oauthaccesstokens revocation/creation permission denied in OpenShift 4.6 - openshift

When I run oc get oauthaccesstokens, I get a list of active tokens. I tried to use each of the tokens in that list to revoke itself or other tokens; none of them works. This works in the older OCP versions (4.5/4.4/4.3) but does not work in OCP 4.6.
However, I can use the token that I get from the token request page, or from oc whoami -t, to revoke other tokens, including itself. I will call this token the "working token" below.
I am not sure if it is an API change or a defect, but I do not see that in the OpenShift API pages:
4.6: https://docs.openshift.com/container-platform/4.6/rest_api/oauth_apis/oauthaccesstoken-oauth-openshift-io-v1.html
4.5: https://docs.openshift.com/container-platform/4.5/rest_api/oauth_apis/oauthaccesstoken-oauth-openshift-io-v1.html
I found the following when I compared OCP 4.6 and 4.5:
The oauthaccesstokens objects are different between versions.
The oauthclient is different between versions, although it is created by the same YAML file, the same code.
The working token (from the request page or oc whoami -t) is not listed in oc get oauthaccesstokens in OCP 4.6, but it is listed in 4.5.
The working token has the client name openshift-browser-client, but if I use a token with the same client name from the token list, i.e. oc get oauthaccesstokens, it does not have permission to revoke any of the tokens, including itself, in OCP 4.6.

Probably my answer is not of interest to you anymore, but oauthaccesstokens that don't start with sha256~ are apparently deprecated since OpenShift 4.6 (I noticed that from an alert in AlertManager). I believe they'll be removed in 4.8.

Related

How to delete a project in the Red Hat OpenShift web UI without permissions?

I tried the Red Hat OpenShift k8s distro and now there are 2 projects that I need to delete. I can only log in as user 'erjcan'; this is my primary account and it seems not to be allowed to do admin actions.
The 'delete' button is inactive in the GUI console; I tried to create a role for myself but can't.
I tried to create an admin-like role and assume it as a user, but that is not allowed either.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: all-stuff
  namespace: erjcan-stage
rules:
- apiGroups:
  - ''
  resources:
  - '*'
  verbs:
  - '*'
The code above gives me an RBAC not-allowed error:
An error occurred
roles.rbac.authorization.k8s.io "all-stuff" is forbidden: user "erjcan"
(groups=["system:authenticated:oauth" "system:authenticated"]) is
attempting to grant RBAC permissions
not currently held: {APIGroups:[""], Resources:["*"],
Verbs:["*"]}
I tried to delete via the CLI, but I can only log in as the erjcan user.
Logged into "https://api.sandbox-m2.ll9k.p1.openshiftapps.com:6443" as "erjcan" using the token provided.
You have access to the following projects and can switch between them with 'oc project <projectname>':
erjcan-dev
* erjcan-stage
Using project "erjcan-stage".
bash-4.4 ~ $
bash-4.4 ~ $ oc delete project erjan-dev
Error from server (Forbidden): projects.project.openshift.io "erjan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjan-dev"
bash-4.4 ~ $ oc delete project erjcan-dev
Error from server (Forbidden): projects.project.openshift.io "erjcan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjcan-dev"
How do I delete a project in the Red Hat OpenShift GUI console?
You appear to be talking about using Red Hat's developer sandbox, which, indeed, does not allow you to delete projects. There's no way around that: RBAC is specifically set up to not allow you to create or delete projects.
You don't say why you need to delete the projects. They will go away eventually due to inactivity. But if you just want a clean slate, or just need to remove what you have inside that project, you do have permission to delete everything in the project (just not the project itself).
oc delete all --all will remove everything inside the current project. Obviously use that command with strict care: there is no confirmation or warning. (BTW, the first "all" is saying all types of objects: pods/deployments/routes/etc.; the second --all is saying "yes, I'm deliberately not providing a filter or any other subset, I really mean delete all of the objects I'm specifying".)
Similarly, the following two commands should clean up both of your projects (although they will still exist).
oc delete all --all -n erjcan-stage
oc delete all --all -n erjcan-dev

Cannot GET /api/forge/oauth/callback

I'm trying to test out this demo on my own Windows machine: https://github.com/Autodesk-Forge/forge-bim360-clashissue
I've successfully got the template running with these commands.
npm install
set FORGE_CLIENT_ID=<<YOUR CLIENT ID FROM DEVELOPER PORTAL>>
set FORGE_CLIENT_SECRET=<<YOUR CLIENT SECRET>>
set FORGE_CALLBACK_URL=<<YOUR CALLBACK URL>>
npm run nodemon
I've added a new app within the Forge My Apps interface.
I've added the provisions for the BIM 360 Account interface.
I can connect to my localhost, and when I press ALLOW to try to authenticate and log in to the Autodesk account, I get redirected to the following website with the following error:
http://localhost:3000/api/forge/oauth/callback?code=TOAq...
Cannot GET /api/forge/oauth/callback
How can I get past this error?
It looks like a configuration mismatch. You have configured the callback to be http://localhost:3000/api/forge/oauth/callback but according to https://github.com/Autodesk-Forge/forge-bim360-clashissue/blob/master/server/endpoints/oauth.endpoints.js#L72 your server actually expects the callback on a different URL: http://localhost:3000/api/forge/callback/oauth.
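As an added example (not code from the forge-bim360-clashissue repository), the check below reproduces the mismatch described in the answer and shows how a server can refuse to start when FORGE_CALLBACK_URL does not point at a route it actually serves. The route table is constructed for the example; only the callback path comes from the answer.

```javascript
// Added example, not code from the forge-bim360-clashissue repository: a
// start-up check that the path in FORGE_CALLBACK_URL is a GET route the server
// registers, so a mismatch like the one in the question fails fast instead of
// surfacing as an Express "Cannot GET" 404 after the user has already consented.
const ROUTES = [ // constructed route table; only the callback path is from the answer
  { method: 'GET', path: '/api/forge/callback/oauth' },
  { method: 'GET', path: '/api/forge/example/constructed' },
];

// Mimics what Express answers when no route matches: its default 404 body.
function dispatch(routes, method, path) {
  const hit = routes.find((r) => r.method === method && r.path === path);
  return hit ? `handled ${method} ${path}` : `Cannot ${method} ${path}`;
}

// Validate the configured callback URL against the route table. Returns a
// result object so the caller can log it or refuse to start the server.
function checkCallbackConfig(env, routes) {
  let url;
  try {
    url = new URL(env.FORGE_CALLBACK_URL);
  } catch (e) {
    return { ok: false, reason: `FORGE_CALLBACK_URL is not an absolute URL: ${env.FORGE_CALLBACK_URL}` };
  }
  // The redirect URI registered with the OAuth provider must match exactly,
  // so a callback carrying a query string or fragment is a misconfiguration.
  if (url.search || url.hash) {
    return { ok: false, reason: 'callback URL must not carry a query string or fragment' };
  }
  const getPaths = routes.filter((r) => r.method === 'GET').map((r) => r.path);
  if (!getPaths.includes(url.pathname)) {
    return { ok: false, reason: `no GET route for ${url.pathname}; server handles: ${getPaths.join(', ')}` };
  }
  return { ok: true, reason: '' };
}

// Reproduce the question: the provider redirects the browser to the configured
// callback with ?code=..., and the server answers with its 404 body.
function simulateRedirect(env, routes) {
  const target = new URL(env.FORGE_CALLBACK_URL);
  target.searchParams.set('code', 'TOAq...'); // truncated code as shown in the question
  return dispatch(routes, 'GET', target.pathname);
}
```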

Hyperledger Composer CLI Ping to a Business Network returns AccessException

I'm trying to learn Hyperledger Composer, but it seems to be a relatively new technology; I mean there are few tutorials and few solutions to a lot of questions. The tutorial does not mention possible error cases when following the commands, which means there is also no solution for those errors.
I have joined the Composer channel in their community chat (it looks like it's running on Discord or something) and asked the same question without a response; I have a better experience here on SO.
This is the problem: I have deployed my business network, installed it, started it, created my network admin card and imported it. Then, to test if everything is OK, I have to run the command composer network ping --card NAME-OF-MY-ADMIN-CARD
And this error comes:
juan#JuanDeDios:~/proyectos/inovacion/a3-poliza-microservice$ composer network ping --card admin#a3-policy-microservice
Error: transaction returned with failure: AccessException: Participant 'org.hyperledger.composer.system.NetworkAdmin#admin' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#a3-policy-microservice#0.0.1'
Command failed
I think it has something to do with the permission.acl file, so I gave permission to everyone for everything so there would not be any restrictions on anyone, and tried again, but it failed.
So I thought I had to uninstall my business network and create it again; I deleted my .bna and my network.card files too so everything would be created again, but the same error resulted.
My other attempt was to update the business network, but it didn't work; the same error happened, and I'm sure I didn't miss any step from the tutorial. I also followed the Playground tutorial. What I have not done is to create another app with Yeoman, but I will if I don't find a solution to this problem that would not require me to create another app.
These were my steps:
1-. Created my app with Yeoman
yo hyperledger-composer:businessnetwork
2-. Selected Apache-2.0 for my license
3-. Created a3-policy-microservice as the name of the business network
4-. Created org.microservice.policy (Yeah, I switched names, but I'm totally aware)
5-. Generated my app with a template selecting the NO option
6-. Created my assets, participants and transactions
7-. Changed my permission rules to mine
8-. I generated the .bna file
composer archive create -t dir -n .
9-. Then installed my bna file
composer network install --card PeerAdmin#hlfv1 --archiveFile a3-policy-microservice#0.0.1.bna
10-. Then started my network and created my networkadmin card
composer network start --networkName a3-policy-network --networkVersion 0.0.1 --networkAdmin admin --networkAdminEnrollSecret adminpw --card PeerAdmin#hlfv1 --file networkadmin.card
11-. Imported my card
composer card import --file networkadmin.card
12-. Tried to ping my network
composer network ping --card admin#a3-poliza-microservice
And the error happens.
Later I tried to create everything again, shutting down my Fabric, starting it again and creating the network from the first step.
My other attempt was to change the permissions and upgrade my .bna network, but it failed too. I'm running out of options.
Hope this description is not too long to ignore. Thanks in advance.
Thanks for the question!
The first possibility is that your network name is a3-policy-network but you're pinging a network called a3-poliza-microservice, which matters once you do get the correct ACLs in place (currently, that's the error you're trying to resolve).
The procedure for upgrade would normally be the procedure below:
After your step 12 (where you can't ping the business network due to restrictive ACL conditions, assuming you are using the right network name) you would have:
Make the changes to include your System ACLs this time, e.g.
/**
 * Sample access control list.
 */
rule SystemACL {
  description: "System ACL to permit all access"
  participant: "org.hyperledger.composer.system.Participant"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}
rule NetworkAdminUser {
  description: "Grant business network administrators full access to user resources"
  participant: "org.hyperledger.composer.system.NetworkAdmin"
  operation: ALL
  resource: "**"
  action: ALLOW
}
rule NetworkAdminSystem {
  description: "Grant business network administrators full access to system resources"
  participant: "org.hyperledger.composer.system.NetworkAdmin"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}
Update the "version" field in your existing package.json in your Business Network project directory (i.e. you need to change it to the next increment, e.g. update the version property from 0.0.1 to 0.0.2).
From the same directory, run the following command:
composer archive create --sourceType dir --sourceName . -a a3-policy-network#0.0.2.bna
Now, first install the new business network code:
composer network install --card PeerAdmin#hlfv1 --archiveFile a3-policy-network#0.0.2.bna
Then perform the requisite upgrade step (single '-' for short form of the parameter):
composer network upgrade -c PeerAdmin#hlfv1 -n a3-policy-network -V 0.0.2
After a few seconds, ping the network again to see ACL changes are now in effect:
composer network ping -c a3-policy-network
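As an added example (not code from Composer, the asker's project, or the answer above), here is a small evaluator for the ACL subset shown in this thread. It reproduces why NetworkAdmin#admin is denied READ on the Network resource when only application rules exist, and why adding the system rules from the answer makes the ping succeed. The participant hierarchy (SUPERTYPES) and the restrictive ACL it evaluates are constructed assumptions of this example.

```javascript
// Added example, not Composer's own code: a minimal evaluator for the ACL subset
// used on this page (first matching rule wins, default deny, one operation or ALL
// per rule). That a rule on the base type Participant also matches NetworkAdmin is
// modelled by the SUPERTYPES table, which is an assumption of this example.
const SYS = 'org.hyperledger.composer.system.';
const SUPERTYPES = { [SYS + 'NetworkAdmin']: [SYS + 'Participant'],
                     'org.microservice.policy.Holder': [SYS + 'Participant'] };
// Parse 'rule Name { participant: ... operation: ... resource: ... action: ... }'.
function parseAcl(text) {
  const rules = [];
  for (const m of text.matchAll(/rule\s+(\w+)\s*\{([^}]*)\}/g)) {
    const field = (k) => {
      const f = m[2].match(new RegExp(`${k}:\\s*(?:"([^"]*)"|(\\S+))`));
      return (f[1] !== undefined ? f[1] : f[2]).trim();
    };
    rules.push({ name: m[1], participant: field('participant'), op: field('operation'),
                 resource: field('resource'), action: field('action') });
  }
  return rules;
}
// Type-name pattern: "**" = everything, "ns.**" = ns and its sub-namespaces,
// otherwise an exact type. The "#identifier" suffix of an instance is ignored.
function typeMatches(pattern, fqn) {
  const type = fqn.split('#')[0];
  if (pattern === '**') return true;
  if (pattern.endsWith('.**')) return type.startsWith(pattern.slice(0, -2));
  return type === pattern;
}
function participantMatches(pattern, participantFqn) {
  if (pattern === 'ANY') return true;
  const type = participantFqn.split('#')[0];
  return [type, ...(SUPERTYPES[type] || [])].some((t) => typeMatches(pattern, t));
}
// True only when the first rule matching (participant, op, resource) says ALLOW.
function isAllowed(rules, participant, op, resource) {
  const hit = rules.find((r) => participantMatches(r.participant, participant) &&
    (r.op === 'ALL' || r.op === op) && typeMatches(r.resource, resource));
  return hit !== undefined && hit.action === 'ALLOW';
}
// Constructed ACLs: an asker-style file with only an application rule, and the same
// file with the answer's system rules placed in front of it (descriptions omitted).
const RESTRICTIVE_ACL = `rule PolicyOwners { participant: "org.microservice.policy.Holder" operation: ALL resource: "org.microservice.policy.**" action: ALLOW }`;
const FIXED_ACL = `rule SystemACL { participant: "${SYS}Participant" operation: ALL resource: "${SYS}**" action: ALLOW }
rule NetworkAdminUser { participant: "${SYS}NetworkAdmin" operation: ALL resource: "**" action: ALLOW }
` + RESTRICTIVE_ACL;
// The failing ping from the question: NetworkAdmin#admin needs READ on the Network resource.
const NETWORK = `${SYS}Network#a3-policy-microservice#0.0.1`;
const ADMIN = `${SYS}NetworkAdmin#admin`;
```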

OpenShift router with custom template: permission denied

I've followed the example as shown in https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-configmap-replace-template, but the new Pod crashed after start with a "Permission denied" when opening the map files during templating (generation of haproxy-config and map files).
As soon as I remove the TEMPLATE_FILE env var, a new Pod is started and everything works again; it almost seems like a different account is used if a custom template is set.
I0405 11:03:35.627827 1 template.go:260] Starting template router (v3.9.0-alpha.4+9ab7a71)
I0405 11:03:35.630984 1 metrics.go:157] Router health and metrics port listening at 0.0.0.0:1936
I0405 11:03:35.636222 1 router.go:228] Router is including routes in all namespaces
E0405 11:03:35.837826 1 limiter.go:137] error creating config file /var/lib/haproxy/conf/os_route_http_redirect.map: open /var/lib/haproxy/conf/os_route_http_redirect.map: permission denied
It can be either one of two options:
You're using a 3.9 router and you looked up the instructions for a 3.2 release. That document tells you how to copy the original configuration file from the router that matches your release. Make sure you use the appropriate router version.
There's a bug in that release (as you're using an alpha.4 release).
I would recommend trying with the correct version for the router, since in 3.9 HAProxy has been upgraded, and if that still doesn't work, look in the openshift/origin GitHub issues and ask there.

Jenkins UCM ClearCase plugin fails due to rights

I am using Jenkins with the source control plugin named UCM ClearCase.
It tries to create a view and fails with the error:
[onlysourcecode] $ cleartool mkview -snapshot -stream ROLE_Test_Project_DevSG#\Vobname -tag SYSTEM_master_Test_ROLE_001_hudson view
Selected Server Storage Location "Views".
cleartool: Error: unable to set access control list for \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Access is denied.
cleartool: Error: protection on \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws is out-of-synch with identity.sd and groups.sd
cleartool: Error: Failed to set identity on view: Permission denied
cleartool: Error: unable to set access control list for \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Access is denied.
cleartool: Error: \\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws: Permission denied
cleartool: Error: Unable to create view "\\server\viewstor\NT+AUTHORITY\SYSTEM\view.1.vws".
FATAL: UCM ClearCase failed. exit code=1
This basically means it does not have permissions to create a view. Now my questions:
Any ideas on what exactly is the problem here?
What ID is Jenkins using internally? Meaning, I have a user ID on the domain controller where I log in to the machine and run Jenkins. If Jenkins uses that, then why this error, as I can create views?
If not, then what ID does it use, and how do I get Jenkins to use my domain ID, or else maybe get the internal ID to be a part of the ClearCase AD group?
I guess this is run on a Windows box as a service. Thus it is not run as a domain user.
It appears that Jenkins is trying to create a view storage (.vws) in the default location, based on the ClearCase configuration on the system.
Perhaps you should choose the Advanced... option in UCM ClearCase and explicitly specify the location for your view storage. There are:
Windows view storage directory
Additional mkview arguments
I run Jenkins on a Linux box where I have specified an explicit location for the .vws file in Additional mkview arguments.
To add to Raghuram's answer, using the system account (NT+AUTHORITY) is tricky, because even if you specify a local view storage:
that account won't have a CLEARCASE_PRIMARY_GROUP associated with its profile
even if it did, it wouldn't be part of the group referenced by CLEARCASE_PRIMARY_GROUP
That means it won't be able to access the vob storage of the Vob it will need to access within the view.
Anyway, at the very least you should try to configure the Slave Service to Run as Domain User.