Unable to login as system:admin #5259

Closed
joeswaminathan opened this Issue Oct 20, 2015 · 15 comments

joeswaminathan commented Oct 20, 2015

I am using the tag v1.0.6 on Fedora 22.

When I tried to log in I get the following error. (I looked at #4650, but I am unable to understand why it doesn't use the certificates for me.)

[kumo@os-master master]$ oc login -u system:admin -n default
Server [https://localhost:8443]:
2015-10-20 11:22:27.113009 I | http: TLS handshake error from 127.0.0.1:39396: remote error: bad certificate
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Authentication required for https://localhost:8443 (openshift)
Username: system:admin
Password:

I looked at the documentation; it says certain users are created by default. But when I issue "oc config view" I don't see any users.

[kumo@os-master master]$ oc config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

Contributor

liggitt commented Oct 20, 2015

That user is the bootstrap cluster admin user, and is authenticated using a client certificate. Make sure you are using the admin.kubeconfig which already contains the system:admin credentials. oc config view should show a user stanza with the system admin credentials, in which case oc login -u system:admin just switches to use those credentials.

Contributor

deads2k commented Oct 20, 2015

> That user is the bootstrap cluster admin user, and is authenticated using a client certificate. Make sure you are using the admin.kubeconfig which already contains the system:admin credentials. oc config view should show a user stanza with the system admin credentials, in which case oc login -u system:admin just switches to use those credentials.

Rather than always using the admin.kubeconfig, you can simply login as yourself, but when you need cluster-admin rights, you can use --config=path/to/admin.kubeconfig as an arg to the command.

joeswaminathan commented Oct 20, 2015

Thanks for the quick response. Could you please clarify what you mean by "Make sure you are using the admin.kubeconfig"? Where do I specify this?

I do see admin.kubeconfig under /openshift.local.config/master. And I did start openshift as

openshift start --master-config=<homedir>/openshift.local.config/master/master-config.yaml --node-config=<homedir>/openshift.local.config/node-os-master/node-config.yaml

joeswaminathan commented Oct 20, 2015

@deads2k Thanks, that worked.

oc login -u system:admin -n default --config=<homedir>/openshift.local.config/master/admin.kubeconfig

exporting

KUBECONFIG=<homedir>/openshift.local.config/master/admin.kubeconfig  

seems to be a better way

diatmpravin commented Aug 30, 2016

I was not able to find the master/admin.kubeconfig file. It's located in /etc/origin/master/admin.kubeconfig.

  • I have copied it to .kube
    cp /etc/origin/master/admin.kubeconfig /home/fedora/.kube/admin.kubeconfig
  • Change permission to fedora
    sudo chown fedora:fedora admin.kubeconfig
  • Now I can login
    oc login -u system:admin -n default --config=.kube/admin.kubeconfig
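
Added example (not from the thread or the OpenShift project): a shell check for the two conditions discussed above, a kubeconfig with no client-certificate user (the empty `oc config view` output in the original report) and a copied admin.kubeconfig that other accounts can read. The function name, return codes and sample files are assumptions made for this example.

```shell
#!/bin/sh
# Return codes (this example's own convention):
#   0 = client certificate and key present, file private to its owner
#   1 = no client-certificate credentials in the file
#   2 = credentials present, but group or others have access to the file
#   3 = file missing or unreadable
check_kubeconfig() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 3; }

    # A certificate-identified user needs both halves, either inline
    # (*-data) or as a path to a PEM file.
    if ! grep -Eq '^[[:space:]]*client-certificate(-data)?:[[:space:]]*[^[:space:]]' "$f" ||
       ! grep -Eq '^[[:space:]]*client-key(-data)?:[[:space:]]*[^[:space:]]' "$f"; then
        echo "$f: no client-certificate credentials in any user stanza"
        return 1
    fi

    # Characters 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -lLd "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: holds a client key but group/other bits are '$perms'; chmod 600"
        return 2
    fi
    echo "$f: client-certificate credentials present, owner-only access"
    return 0
}

# Constructed samples: the empty config from the first post, and a config
# whose certificate fields are placeholders, not real key material.
tmp=$(mktemp -d)
printf 'apiVersion: v1\nclusters: []\nkind: Config\nusers: []\n' > "$tmp/empty"
cat > "$tmp/admin.kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: system:admin
  user:
    client-certificate-data: PLACEHOLDER
    client-key-data: PLACEHOLDER
EOF
chmod 644 "$tmp/admin.kubeconfig"
check_kubeconfig "$tmp/empty" || true             # reports: no credentials
check_kubeconfig "$tmp/admin.kubeconfig" || true  # reports: mode too open
chmod 600 "$tmp/admin.kubeconfig"
check_kubeconfig "$tmp/admin.kubeconfig"          # passes
```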

rushins commented Apr 19, 2017

What is the default password for user "admin" on the webconsole?

Contributor

deads2k commented Apr 21, 2017

> What is the default password for user "admin" on the webconsole?

Using openshift start, any password will work for authentication, but the "admin" user won't have any powers (can't get/list/watch/create anything). He can create a new project to work with though.

"admin" is different than "system:admin". "system:admin" is a certificate identified user.

dnepangue commented Jul 13, 2017

Sorry to bring up this old thread, but how do I log in to the web console with system:admin privileges? Should I create a user with cluster administrator access?

jasonmacdonald commented Sep 13, 2017

Same question, how do I actually access the webconsole with admin privileges?

dnepangue commented Sep 14, 2017

@jasonmacdonald If you can log in as system:admin in the terminal, you can create a user and give it cluster admin access.

jasonmacdonald commented Sep 14, 2017

Yes, I eventually did just that. The instructions just led me to believe that I would use the system:admin account to do that. Thanks!

sureshpalemoni commented Oct 8, 2017

I have installed htpasswd, created a user, and mapped the identity provider as well. Still, I am unable to log in to the console or through the CLI with "oc login".

developerworks commented Oct 22, 2017

If you are just in a test env, you could add the cluster-admin role to the user developer with this:

oc adm policy add-cluster-role-to-user cluster-admin developer

wgui1 commented Mar 6, 2018

In my local cluster launched by "oc cluster up", I can get KUBECONFIG from the command 'docker inspect origin'.
Then you can run oc commands with admin privileges:

export KUBECONFIG=`docker inspect origin|grep KUBECONFIG|sed -e 's/.*KUBECONFIG=\(.*\)".*/\1/'`
oc get pod
NAME                            READY     STATUS      RESTARTS   AGE
docker-registry-1-np566         1/1       Running     0          43m
persistent-volume-setup-9zqfr   0/1       Completed   0          44m
router-1-54rjm                  1/1       Running     0          43m

muheric commented Aug 15, 2018

Hello everyone,

When I connect to my OpenShift as system:admin and try to check whoami, I get this error:
Error from server (Forbidden): User "system:anonymous" cannot get users at the cluster scope
I tried all the possible ways to solve it, but the problem is still there. How can you help me? Thanks
