Our goal is to change the “default permissions” as documented in https://docs.openshift.com/container-platform/3.6/admin_solutions/user_role_mgmt.html#leveraging-default-groups .
The groups system:authenticated , system:authenticated:oauth, system:unauthenticated
should not be able to access the API. One use case is: An ldap user who is not in the administrator group is not allowed to log into the web console. This is also how we test it.
Commands such as
oadm policy remove-cluster-role-from-user basic-user system:authenticated
oadm policy remove-cluster-role-from-user system:basic-user system:authenticated
return without error. However, we couldn’t see any effect, either. The output of oc get clusterrolebindings and oc get rolebindings remains the same, and our test user still can log on.
Are we trying the wrong commands? Or are further actions needed?
This worked:
oadm policy remove-cluster-role-from-group basic-user system:authenticated
So system:authenticated is a group, not a user. And it was the wrong command.
Thanks Red Hat Support.
Though - the cluster didn't work after running the above command, and
oadm policy remove-cluster-role-from-group basic-user system:unauthenticated
We had to revert it. I wonder if it was only the second command that wrought havoc. After nearly a week of downtime, though, the rest of the team isn't too keen on testing what happens if you only revoke basic-user from system:authenticated.
Related
I tried openshift redhat k8s distro and now there are 2 projects that i need to delete. I can only login as user 'erjcan', this is my primary acc and it seems not to be allowed to do admin actions.
The 'delete button' is inactive in gui console, i tried to create a role for myself but can't.
I tried to create admin-like role and assume it as a user, but it is not allowed either.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: all-stuff
namespace: erjcan-stage
rules:
- apiGroups:
- ''
resources:
- '*'
verbs:
- '*'
This code above gives me RBAC not allowed error:
An error occurred
roles.rbac.authorization.k8s.io "all-stuff" is forbidden: user "erjcan"
(groups=["system:authenticated:oauth" "system:authenticated"]) is
attempting to grant RBAC permissions
not currently held: {APIGroups:[""], Resources:["*"],
Verbs:["*"]}
I tried to delete via cli, but i can only login as erjcan user.
Logged into "https://api.sandbox-m2.ll9k.p1.openshiftapps.com:6443" as "erjcan" using the token provided.
You have access to the following projects and can switch between them with 'oc project <projectname>':
erjcan-dev
* erjcan-stage
Using project "erjcan-stage".
bash-4.4 ~ $
bash-4.4 ~ $ oc delete project erjan-dev
Error from server (Forbidden): projects.project.openshift.io "erjan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjan-dev"
bash-4.4 ~ $ oc delete project erjcan-dev
Error from server (Forbidden): projects.project.openshift.io "erjcan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjcan-dev"
How to delete a project in redhat openshift gui console?
You appear to be talking about using Red Hat's developer sandbox. Which, indeed, does not allow you to delete projects. There's no way around that: RBAC is specifically set up to not allow you to create or delete projects.
You don't say why you need to delete the projects. They will go away eventually do to inactivity. But, if you just want a clean slate, or just need to remove what you have inside that project you do have permission to delete everything in the project (just not the project itself).
oc delete all --all will remove everything inside the current project. Obviously use that command with strict care: there is no confirmation or warning. (BTW, the first "all" is saying all types of objects: pods/deployments/routes/etc, the second --all is saying "yes, I'm deliberately not providing a filter or any other subset, I really mean delete all of the objects I'm specifying".
Similarly, the following two commands should clean up both of your projects. (Although they will still exist.)
oc delete all --all -n erjcan-stage
oc delete all --all -n erjcan-dev
Im trying to learn Hyperledger Composer but seems to be a relatively new technology, i mean there are few tutorials and few solutions to a lot of questions, tutorial does not mention possible error case when following the commands and which means there are is also no solution for those errors.
I have joined the composer channel in their community chat, looks like its running in Discord or something, and asked the same question without a response, i have a better experience here in SO.
This is the problem: I have deployed my business network, installed it, started it, created my network admin card and imported it, then to test if everything is ok i have to command composer network ping --card NAME-OF-MY-ADMIN-CARD
And this error comes:
juan#JuanDeDios:~/proyectos/inovacion/a3-poliza-microservice$ composer network ping --card admin#a3-policy-microservice
Error: transaction returned with failure: AccessException: Participant 'org.hyperledger.composer.system.NetworkAdmin#admin' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#a3-policy-microservice#0.0.1'
Command failed
I think that it has to do something with the permission.acl file, and gave permission to everyone to everything so there would not be any restrictions to anyone, and tryied again, but failed.
So i thought i had to uninstall my business network and create it again, i deleted my .bna and my network.card files also so everything would be created again, but the same error result.
My other attempt was to update the business network, but didn't work, the same error happened and I'm sure i didn't miss any step from the tutorial. I do also followed the playground tutorial. What i have not done its to create another app with the Yeoman but i will do if i don't find a solution to this problem which would not require me to create another app.
This were my steps:
1-. Created my app with Yeoman
yo hyperledger-composer:businessnetwork
2-. Selected Apache-2.0 for my license
3-. Created a3-policy-microservice as the name of the business network
4-. Created org.microservice.policy (Yeah i switched names but Im totally aware)
5-. Generated my app with a template selecting the NO option
6-. Created my assets, participants and transactions
7-. Changed my permission rules to mine
8-. I generated the .bna file
composer archive create -t dir -n .
9-. Then installed my bna file
composer network install --card PeerAdmin#hlfv1 --archiveFile a3-policy-microservice#0.0.1.bna
10-. Then started my network and created my networkadmin card
composer network start --networkName a3-policy-network --networkVersion 0.0.1 --networkAdmin admin --networkAdminEnrollSecret adminpw --card PeerAdmin#hlfv1 --file networkadmin.card
11-. Imported my card
composer card import --file networkadmin.card
12-. Tried to ping my network
composer network ping --card admin#a3-poliza-microservice
And the error happens
Later i tried to create everything again shutting down my fabric and started it again and creating the network from the first step.
My other attempt was to change the permissions and upgrade my bna network, but it failed too. Im running out of options
Hope this description its not too long to ignore it. Thanks in advance
thanks for the question!
First possibility is that your network name is a3-policy-network but you're pinging a network called a3-poliza-microservice - once you do get the correct ACLs in place (currently, that's the error you're trying to resolve).
The procedure for upgrade would normally be the procedure below:
After your step 12 (where you can't ping the business network due to restrictive ACL conditions, assuming you are using the right network name) you would have:
Make the changes to to include your System ACLs this time eg.
/**
* Sample access control list.
*/
rule SystemACL {
description: "System ACL to permit all access"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
Update the "version" field in your existing package.json in your Business Network project directory (ie need to change it next increment - eg. update the version property from 0.0.1 to 0.0.2.)
From the same directory, run the following command:
composer archive create --sourceType dir --sourceName . -a a3-policy-network#0.0.2.bna
Now install the new business network code firstly:
composer network install --card PeerAdmin#hlfv1 --archiveFile a3-policy-network#0.0.2.bna
Then perform the requisite upgrade step (single '-' for short form of the parameter):
composer network upgrade -c PeerAdmin#hlfv1 -n a3-policy-network -V 0.0.2
After a few seconds, ping the network again to see ACL changes are now in effect:
composer network ping -c a3-policy-network
My Windows Store app keeps getting rejected from certification testing and I managed to reproduce a consequent crash when running appverif's LuaPriv-check. I get this output though:
AVRF: failed to create verifier log file \??\C:\Users\xx\AppVerifierLogs\yy.exe.0.dat (status C0000022)
Process Monitor tells me yy.exe got ACCESS DENIED on a CreateFile operation in this folder. I have set full access to all users (the user reported in the log was the same as the owner of the folder). I am running Visual Studio and Application Verifier as Administrator, but this does not seem to apply. What is the correct way of giving user xx full access to this folder on win8? I have attempted to use different log folders for appverify but with no success. Anyone else able to use this tool with Store-apps?
This post describes similar issues. Attempting to run AppVerif –sppath C:\MyLogsLocation as in the suggested workaround gives AVRF: Error: Incorrect image name: <
So does running appverif -enable handles locks -for myapp.exe -sppath c:\MyLogsLocation
It might be a bug in app verifier.
Have a look at these links:
http://social.technet.microsoft.com/Forums/en-US/5ed560c0-76af-401d-8150-8cd1e69d0b8a/why-app-verifier-can-not-create-log-file?forum=windowssdk
http://blogs.msdn.com/b/dougste/archive/2010/01/11/generating-application-verifier-logs-for-web-applications.aspx
0xc000022 is STATUS_ACCESS_DENIED. The process doesn't actually have write permissions, even if it looks like it should. This MSDN blog explains there is a bug in App Verifier so even if you specify -sppath the value won't be honoured unless you first delete the %WINDIR%\system32\config\AppVerifierLogs\ folder.
I have a batch file that calls "MSIExec /X {MyGUID} /qn". This runs successfully when run with my admin user. When I run it as a Window Batch command from a Hudson job it fails with "T�h�e� �i�n�s�t�a�l�l�a�t�i�o�n� �s�o�u�r�c�e� �f�o�r� �t�h�i�s� �p�r�o�d�u�c�t� �i�s� �n�o�t� �a�v�a�i�l�a�b�l�e�.� � �V�e�r�i�f�y� �t�h�a�t� �t�h�e� �s�o�u�r�c�e� �e�x�i�s�t�s� �a�n�d� �t�h�a�t� �y�o�u� �c�a�n� �a�c�c�e�s�s� �i�t�.�
"
I am inclined to think that the issue is that the job is started by the "anonymous" user rather than my admin user.
How in hudson do I "tie" the job to be run under the admin user?
Thanks in advance.
Regards,
Andrew
You have two options, the first one is, running Hudson under an Admin user (usually a bad idea) or use the runas command. To avoid entering a password you might need to use the /savecred option.
BTW, did you read the error message? Here is the readable version of it:
"The installation source for this
product is not available. Verify that
the source exists and that you can
access it. "
I am facing some odd situation that when I select/deselect the features in the feature customization wizard, it sometimes crashes the window. It does not give any clue at all. It also not happens consistently.
Do you have any idea or faced such kind of issue? I am able to even trace the root cause using install log.
You may be able to get closer to isolating the problem if you turn on the Debug policy. Do this by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer's Debug value to (dword) 7 in as described on the Windows Installer team blog. You will then need to use a tool like DebugView to view the extra output that Windows Installer will generate. Note you may have to restart the "msiserver" service for the policy to take effect. Best luck making sense of what it shows; often it's just a lot of SQL query dumps.
You can sometimes grab MSI exceptions from out of the event log, but they won't always tell you much.
Instead what you can do is turn on logging of the MSI, this can be done either via the registry, or via the command line. To find out about the registry option, visit this MS Support article. To do it from the command line you can use the same switches, but they obviously will only last for that one install. This is a snapshot as gathered from msiexec:
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
i - Status messages
w - Nonfatal warnings
e - All error messages
a - Start up of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
x - Extra debugging information
+ - Append to existing log file
! - Flush each line to the log
* - Log all information, except for v and x options
/log <LogFile>
Equivalent of /l* <LogFile>
To take advantage of these options, use msiexec directly:
msiexec.exe [path to your msi] /l [your options]