, which is not the case for a token of a service
> account.

right! that is why i decided to move to service account

>
> Happy that it works for you now.

me too :) thanks all for the support.

>
> Regards,
>
> Frédéric
>
>
> On Fri, Oct 20, 2017 at 9:40 AM, Julio Saura <[email protected]> wrote:
> python problem solved too
>
> all working
>
> view role was the key :/
>
>> On 20 Oct 2017, at 9:27, Julio Saura <[email protected]> wrote:
>>
>> problem solved
>>
>> i do not know why but giving user role view instead of admin make the trick
>> ..
>>
>> :/
>>
>> now i am able to access using curl with the token, but not using python xD i
>> get a 401 with long token, but if i use the short one that oc login gives
>> works xD
>>
>>> On 20 Oct 2017, at 8:59, Frederic Giloux <[email protected]> wrote:
>>>
>>> Julio,
>>>
>>> have you tried the command with higher log level as per my previous email?
>>> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga --loglevel=8
>>> This gives you the successful rest call, which is made by the OC client to
>>> the API server. You can then check whether it differs from your curl.
>>>
>>> Regards,
>>>
>>> Frédéric
>>>
>>> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura <[email protected]> wrote:
>>> headers look ok in curl request
>>>
>>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>> * successfully set certificate verify locations:
>>> * CAfile: /etc/ssl/certs/ca-certificates.crt
>>> CApath: none
>>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>>> * NPN, negotiated HTTP1.1
>>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>>> * Server certificate:
>>> * subject: CN=10.1.5.31
>>> * start date: Sep 21 11:19:56 2017 GMT
>>> * expire date: Sep 21 11:19:57 2019 GMT
>>> * issuer: CN=openshift-signer@1505992768
>>> * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
>>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>>> > Host: BALANCER:8443
>>> > User-Agent: curl/7.56.0
>>> > Accept: */*
>>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
>>> > Content-Type: application/json
>>> >
>>> < HTTP/1.1 403 Forbidden
>>> < Cache-Control: no-store
>>> < Content-Type: application/json
>>> < Date: Fri, 20 Oct 2017 06:28:52 GMT
>>> < Content-Length: 295
>>> {
>>>   "kind": "Status",
>>>   "apiVersion": "v1",
>>>   "metadata": {},
>>>   "status": "Failure",
>>>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list replicationcontrollers in project \"ldp\"",
>>>   "reason": "Forbidden",
>>>   "details": {
>>>     "kind": "replicationcontrollers"
>>>   },
>>>   "code": 403
>>> }
>>>
>>>> On 19 Oct 2017, at 18:17, Frederic Giloux <[email protected]> wrote:
>>>>
>>>> Very good. The issue is with your curl. Next step run the same command
>>>> with --loglevel=8 and check the queries that are sent to the API server.
>>>>
>>>> Regards,
>>>>
>>>> Frédéric
>>>>
>>>> On 19 Oct 2017 18:11, "Julio Saura" <[email protected]> wrote:
>>>> umm that works …
>>>>
>>>> weird
>>>>
>>>> Julio Saura Alejandre
>>>> Managed Services Manager
>>>> hiberus TRAVEL
>>>> Tel.: + 34 902 87 73 92 Ext. 659
>>>> Parque Empresarial PLAZA
>>>> Edificio EXPOINNOVACIÓN
>>>> C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
>>>> www.hiberus.com
>>>> We grow with you
>>>>
>>>>> On 19 Oct 2017, at 18:01, Frederic Giloux <[email protected]> wrote:
>>>>>
>>>>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>>>
>>> --
>>> Frédéric Giloux
>>> Senior Middleware Consultant
>>> Red Hat Germany
>>>
>>> [email protected] M: +49-174-172-4661
>>>
>>> redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
>>> ________________________________________________________________________
>>> Red Hat GmbH, http://www.de.redhat.com/ Registered office: Grasbrunn,
>>> Commercial register: Amtsgericht München, HRB 153243
>>> Managing directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
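The 403 response quoted in the thread names the caller as system:serviceaccount:ldp:inciga, while the oc commands quoted there use system:serviceaccounts:project1:inciga; in Kubernetes and OpenShift the singular form is the user name of one service account and the plural form is a group prefix. The Python below is an added example, not part of the original thread: it reads the sub claim of a service account token and compares it with the subject a role was granted to. The function names and the sample token are constructed for illustration, and the token signature is not verified.

```python
import base64
import json

SA_USER_PREFIX = "system:serviceaccount:"    # user name of one service account
SA_GROUP_PREFIX = "system:serviceaccounts:"  # group prefix, not a user name


def _b64url(segment):
    """Decode one JWT segment, restoring the padding that JWT encoding strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_identity(token):
    """Read identity claims from a service account JWT (signature NOT verified)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url(parts[1]))
    return {"sub": claims.get("sub"),
            "namespace": claims.get("kubernetes.io/serviceaccount/namespace")}


def check_grant(token, granted_to):
    """Return mismatches between a role binding subject and the token identity."""
    ident = token_identity(token)
    problems = []
    if granted_to.startswith(SA_GROUP_PREFIX):
        problems.append("subject starts with the group prefix %r" % SA_GROUP_PREFIX)
    if granted_to != ident["sub"]:
        problems.append("granted to %r, token is %r" % (granted_to, ident["sub"]))
    return problems


def make_sample_token(namespace, name):
    """Constructed, unsigned sample with legacy service account claim names."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iss": "kubernetes/serviceaccount",
               "kubernetes.io/serviceaccount/namespace": namespace,
               "kubernetes.io/serviceaccount/service-account.name": name,
               "sub": SA_USER_PREFIX + namespace + ":" + name}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])


if __name__ == "__main__":
    sample = make_sample_token("ldp", "inciga")  # constructed, not a real token
    for problem in check_grant(sample, "system:serviceaccounts:project1:inciga"):
        print("MISMATCH:", problem)
```

An empty list from check_grant means the binding subject is exactly the identity the API server will see for that token.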
