On Fri, May 20, 2016 at 3:35 PM, Dan Mace <dm...@redhat.com> wrote:

> Replies inline. cc’ing Jordan who can correct any inaccuracies on my part
> related to authentication.
>
> On Fri, May 20, 2016 at 9:19 AM, Charles Moulliard <cmoul...@redhat.com>
> wrote:
>
>> Hi,
>>
>> I have installed and configured Openshift v1.3.0-alpha.0-581-gcf6465c
>> with Keycloak 1.9.2.Final as identity provider
>>
>> I can log to the openshift server with the user admin or default created
>> within the Openshift Realm of Keycloak
>>
>> ./oc login https://192.168.99.100:8443 -u admin -p admin
>>> Login successful.
>>> You don't have any projects. You can try to create a new project, by
>>> running
>>> $ oc new-project <projectname>
>>
>> But the user doesn't belong to the cluster-admin role even if it has been
>> added to keycloak realm and passed within the OpenID Token
>>
>> See the screenshot here :
>> https://www.dropbox.com/s/c2n7a671jdkbhs9/Screenshot%202016-05-20%2015.16.56.png?dl=0
>>
>> ./oc project default
>> error: You are not a member of project "default".
>> You are not a member of any projects. You can request a project to be
>> created with the 'new-project' command.
>>
>> ./oc new-project default
>> Error from server: project "default" already exists
>>
>> ./oc describe clusterPolicy default
>> Error from server: User "admin" cannot get clusterpolicies at the cluster
>> scope
>>
>> Questions :
>> - Is the role passed within the OpenID Token used ?
>
> Origin does not currently support mapping identity information to Origin
> groups[1]. The role claim on your token is ignored by the system.
>
> https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users
>
>> - How can we add for a user the cluster-admin role as we can't connect to
>> the platform using user 'system:admin' - error: username system:admin is
>> invalid for basic auth ?
>
> I believe the `oadm policy add-cluster-role-to-user` command targeting
> that new user will do what you’re looking for.

I can't issue this command

./oc adm policy add-cluster-role-to-user cluster-admin admin
Error from server: User "admin" cannot get clusterpolicybindings at the cluster scope

But thanks to Jimmy Dyson as he gives me the right trick (see the --config option)

> oc adm policy add-cluster-role-to-user cluster-admin admin
> --config=admin.kubeconfig
> root@openshift:/var/lib/origin/openshift.local.config/master# oc login
> Authentication required for https://192.168.99.100:8443 (openshift)
> Username: admin
> Password:
> Login successful.
> You have access to the following projects and can switch between them with
> 'oc project <projectname>':
> * default
> * demo (current)
> * openshift
> * openshift-infra
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
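
Added example, not part of the thread and not Origin's own code: a Python model of the claim mapping discussed above, showing that only the identity fields (id, preferredUsername, name, email) are read from an OpenID token and a role claim is left unused. The claim names, the `roles` claim and the sample token are constructed assumptions for illustration.

```python
import base64
import json

# Modeled on the "claims" stanza of Origin's OpenIDIdentityProvider: each
# identity field lists candidate claims and the first non-empty one is used.
# The claim names chosen here are assumptions for this example.
CLAIM_MAPPING = {
    "id": ["sub"],
    "preferredUsername": ["preferred_username"],
    "name": ["name"],
    "email": ["email"],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(jwt: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def map_identity(claims: dict, mapping: dict = CLAIM_MAPPING):
    """Return (identity, ignored): the mapped fields and the claims never read."""
    identity, used = {}, set()
    for field, candidates in mapping.items():
        for claim in candidates:
            if claims.get(claim):
                identity[field] = claims[claim]
                used.add(claim)
                break
    return identity, sorted(set(claims) - used)

# Constructed sample token (fake values, placeholder signature) with a role claim.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/openshift",
    "sub": "f3b1c0de-0000-4000-8000-000000000001",
    "preferred_username": "admin",
    "email": "admin@example.com",
    "roles": ["cluster-admin"],
}
SAMPLE_JWT = ".".join([
    b64url(b'{"alg":"RS256","typ":"JWT"}'),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "constructed-not-a-signature",
])

if __name__ == "__main__":
    identity, ignored = map_identity(decode_payload(SAMPLE_JWT))
    print("identity:", identity, "| ignored claims:", ignored)
```

Because nothing in the mapping reads `roles`, the cluster-admin binding has to be created inside OpenShift itself, which is what the `add-cluster-role-to-user` command run with `--config=admin.kubeconfig` does in the thread.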