The created user info is as below:

[root@host-10-1-236-92 ~]# oc describe user hello
Name:        hello
Created:    24 minutes ago
Labels:        <none>
Annotations:    <none>
Identities:    allow_all:hello

Is the issue caused by allow_all?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

________________________________
From: [email protected] 
<[email protected]> on behalf of Yu Wei 
<[email protected]>
Sent: Monday, December 18, 2017 11:48:46 PM
To: Clayton Coleman
Cc: [email protected]; [email protected]
Subject: Re: Several questions about authorization


I guessed that some configurations were not proper.

When I create a new user, it is always added to project "aura" by default.

Cluster is setup on OpenShift Origin 3.6.

[root@host-10-1-236-92 ~]# oc describe project aura
Name:            aura
Created:        7 weeks ago
Labels:            <none>
Annotations:        openshift.io/description=
            openshift.io/display-name=
            openshift.io/requester=aura
            openshift.io/sa.scc.mcs=s0:c9,c4
            openshift.io/sa.scc.supplemental-groups=1000080000/10000
            openshift.io/sa.scc.uid-range=1000080000/10000
Display Name:        <none>
Description:        <none>
Status:            Active
Node Selector:        <none>
Quota:            <none>
Resource limits:    <none>
[root@host-10-1-236-92 ~]# oc login
Authentication required for https://10.1.241.54:8443 (openshift)
Username: hello
Password:
Login successful.

You have one project on this server: "aura"

Using project "aura".

Where should I start to fix the problem? Any advice?


Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

________________________________
From: Clayton Coleman <[email protected]>
Sent: Monday, December 18, 2017 10:41:30 PM
To: Yu Wei
Cc: [email protected]; [email protected]
Subject: Re: Several questions about authorization



On Mon, Dec 18, 2017 at 5:17 AM, Yu Wei 
<[email protected]> wrote:

Hi,

I have several questions about user and authorization management.

1, How could I remove user from project?



[root@host-10-1-236-92 gpu-test]# oc login -u test1 -p test1
Login successful.

You have access to the following projects and can switch between them with 'oc 
project <projectname>':

  * aura
    test1

Using project "aura".
[root@host-10-1-236-92 gpu-test]# oc project aura
Already on project "aura" on server "https://10.1.241.54:8443".
[root@host-10-1-236-92 gpu-test]# oc get rolebindings
Error from server (Forbidden): User "test1" cannot list rolebindings in project 
"aura"

How should I remove user "test1" from project "aura"?

How did you get added to the "aura" project?  If you can't view role bindings, 
then you likely don't have the "view" role and you have been given a more 
constrained role.  You'd need to ask the person who added you in that case.


And how could I find which users belong to project "aura"?

You can see which users have been added with explicit roles by doing "oc get 
rolebindings".  You can see who can view the namespace by running "oc policy 
who-can get namespace aura" if you have sufficient permissions.



2, basic-user

    When should "basic-user" be used? It seems that basic-user is cluster wide. 
Is my understanding right?

There are two types of role bindings - namespace scoped role bindings 
(rolebindings) and cluster scoped role bindings (clusterrolebindings).  If you 
add someone to a clusterrolebinding they have that role on all namespaces in 
the cluster.  If you add someone with a rolebinding, they only have that 
permission on the namespace the rolebinding is created in.



3, user created automatically

    When the command "oc login -u test2 -p test2" is issued, user "test2" is 
created automatically.

    After user creation, which project does the created user belong to?

None, unless you grant a clusterrolebinding to a group and the new user is in 
that group.



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
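Clayton's pointer to "oc get rolebindings" can be turned into a small audit that answers both of Jared's questions, which users hold roles in "aura" and why every new user lands there. The script below is an added example, not code from the thread or from OpenShift; it parses a constructed sample in the shape of `oc get rolebindings -n aura -o json` and flags bindings to the virtual groups system:authenticated and system:authenticated:oauth, which every logged-in user belongs to.

```python
"""Who holds which role in an OpenShift project (added example, not thread code).

Expects the shape of `oc get rolebindings -n <project> -o json`: a List whose
items carry roleRef.name and subjects [{kind, name}]. SAMPLE is constructed.
"""
import json
from collections import defaultdict

# Virtual groups every logged-in user belongs to; a namespace rolebinding to one
# of them gives every new user a role there (the "new user lands in project X" symptom).
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}

SAMPLE = json.dumps({  # constructed sample, shape of `oc get rolebindings -o json`
    "kind": "List",
    "items": [
        {"metadata": {"name": "admin", "namespace": "aura"},
         "roleRef": {"name": "admin"},
         "subjects": [{"kind": "User", "name": "aura"}]},
        {"metadata": {"name": "edit", "namespace": "aura"},
         "roleRef": {"name": "edit"},
         "subjects": [{"kind": "User", "name": "test1"},
                      {"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "system:deployers", "namespace": "aura"},
         "roleRef": {"name": "system:deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer"}]},
    ],
})

def subjects_by_role(rolebindings_json):
    """Map role name -> sorted 'Kind:name' subjects bound to it in the project."""
    roles = defaultdict(set)
    for rb in json.loads(rolebindings_json)["items"]:
        for s in rb.get("subjects") or []:
            roles[rb["roleRef"]["name"]].add(f"{s['kind']}:{s['name']}")
    return {role: sorted(subs) for role, subs in roles.items()}

def broad_group_bindings(rolebindings_json):
    """(binding, role, group) for bindings that reach every authenticated user."""
    hits = []
    for rb in json.loads(rolebindings_json)["items"]:
        for s in rb.get("subjects") or []:
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                hits.append((rb["metadata"]["name"], rb["roleRef"]["name"], s["name"]))
    return hits

if __name__ == "__main__":
    for role, subs in subjects_by_role(SAMPLE).items():
        print(f"{role}: {', '.join(subs)}")
    for binding, role, group in broad_group_bindings(SAMPLE):
        print(f"WARNING: rolebinding {binding!r} grants {role!r} to {group}")
```

On a live cluster the same parsing applies to the output of `oc get rolebindings -n aura -o json` (run as a user who holds at least "view" there), and a user surfaced this way is removed with `oc adm policy remove-role-from-user <role> <user> -n aura`.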

