I guessed that some configurations were not proper.
When I create a new user, it is always added to project "aura" by default.
The cluster is set up on OpenShift Origin 3.6.
[root@host-10-1-236-92 ~]# oc describe project aura
Name: aura
Created: 7 weeks ago
Labels: <none>
Annotations: openshift.io/description=
openshift.io/display-name=
openshift.io/requester=aura
openshift.io/sa.scc.mcs=s0:c9,c4
openshift.io/sa.scc.supplemental-groups=1000080000/10000
openshift.io/sa.scc.uid-range=1000080000/10000
Display Name: <none>
Description: <none>
Status: Active
Node Selector: <none>
Quota: <none>
Resource limits: <none>
[root@host-10-1-236-92 ~]# oc login
Authentication required for https://10.1.241.54:8443 (openshift)
Username: hello
Password:
Login successful.
You have one project on this server: "aura"
Using project "aura".
Where should I start to fix the problem? Any advice?
Thanks,
Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux
________________________________
From: Clayton Coleman <[email protected]>
Sent: Monday, December 18, 2017 10:41:30 PM
To: Yu Wei
Cc: [email protected]; [email protected]
Subject: Re: Several questions about authorization
On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei <[email protected]> wrote:
Hi,
I have several questions about user and authorization management.
1, How could I remove a user from a project?
[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.
You have access to the following projects and can switch between them with 'oc
project <projectname>':
* aura
test1
Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project
"aura"
How should I remove user "test1" from project "aura"?
How did you get added to the "aura" project? If you can't view role bindings,
then you likely don't have the "view" role and you have been given a more
constrained role. You'd need to ask the person who added you in that case.
And how could I find which users belong to project "aura"?
You can see which users have been added with explicit roles by doing "oc get
rolebindings". You can see who can view the namespace by running "oc policy
who-can get namespace aura" if you have sufficient permissions.
2, basic-user
When should "basic-user" be used? It seems that basic-user is cluster wide.
Is my understanding right?
There are two types of role bindings - namespace scoped role bindings
(rolebindings) and cluster scoped role bindings (clusterrolebindings). If you
add someone to a clusterrolebinding they have that role on all namespaces in
the cluster. If you add someone with a rolebinding, they only have that
permission on the namespace the rolebinding is created in.
3, user created automatically
When issuing the instruction "oc login -u test2 -p test2", user "test2" is
to be created automatically.
After user creation, which project does the created user belong to?
None, unless you grant a clusterrolebinding to a group and the new user is in
that group.
Thanks,
Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
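Following the reply's point that a new user only gains access through a binding to a group the user is in, this added example (not code from the thread or from OpenShift) scans saved `oc get rolebindings -n aura -o json` output for bindings whose subjects are all-users groups and lists the explicitly bound users per role. The sample JSON is constructed, and the `SystemGroup` kind and the group names checked are assumptions about what the cluster emits.

```python
import json

# Constructed sample shaped like `oc get rolebindings -n aura -o json`;
# binding names, users and roles are made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "admin"},
   "roleRef": {"name": "admin"},
   "subjects": [{"kind": "User", "name": "aura"}]},
  {"metadata": {"name": "edit-everyone"},
   "roleRef": {"name": "edit"},
   "subjects": [{"kind": "SystemGroup", "name": "system:authenticated"}]},
  {"metadata": {"name": "view"},
   "roleRef": {"name": "view"},
   "subjects": [{"kind": "User", "name": "test1"},
                {"kind": "ServiceAccount", "name": "builder"}]}
]}
""")

# Virtual groups that every logged-in (or anonymous) user belongs to.
# A binding to one of these gives each newly created user the role.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth",
                "system:unauthenticated"}
GROUP_KINDS = {"Group", "SystemGroup"}  # assumption: kind varies by API version


def audit(binding_list):
    """Return (user -> sorted roles, [(binding, role, group)] for broad groups)."""
    users, broad = {}, []
    for b in binding_list.get("items", []):
        role = b.get("roleRef", {}).get("name", "?")
        bname = b.get("metadata", {}).get("name", "?")
        for s in b.get("subjects") or []:  # subjects may be null or absent
            kind, name = s.get("kind"), s.get("name")
            if kind in GROUP_KINDS and name in BROAD_GROUPS:
                broad.append((bname, role, name))
            elif kind in ("User", "SystemUser"):
                users.setdefault(name, set()).add(role)
    return {u: sorted(r) for u, r in users.items()}, broad


if __name__ == "__main__":
    users, broad = audit(SAMPLE)
    for bname, role, group in broad:
        print(f"binding {bname!r} grants {role!r} to all members of {group}")
    for user, roles in sorted(users.items()):
        print(f"user {user}: {', '.join(roles)}")
```

The same function can be run over `oc get clusterrolebindings -o json` output to cover the cluster-scoped case the reply describes.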