CCI-MOC / ops-issues


Research why my NERC OpenShift account will not allow me to do many things through the CL #858

Closed joachimweyl closed 1 year ago

joachimweyl commented 1 year ago

I can create a MySQL service and pods through the UI but not through the CL. Attempted to install mysql:

$ oc new-app -e MYSQL_USER=<username> -e MYSQL_PASSWORD=<password> -e MYSQL_DATABASE=<database_name> mysql:5.6
--> Creating resources ...
    error: forbidden: User "joachimw@bu.edu" cannot post path "/oapi/v1/namespaces/openshift-testing-fc27a77/imagestreams"
    error: forbidden: User "joachimw@bu.edu" cannot post path "/oapi/v1/namespaces/openshift-testing-fc27a77/deploymentconfigs"
    service "mysql" created
--> Failed

When I try to see the verbose status of my project I have 3 warnings.

$ oc status -v
In project openshift-testing-fc27a77 on server https://api.nerc-ocp-prod.rc.fas.harvard.edu:6443

Warnings:
  * Unable to list deploymentConfigs resources.  Not all status relationships can be established.
  * Unable to list imageStreams resources.  Not all status relationships can be established.
  * Unable to list routes resources.  Not all status relationships can be established.

When I log into the oc with my token this is what I see. Notice I apparently don't even have a default project I can access; I have to manually switch to my default project.

$ oc project
error: the project "default" specified in your config does not exist.

When trying to learn more about my user permissions/access

$ oc get users
Error from server (Forbidden): users.user.openshift.io is forbidden: User "joachimw@bu.edu" cannot list resource "users" in API group "user.openshift.io" at the cluster scope

When I attempt to check my own user

$ oc whoami
Error from server (NotFound): the server could not find the requested resource (get users ~)

When I log in using the login token command

$ oc login --token=sha256~<token> --server=https://api.shift.nerc.mghpcc.org:6443
Logged into "https://api.shift.nerc.mghpcc.org:6443" as "sha256~<token>" using the token provided.

Using "default".  You can switch projects with:

 'oc project <projectname>'

joachimweyl commented 1 year ago

Same issue when I attempt to create a PostgreSQL container: my user is forbidden to access imagestreams and deploymentconfigs.

larsks commented 1 year ago

@joachimweyl I'd like to take a look at this with you. Let me know when you're free.

Your user (joachimw@bu.edu) is bound to the edit role in the openshift-testing-fc27a77 project, and that role definitely has access to both imagestream and deploymentconfig resources.

The output of oc project you posted earlier seems suspicious; you should be using the openshift-testing-fc27a77 project. What if you run this; does it change the behavior?

oc project openshift-testing-fc27a77

Also, can you confirm that your authenticated user is in fact joachimw@bu.edu by running:

oc whoami

joachimweyl commented 1 year ago

@larsks I slacked you some times that would work for me. I also added you as a manager to my OpenShift project. I also added the output of oc whoami to the description of this issue.

joachimweyl commented 1 year ago

I was running version 1.x of the oc command line tool. I updated to 4.10.0-202302072301.p0.gdaed147.assembly.stream-daed147 and now everything is working as expected.
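
Added example, not part of the original thread or the project's code: a Python triage of the error lines quoted in the first comment, separating denials that name an `/oapi/v1` path (the legacy un-grouped OpenShift API prefix that an old `oc` client calls) from ordinary RBAC denials that name a resource and an API group. The function names and verdict strings are hypothetical, and treating the `get users ~` NotFound as a legacy-client symptom is an assumption based on the thread.

```python
import re
from collections import Counter

# A legacy client calls un-grouped /oapi/v1 URLs; the denial then names a path.
LEGACY_PATH = re.compile(r'cannot (?P<verb>\w+) path "(?P<path>/oapi/v1/[^"]*)"')
# A request RBAC can map to a resource names the resource and its API group.
RBAC_DENY = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"')
# Assumption: NotFound on "get users ~" (no API group) is counted as a
# legacy-client symptom because the thread reports it from the 1.x client.
LEGACY_WHOAMI = re.compile(r'\(NotFound\).*\(get users ~\)')


def classify(line):
    """Return (kind, detail) for one line of oc error output."""
    m = LEGACY_PATH.search(line)
    if m:
        return ("legacy-client", f'{m["verb"]} {m["path"]}')
    if LEGACY_WHOAMI.search(line):
        return ("legacy-client", "get users ~")
    m = RBAC_DENY.search(line)
    if m:
        return ("rbac-denied", f'{m["verb"]} {m["res"]}.{m["group"]}')
    return ("other", line.strip())


def triage(output):
    """Classify every non-empty line and suggest where to look first."""
    results = [classify(l) for l in output.splitlines() if l.strip()]
    counts = Counter(kind for kind, _ in results)
    if counts["legacy-client"]:
        verdict = "upgrade oc, then retest before changing role bindings"
    elif counts["rbac-denied"]:
        verdict = "review role bindings for the named resources"
    else:
        verdict = "no known pattern"
    return counts, verdict, results


# Constructed sample: error lines copied from the issue text above.
SAMPLE = '''
error: forbidden: User "joachimw@bu.edu" cannot post path "/oapi/v1/namespaces/openshift-testing-fc27a77/imagestreams"
error: forbidden: User "joachimw@bu.edu" cannot post path "/oapi/v1/namespaces/openshift-testing-fc27a77/deploymentconfigs"
Error from server (Forbidden): users.user.openshift.io is forbidden: User "joachimw@bu.edu" cannot list resource "users" in API group "user.openshift.io" at the cluster scope
Error from server (NotFound): the server could not find the requested resource (get users ~)
'''

if __name__ == "__main__":
    counts, verdict, results = triage(SAMPLE)
    for kind, detail in results:
        print(f"{kind:14} {detail}")
    print("verdict:", verdict)
```
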