Hi Julio, a couple of points here:

- oc policy add-role-to-user admin system:serviceaccounts:project1:inciga -n project1 would have worked for the project. If you have used oadm policy add-cluster-role-to-user you should use a cluster role, which view or cluster-admin are and admin is not.
- we validated with oc get rc -n project1 --as=system:serviceaccounts:project1:inciga that the rights were sufficient for queries specific to the project.
- when you say the token provided by oc login you probably mean the token of a user account, which is shorter than the token of a service account. On the other hand it will expire, which is not the case for a token of a service account.
Happy that it works for you now.

Regards,

Frédéric

On Fri, Oct 20, 2017 at 9:40 AM, Julio Saura <jsa...@hiberus.com> wrote:
> python problem solved too
>
> all working
>
> view role was the key :/
>
> On 20 Oct 2017, at 9:27, Julio Saura <jsa...@hiberus.com> wrote:
>
> problem solved
>
> i do not know why but giving user role view instead of admin makes the trick ..
>
> :/
>
> now i am able to access using curl with the token, but not using python xD
> i get a 401 with long token, but if i use the short one that oc login gives works xD
>
> On 20 Oct 2017, at 8:59, Frederic Giloux <fgil...@redhat.com> wrote:
>
> Julio,
>
> have you tried the command with higher log level as per my previous email?
> # oc get rc -n project1 --as=system:serviceaccounts:project1:inciga --loglevel=8
> This gives you the successful rest call, which is made by the OC client to the API server. You can then check whether it differs from your curl.
>
> Regards,
>
> Frédéric
>
> On Fri, Oct 20, 2017 at 8:30 AM, Julio Saura <jsa...@hiberus.com> wrote:
>
>> headers look ok in curl request
>>
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * NPN, negotiated HTTP1.1
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Request CERT (13):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Unknown (67):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
>> * Server certificate:
>> *  subject: CN=10.1.5.31
>> *  start date: Sep 21 11:19:56 2017 GMT
>> *  expire date: Sep 21 11:19:57 2019 GMT
>> *  issuer: CN=openshift-signer@1505992768
>> *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
>> > GET /api/v1/namespaces/project1/replicationcontrollers HTTP/1.1
>> > Host: BALANCER:8443
>> > User-Agent: curl/7.56.0
>> > Accept: */*
>> > Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJsZHAiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaW5jaWdhLXRva2VuLTBkNDcyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImluY2lnYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyMjE0YTI4LWI0ZTMtMTFlNy1hZTBhLTAwNTA1NmE0M2M0MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpsZHA6aW5jaWdhIn0.VfJa8fLQQjSYySjWO3d_hp0kGqVFAnhvFQ2R6jTcLmtFwiA2NouO0QJCI2KZqvhXigAzPsksOKP7-BP_v2c-93UH3UyXW7RhkYKMOO7d1EMZVMGnT6NBKhVkw45wa20kH221ggh98wdv4MZRAoNEOvmN9qXHmsUWEnxfT8uNIjIkAt_aydocQ22hIbYXzd6w5x6zmOWIVWllgF3qGtY8ArTgRf4WxhuwhUJRy_Gm31WhtKioovk2Hpt6XnlPhnfvHhioqtizZsTepVOD0A-yjearxiDBE7yuIzRsMHo014Dq3O2T_qIZ2P2wvEWBzfpi7i1to4ep3jcb_qDM2vQ0IQ
>> > Content-Type: application/json
>> >
>> < HTTP/1.1 403 Forbidden
>> < Cache-Control: no-store
>> < Content-Type: application/json
>> < Date: Fri, 20 Oct 2017 06:28:52 GMT
>> < Content-Length: 295
>> {
>>   "kind": "Status",
>>   "apiVersion": "v1",
>>   "metadata": {},
>>   "status": "Failure",
>>   "message": "User \"system:serviceaccount:ldp:inciga\" cannot list replicationcontrollers in project \"ldp\"",
>>   "reason": "Forbidden",
>>   "details": {
>>     "kind": "replicationcontrollers"
>>   },
>>   "code": 403
>> }
>>
>> On 19 Oct 2017, at 18:17, Frederic Giloux <fgil...@redhat.com> wrote:
>>
>> Very good. The issue is with your curl. Next step run the same command with --loglevel=8 and check the queries that are sent to the API server.
>>
>> Regards,
>>
>> Frédéric
>>
>> On 19 Oct 2017 18:11, "Julio Saura" <jsa...@hiberus.com> wrote:
>>
>>> umm that works …
>>>
>>> weird
>>>
>>> Julio Saura Alejandre
>>> Managed Services Manager
>>> hiberus TRAVEL
>>> Tel.: + 34 902 87 73 92 Ext. 659
>>> Parque Empresarial PLAZA
>>> Edificio EXPOINNOVACIÓN
>>> C/. Bari 25
>>> Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
>>> www.hiberus.com
>>>
>>> On 19 Oct 2017, at 18:01, Frederic Giloux <fgil...@redhat.com> wrote:
>>>
>>> oc get rc -n project1 --as=system:serviceaccounts:project1:inciga
>>>
>>
>
> --
> Frédéric Giloux
> Senior Middleware Consultant
> Red Hat Germany
>
> fgil...@redhat.com M: +49-174-172-4661
>
> redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
> ________________________________________________________________________
> Red Hat GmbH, http://www.de.redhat.com/ Sitz: Grasbrunn,
> Handelsregister: Amtsgericht München, HRB 153243
> Geschäftsführer: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
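The thread diagnoses the 403 by comparing which account a bearer token actually names with the subject the role was bound to (the 403 body reports `system:serviceaccount:ldp:inciga`). As an added example, not code from the thread or from OpenShift, this Python helper decodes the payload of a service-account token without verifying its signature, purely to show the namespace and account it names, whether it matches a given role binding, and whether it is an SA token at all rather than the opaque user token `oc login` issues; the sample token is constructed here with a placeholder signature.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sa_token_identity(token: str) -> Optional[dict]:
    """Identity claimed by a Kubernetes/OpenShift service-account token.

    Local diagnostic only: the signature is NOT verified, so the result says
    which account the token names, not that the token is valid. Returns None
    for anything that is not an SA JWT (e.g. the shorter opaque user token).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != "kubernetes/serviceaccount":
        return None
    return {
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "name": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "subject": claims.get("sub"),
        "expires": claims.get("exp"),  # legacy SA tokens carry no exp claim
    }


def binding_matches_token(token: str, bound_namespace: str, bound_sa: str) -> bool:
    """True when the token names the account a role was bound to.

    The subject must equal system:serviceaccount:<ns>:<name>, the user name
    the API server prints in its 'User ... cannot list ...' 403 message.
    """
    ident = sa_token_identity(token)
    return ident is not None and ident["subject"] == f"system:serviceaccount:{bound_namespace}:{bound_sa}"


def make_sample_token(namespace: str, name: str) -> str:
    # Constructed sample: a real SA token is RS256-signed by the API server;
    # the signature segment is a placeholder because only the payload is read.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    payload = {"iss": "kubernetes/serviceaccount",
               "kubernetes.io/serviceaccount/namespace": namespace,
               "kubernetes.io/serviceaccount/service-account.name": name,
               "sub": f"system:serviceaccount:{namespace}:{name}"}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


SAMPLE_TOKEN = make_sample_token("ldp", "inciga")  # constructed, not the thread's token
```

Run against a token from a mounted SA secret, a mismatch between the namespace here and the project where the role binding lives explains a 403 before any TLS or header details need checking.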