Your command looks correct. Specifying groups directly on a user via the
groups field is deprecated. `oc get group cluster-administrators -o yaml`
would show that your command is effective.

When a user makes an API request, their effective groups are determined by
combining the names of the Group objects containing their username, the
contents of the deprecated groups field on their User object, and virtual
groups like "system:authenticated".

On Thu, Jun 16, 2016 at 3:53 PM, Marc Boorshtein <mboorsht...@gmail.com>
wrote:

> I can't seem to add a user to a group.  I have a user:
>
> $ curl -k -v -XGET  -H "User-Agent: oc/v1.1.2 (darwin/amd64)
> openshift/2711160" -H "Authorization: Bearer
> PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI"
> https://openshift.rheldemo.lan:8443/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4
> *   Trying 192.168.2.191...
> * Connected to openshift.rheldemo.lan (192.168.2.191) port 8443 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate: 172.30.0.1
> * Server certificate: openshift-signer@1465933076
> > GET /oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4 HTTP/1.1
> > Host: openshift.rheldemo.lan:8443
> > Accept: */*
> > User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
> > Authorization: Bearer PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI
> >
> < HTTP/1.1 200 OK
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Thu, 16 Jun 2016 19:47:05 GMT
> < Content-Length: 381
> <
> {"kind":"User","apiVersion":"v1","metadata":{"name":"0b126172-33e9-11e6-9c91-525400d4fbc4","selfLink":"/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4","uid":"4c403e86-33f4-11e6-b368-fa163ef48e94","resourceVersion":"17244","creationTimestamp":"2016-06-16T18:58:22Z"},"fullName":"OpenShift
> Admin","identities":["unison_ldap:0b126172-33e9-11e6-9c91-525400d4fbc4"],"groups":null}
>
> Then I run oadm to add the user to a group:
>
> [root@openshift ~]# oadm --loglevel 9 groups add-users
> cluster-administrators 0b126172-33e9-11e6-9c91-525400d4fbc4
>
>
> ================================================================================
> ATTENTION: You are running oadm via a wrapper around 'docker run
> openshift/origin:v1.3.0-alpha.1'.
> This wrapper is intended only to be used to bootstrap an environment.
> Please
> install client tools on another host once you have granted cluster-admin
> privileges to a user.
> See https://docs.openshift.org/latest/cli_reference/get_started_cli.html
>
> =================================================================================
>
> Usage of loopback devices is strongly discouraged for production use.
> Either use `--storage-opt dm.thinpooldev` or use `--storage-opt
> dm.no_warn_on_loop_devices=true` to suppress this warning.
> I0616 19:50:26.085449       1 loader.go:242] Config loaded from file
> /root/.kube/config
> I0616 19:50:26.087794       1 round_trippers.go:299] curl -k -v -XGET  -H
> "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0 (linux/amd64)
> kubernetes/6e83535" https://openshift.rheldemo.lan:8443/api
> I0616 19:50:26.125647       1 round_trippers.go:318] GET
> https://openshift.rheldemo.lan:8443/api 200 OK in 37 milliseconds
> I0616 19:50:26.125669       1 round_trippers.go:324] Response Headers:
> I0616 19:50:26.125677       1 round_trippers.go:327]     Date: Thu, 16 Jun
> 2016 19:50:26 GMT
> I0616 19:50:26.125685       1 round_trippers.go:327]     Content-Length:
> 135
> I0616 19:50:26.125691       1 round_trippers.go:327]     Cache-Control:
> no-store
> I0616 19:50:26.125696       1 round_trippers.go:327]     Content-Type:
> application/json
> I0616 19:50:26.125765       1 request.go:870] Response Body:
> {"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"
> 0.0.0.0/0","serverAddress":"192.168.100.6:443"}]}
> I0616 19:50:26.126056       1 round_trippers.go:299] curl -k -v -XGET  -H
> "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0 (linux/amd64)
> kubernetes/6e83535" https://openshift.rheldemo.lan:8443/apis
> I0616 19:50:26.126838       1 round_trippers.go:318] GET
> https://openshift.rheldemo.lan:8443/apis 200 OK in 0 milliseconds
> I0616 19:50:26.126866       1 round_trippers.go:324] Response Headers:
> I0616 19:50:26.126872       1 round_trippers.go:327]     Content-Type:
> application/json
> I0616 19:50:26.126877       1 round_trippers.go:327]     Date: Thu, 16 Jun
> 2016 19:50:26 GMT
> I0616 19:50:26.126883       1 round_trippers.go:327]     Content-Length:
> 775
> I0616 19:50:26.126888       1 round_trippers.go:327]     Cache-Control:
> no-store
> I0616 19:50:26.126922       1 request.go:870] Response Body:
> {"kind":"APIGroupList","groups":[{"name":"autoscaling","versions":[{"groupVersion":"autoscaling/v1","version":"v1"}],"preferredVersion":{"groupVersion":"autoscaling/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
> 0.0.0.0/0","serverAddress":"192.168.100.6:443
> "}]},{"name":"batch","versions":[{"groupVersion":"batch/v1","version":"v1"}],"preferredVersion":{"groupVersion":"batch/v1","version":"v1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
> 0.0.0.0/0","serverAddress":"192.168.100.6:443
> "}]},{"name":"extensions","versions":[{"groupVersion":"extensions/v1beta1","version":"v1beta1"}],"preferredVersion":{"groupVersion":"extensions/v1beta1","version":"v1beta1"},"serverAddressByClientCIDRs":[{"clientCIDR":"
> 0.0.0.0/0","serverAddress":"192.168.100.6:443"}]}]}
> I0616 19:50:26.132811       1 round_trippers.go:299] curl -k -v -XGET  -H
> "User-Agent: oadm/v1.3.0 (linux/amd64) openshift/6e83535" -H "Accept:
> application/json, */*" https://openshift.rheldemo.lan:8443/oapi
> I0616 19:50:26.133409       1 round_trippers.go:318] GET
> https://openshift.rheldemo.lan:8443/oapi 200 OK in 0 milliseconds
> I0616 19:50:26.133428       1 round_trippers.go:324] Response Headers:
> I0616 19:50:26.133433       1 round_trippers.go:327]     Cache-Control:
> no-store
> I0616 19:50:26.133439       1 round_trippers.go:327]     Content-Type:
> application/json
> I0616 19:50:26.133450       1 round_trippers.go:327]     Date: Thu, 16 Jun
> 2016 19:50:26 GMT
> I0616 19:50:26.133455       1 round_trippers.go:327]     Content-Length: 93
> I0616 19:50:26.133489       1 request.go:870] Response Body:
> {"kind":"APIVersions","apiVersion":"v1","versions":["v1"],"serverAddressByClientCIDRs":null}
> I0616 19:50:26.133763       1 round_trippers.go:299] curl -k -v -XGET  -H
> "Accept: application/json, */*" -H "User-Agent: oadm/v1.3.0 (linux/amd64)
> openshift/6e83535"
> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
> I0616 19:50:26.135065       1 round_trippers.go:318] GET
> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
> 200 OK in 1 milliseconds
> I0616 19:50:26.135084       1 round_trippers.go:324] Response Headers:
> I0616 19:50:26.135090       1 round_trippers.go:327]     Cache-Control:
> no-store
> I0616 19:50:26.135095       1 round_trippers.go:327]     Content-Type:
> application/json
> I0616 19:50:26.135101       1 round_trippers.go:327]     Date: Thu, 16 Jun
> 2016 19:50:26 GMT
> I0616 19:50:26.135106       1 round_trippers.go:327]     Content-Length:
> 295
> I0616 19:50:26.135143       1 request.go:870] Response Body:
> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
> I0616 19:50:26.135544       1 request.go:555] Request Body:
> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
> I0616 19:50:26.135594       1 round_trippers.go:299] curl -k -v -XPUT  -H
> "Content-Type: application/json" -H "User-Agent: oadm/v1.3.0 (linux/amd64)
> openshift/6e83535" -H "Accept: application/json, */*"
> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
> I0616 19:50:26.137081       1 round_trippers.go:318] PUT
> https://openshift.rheldemo.lan:8443/oapi/v1/groups/cluster-administrators
> 200 OK in 1 milliseconds
> I0616 19:50:26.137102       1 round_trippers.go:324] Response Headers:
> I0616 19:50:26.137109       1 round_trippers.go:327]     Date: Thu, 16 Jun
> 2016 19:50:26 GMT
> I0616 19:50:26.137114       1 round_trippers.go:327]     Content-Length:
> 295
> I0616 19:50:26.137120       1 round_trippers.go:327]     Cache-Control:
> no-store
> I0616 19:50:26.137125       1 round_trippers.go:327]     Content-Type:
> application/json
> I0616 19:50:26.137161       1 request.go:870] Response Body:
> {"kind":"Group","apiVersion":"v1","metadata":{"name":"cluster-administrators","selfLink":"/oapi/v1/groups/cluster-administrators","uid":"52a7c5fa-3339-11e6-93e7-fa163ef48e94","resourceVersion":"17554","creationTimestamp":"2016-06-15T20:39:57Z"},"users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}
>
> Then I check the user again:
>
> $ curl -k -v -XGET  -H "User-Agent: oc/v1.1.2 (darwin/amd64)
> openshift/2711160" -H "Authorization: Bearer
> PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI"
> https://openshift.rheldemo.lan:8443/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4
> *   Trying 192.168.2.191...
> * Connected to openshift.rheldemo.lan (192.168.2.191) port 8443 (#0)
> * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate: 172.30.0.1
> * Server certificate: openshift-signer@1465933076
> > GET /oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4 HTTP/1.1
> > Host: openshift.rheldemo.lan:8443
> > Accept: */*
> > User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
> > Authorization: Bearer PDqIrEiOTqtwJvHDcTB-snC5FpcpnCz5fIrz7S6ORCI
> >
> < HTTP/1.1 200 OK
> < Cache-Control: no-store
> < Content-Type: application/json
> < Date: Thu, 16 Jun 2016 19:52:56 GMT
> < Content-Length: 381
> <
> {"kind":"User","apiVersion":"v1","metadata":{"name":"0b126172-33e9-11e6-9c91-525400d4fbc4","selfLink":"/oapi/v1/users/0b126172-33e9-11e6-9c91-525400d4fbc4","uid":"4c403e86-33f4-11e6-b368-fa163ef48e94","resourceVersion":"17244","creationTimestamp":"2016-06-16T18:58:22Z"},"fullName":"OpenShift
> Admin","identities":["unison_ldap:0b126172-33e9-11e6-9c91-525400d4fbc4"],"groups":null}
>
> Notice that the user's groups are still null... Am I missing something?
>
> Thanks
> Marc
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
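The effective-group rule described in the reply at the top of this thread, applied to the objects from the quoted API responses. This is an added example, not part of the original messages and not OpenShift's own code. The function names and the `legacy-user` / `old-admins` object are constructed for illustration, and only the one virtual group named in the reply is modelled.

```python
import json

# Trimmed copies of the User and Group objects returned in the quoted message.
USER = json.loads('''{"kind":"User",
  "metadata":{"name":"0b126172-33e9-11e6-9c91-525400d4fbc4"},
  "identities":["unison_ldap:0b126172-33e9-11e6-9c91-525400d4fbc4"],
  "groups":null}''')
GROUP = json.loads('''{"kind":"Group",
  "metadata":{"name":"cluster-administrators"},
  "users":["0b126172-33e9-11e6-9c91-525400d4fbc4"]}''')

# Constructed sample (not from the thread): a user still carrying the
# deprecated groups field.
LEGACY_USER = json.loads(
    '{"kind":"User","metadata":{"name":"legacy-user"},"groups":["old-admins"]}')

# Assumption: only the virtual group mentioned in the reply is modelled.
VIRTUAL_GROUPS = {"system:authenticated"}


def from_group_objects(username, groups):
    """Names of Group objects whose users list contains the username."""
    return {g["metadata"]["name"] for g in groups
            if username in (g.get("users") or [])}


def effective_groups(user, groups, authenticated=True):
    """Union of Group-object membership, the deprecated User.groups field,
    and virtual groups, as described in the reply."""
    name = user["metadata"]["name"]
    result = from_group_objects(name, groups) | set(user.get("groups") or [])
    if authenticated:
        result |= VIRTUAL_GROUPS
    return result


def legacy_only_memberships(users, groups):
    """Memberships granted only through User.groups. An access review that
    reads Group objects alone would not see these."""
    findings = {}
    for user in users:
        name = user["metadata"]["name"]
        extra = set(user.get("groups") or []) - from_group_objects(name, groups)
        if extra:
            findings[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    print(sorted(effective_groups(USER, [GROUP])))
    print(legacy_only_memberships([USER, LEGACY_USER], [GROUP]))
```

The first result shows the user is in `cluster-administrators` even though the User object reports `"groups":null`; the second lists only the constructed legacy user.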