Hi Julio

A couple of points here:
- oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n project1
  would have worked for the project. If you have used oadm policy
  add-cluster-role-to-user you should use a cluster role, which view or
  cluster-admin are and admin is not.
- We validated with
  oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
  that the rights were sufficient for queries specific to the project.
- When you say the token provided by oc login you probably mean the token
  of a user account, which is shorter than the token of a service account. On
  the other hand it will expire, which is not the case for a token of a
  service account.

Happy that it works for you now.

Regards,

Frédéric
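
The check discussed in this thread (which identity a bearer token carries, and whether a role binding names it) can be scripted. This is an added example, not code from the thread or from OpenShift: the function names are hypothetical, the claim names follow the token payload shown in the quoted curl output, and the sample token is constructed and unsigned.

```python
import base64
import json

SA_ISSUER = "kubernetes/serviceaccount"
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"

def _b64url(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_bearer(token):
    """Classify a bearer token WITHOUT verifying its signature (triage only)."""
    opaque = {"kind": "opaque", "subject": None, "namespace": None, "expires": None}
    parts = token.strip().split(".")
    if len(parts) != 3:
        return opaque  # e.g. the short token of a user account
    try:
        claims = json.loads(_b64url(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return opaque
    if not isinstance(claims, dict):
        return opaque
    kind = "serviceaccount-jwt" if claims.get("iss") == SA_ISSUER else "jwt"
    # "expires" stays None when there is no exp claim: the token does not
    # expire by itself and has to be protected like a long-lived password.
    return {"kind": kind, "subject": claims.get("sub"),
            "namespace": claims.get(NS_CLAIM), "expires": claims.get("exp")}

def binding_matches(info, binding_subject, project):
    """True only if the binding names exactly the token's user and project."""
    return info["subject"] == binding_subject and info["namespace"] == project

def make_sample_token(namespace, name):
    """Build a CONSTRUCTED, unsigned sample shaped like a service account token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": SA_ISSUER, NS_CLAIM: namespace,
              "kubernetes.io/serviceaccount/service-account.name": name,
              "sub": "system:serviceaccount:%s:%s" % (namespace, name)}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2FtcGxl"])

if __name__ == "__main__":
    info = describe_bearer(make_sample_token("ldp", "inciga"))
    print(info)
    # Same user string and project as in the 403 message: match.
    print(binding_matches(info, "system:serviceaccount:ldp:inciga", "ldp"))
    # Binding written for another project, or with another user string: no match.
    print(binding_matches(info, "system:serviceaccount:project1:inciga", "project1"))
    print(binding_matches(info, "system:serviceaccounts:ldp:inciga", "ldp"))
```

The decode step only reads the claims; it is a troubleshooting aid and never a substitute for the API server's signature verification.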


On Fri, Oct 20, 2017 at 9:40 AM, Julio Saura <jsa...@hiberus.com> wrote:

> python problem solved too
>
> all working
>
> view role was the key :/
>
>
>
>
> On 20 Oct 2017, at 9:27, Julio Saura <jsa...@hiberus.com> wrote:
>
> problem solved
>
> I do not know why, but giving the user the view role instead of admin does
> the trick ..
>
> :/
>
> Now I am able to access using curl with the token, but not using python xD
> I get a 401 with the long token, but if I use the short one that oc login
> gives, it works xD
>
>
>
>
> On 20 Oct 2017, at 8:59, Frederic Giloux <fgil...@redhat.com> wrote:
>
> Julio,
>
> have you tried the command with a higher log level as per my previous email?
> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga --loglevel=8
> This gives you the successful REST call, which is made by the OC client to
> the API server. You can then check whether it differs from your curl.
>
> Regards,
>
> Frédéric
>
> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura <jsa...@hiberus.com> wrote:
>
>> headers look ok in curl request
>>
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * NPN, negotiated HTTP1.1
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>> * Server certificate:
>> *  subject: CN=10.1.5.31
>> *  start date: Sep 21 11:19:56 2017 GMT
>> *  expire date: Sep 21 11:19:57 2019 GMT
>> *  issuer: CN=openshift-signer@1505992768
>> *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>> > Host: BALANCER:8443
>> > User-Agent: curl/7.56.0
>> > Accept: */*
>> *> Authorization: Bearer
>> eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ*
>> > Content-Type: application/json
>> >
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Fri, 20 Oct 2017 06:28:52 GMT
>> < Content-Length: 295
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list replicationcontrollers in project \"ldp\"",
>>   "reason": "Forbidden",
>>   "details": {
>>     "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>>
>>
>>
>>
>> On 19 Oct 2017, at 18:17, Frederic Giloux <fgil...@redhat.com> wrote:
>>
>> Very good. The issue is with your curl. Next step run the same command
>> with --loglevel=8 and check the queries that are sent to the API server.
>>
>> Regards,
>>
>> Frédéric
>>
>> On 19 Oct 2017 18:11, "Julio Saura" <jsa...@hiberus.com> wrote:
>>
>>> umm that works …
>>>
>>> weird
>>>
>>> On 19 Oct 2017, at 18:01, Frederic Giloux <fgil...@redhat.com> wrote:
>>>
>>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>>>
>>>
>>>
>>
>
>
> --
> *Frédéric Giloux*
> Senior Middleware Consultant
> Red Hat Germany
>
> fgil...@redhat.com     M: +49-174-172-4661
>
> redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
> ________________________________________________________________________
> Red Hat GmbH, http://www.de.redhat.com/ Sitz: Grasbrunn,
> Handelsregister: Amtsgericht München, HRB 153243
> Geschäftsführer: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> O'Neill
>
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>

