Message: Forbidden! User demo/192-168-64-25:8443 doesn't have permission..

[cmou...@redhat.com]

Hi,

I'm facing a strange issue when I try to create a Project. The "test" that I'm using to create the Config object required by the Kubernetes client is defined within my ~/.kube/config file as user and has a context

- context:
    cluster: 192-168-64-25:8443
    namespace: test
    user: admin/192-168-64-25:8443
- name: test/192-168-64-25:8443
  user:
    token: ht5VTElCs4nlpaTgNXSdDeZi1agXaS3nzVA0qInhQtA

But when, the following code is executed

config = new ConfigBuilder()
 .withMasterUrl(cmdArgs.url)
 .withTrustCerts(true)
 .withOauthToken(cmdArgs.token)
 .withNamespace(cmdArgs.namespace)
 .build();
 }

 KubernetesClient kubernetesClient = new DefaultKubernetesClient(config);
 OpenShiftClient client = kubernetesClient.adapt(OpenShiftClient.class);

 try {
 // Let's create the project if it doesn't exist
 ProjectRequest request = null;
 try {
 Project project = project = client.projects().withName(cmdArgs.namespace).get();
 } catch(KubernetesClientException kubex) {
 log("ERROR : The project " + cmdArgs.namespace + " doesn't exists for the current context !!!");
 request = client.projectrequests().createNew()
 .withNewMetadata()
 .withName(cmdArgs.namespace)
 .endMetadata()
 .done(); // LINE 102 -> FORBIDDEN IS RETURNED
 log("The project " + cmdArgs.namespace + " has been created !");

, I get this error

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://192.168.64.25:8443/oapi/v1/projectrequests. Message: Forbidden! User demo/192-168-64-25:8443 doesn't have permission..
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:315)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:266)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:237)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:230)
        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:208)
        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl.create(ProjectRequestsOperationImpl.java:67)
        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl$1.apply(ProjectRequestsOperationImpl.java:84)
        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl$1.apply(ProjectRequestsOperationImpl.java:80)
        at io.fabric8.openshift.api.model.DoneableProjectRequest.done(DoneableProjectRequest.java:27)
        at org.jboss.OpenShiftCommand.main(OpenShiftCommand.java:102)

 As we can see the request is still issued by Kubernetes Client using the user coming from the "current-context: demo/192-168-64-25:8443/demo" instead of the user authenticated "test/test".

Is there a trick to resolve this issue ?

Regards,

Charles

[Ioannis Canellos]

The kubernetes-client in many cases will favor configuration found in .kube/config and possibly ignore stuff that are provided programmaticaly.

This is a known issue and we've also attempted to fix that in the past: https://github.com/fabric8io/kubernetes-client/pull/684 but we are still after a more 'to the point' solution.

The workaround is to remove .kube/config or update it so that it matches the configuration you are passing programatically.

--
You received this message because you are subscribed to the Google Groups "fabric8" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Ioannis Canellos

Blog: http://iocanel.blogspot.com

Twitter: iocanel

[Antonin Stefanutti]

Hi Charles,

As a workaround you can try switching the current context with:

kubectl config set-context NAME

See https://kubernetes.io/docs/user-guide/kubectl/kubectl_config_set-context/

Antonin

--
You received this message because you are subscribed to the Google Groups "fabric8" group.

To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+u...@googlegroups.com.

[Charles Moulliard]

2 remarks/questions:

- Why is the method "OpenShiftOAuthInterceptor implements Interceptor {" of the class OpenShiftOAuthInterceptor not called when we try to create a namespace/project as this okhttp intercept should be called in order to authenticate the user when we use OpenShiftClient ?

- Is there a Java Util Method that I could use to change the context -> update yaml file as I can't use "oc or kubectl config set-context test" ?

To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+unsubscribe@googlegroups.com.

[Ioannis Canellos]

The interceptor IS called and adds the OAUTH token as a header. The problem is that it uses the one found inside .kube/config. 

It doesn't try to authenticate, because technically you are already authenticated, but not to the project you are trying to access.

[cmou...@redhat.com]

I get the same error even if the current-context is changed to use the user "test" 

current-context

oc config current-context
test/192-168-64-25:8443/test

Error 

2017-03-23 12:47:38 INFO  OpenShiftCommand:179 - Username  : test

2017-03-23 12:47:38 INFO  OpenShiftCommand:179 - Namespace : test

2017-03-23 12:47:38 INFO  OpenShiftCommand:179 - Master URL : https://192.168.64.25:8443/

2017-03-23 12:47:38 INFO  OpenShiftCommand:179 - ==========================

2017-03-23 12:47:38 INFO  OpenShiftCommand:179 - ERROR : The project test doesn't exists for the current context !!!

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://192.168.64.25:8443/oapi/v1/projectrequests. Message: Forbidden! User test/192-168-64-25:8443 doesn't have permission..

        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:315)

        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:266)

        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:237)

        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:230)

        at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:208)

        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl.create(ProjectRequestsOperationImpl.java:67)

        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl$1.apply(ProjectRequestsOperationImpl.java:84)

        at io.fabric8.openshift.client.dsl.internal.ProjectRequestsOperationImpl$1.apply(ProjectRequestsOperationImpl.java:80)

        at io.fabric8.openshift.api.model.DoneableProjectRequest.done(DoneableProjectRequest.java:27)

        at org.jboss.OpenShiftCommand.main(OpenShiftCommand.java:102)

Whoami & project

oc whoami
test

oc project
Using project "test" on server "https://192.168.64.25:8443".

Code of the project is here : https://github.com/cmoulliard/jcommander-kubernetes/blob/master/src/main/java/org/jboss/OpenShiftCommand.java#L95-L103

[cmou...@redhat.com]

I have discovered a bug. When the following request are issued to check the project(s)

client.projects().list())

client.projects().withName(cmdArgs.namespace).get();

then the okhttp3 interceptor (OpenShiftOAuthInterceptor) adding the token bearer to call openshift is not included : https://www.dropbox.com/s/r372t4shk0u76b4/Screenshot%202017-03-23%2013.45.24.png?dl=0

while it is well included when such requests are executed

client.replicationControllers().inNamespace(cmdArgs.namespace).create(createReplicationController()));

client.replicationControllers().withLabel("server", "nginx").list());

client.replicationControllers().withoutLabel("server", "apache").list());

client.pods().list();

client.services().list();

https://www.dropbox.com/s/kq8pili7wxw1zfq/Screenshot%202017-03-23%2013.39.18.png?dl=0

If someone tell me what to do, I could fix it 

On Thursday, March 23, 2017 at 10:57:07 AM UTC+1, cmou...@redhat.com wrote:

[cmou...@redhat.com]

The solution is not to change the current-context but instead to use directly the DefaultOpenshiftClient 

https://github.com/cmoulliard/jcommander-kubernetes/blob/master/src/main/java/org/jboss/OpenShiftCommand.java#L85

as in this case the correct interceptor will be added to send the Authorization Bearer

https://github.com/fabric8io/kubernetes-client/blob/1e7a97ebe347b13d6bd49eca4e5c2c314da5f8f4/openshift-client/src/main/java/io/fabric8/openshift/client/DefaultOpenShiftClient.java#L158-L158

On Thursday, March 23, 2017 at 10:57:07 AM UTC+1, cmou...@redhat.com wrote:

[Ioannis Canellos]

Can you please raise an issue and mention that there is different behavior between direct openshift client instantiation and adaptation?

--
You received this message because you are subscribed to the Google Groups "fabric8" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fabric8+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[cmou...@redhat.com]

done : https://github.com/fabric8io/kubernetes-client/issues/710

On Thursday, March 23, 2017 at 10:57:07 AM UTC+1, cmou...@redhat.com wrote: