【发布时间】:2018-06-13 14:56:34
【问题描述】:
我想使用 OpenShift REST api 从单独的门户进行查询。我们首先使用以下步骤创建了一个服务帐户(其中 my-id 是项目中的管理员):
C:\openshift>oc login
Authentication required for https://openshift-test.foo.com:8443 (openshift)
Username: my-id
Password:
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
* datalake-replication-consumers
datalake-replication-demo
Using project "datalake-replication-consumers".
C:\openshift>oc create serviceaccount gmi-registry
serviceaccount "gmi-registry" created
C:\openshift>oc policy add-role-to-user admin system:serviceaccounts:datalake-replication-consumers:gmi-registry
role "admin" added: "system:serviceaccounts:datalake-replication-consumers:gmi-registry"
C:\openshift>oc serviceaccounts get-token gmi-registry
<token here>
然后我将该令牌作为不记名令牌粘贴到 Postman 中以进行一些 api 调用。由于我将我的服务帐户添加到项目中的管理员角色中,因此我认为这会起作用,但我们却得到了 403。
获取豆荚:
https://openshift-test.foo.com:8443/api/v1/namespaces/datalake-replication-consumers/pods
回复:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"system:serviceaccount:datalake-replication-consumers:gmi-registry\" cannot list pods in project \"datalake-replication-consumers\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
获取特定部署:
https://openshift-test.foo.com:8443/oapi/v1/namespaces/datalake-replication-consumers/deploymentconfigs/entity-65869977-9d56-49a5-afa2-4a547df82d5c
回复:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"system:serviceaccount:datalake-replication-consumers:gmi-registry\" cannot get deploymentconfigs in project \"datalake-replication-consumers\"",
"reason": "Forbidden",
"details": {
"name": "entity-65869977-9d56-49a5-afa2-4a547df82d5c",
"kind": "deploymentconfigs"
},
"code": 403
}
我们在这里缺少什么服务帐户权限?
UDPATE:我还应该补充一点,我从 CLI 中提取了自己的不记名令牌并将其用于两个调用。那行得通。
【问题讨论】:
标签: api permissions openshift