
system:authenticated:oauth - DO280 ch03s05


In Chapter 3, Section 5 - "Configuring Authentication and Authorization" - how do you find the groups so you can do part 4? Specifically, where can I get the group name 'system:authenticated:oauth' used in 4.2?

2 Solutions

Accepted Solutions
Chetan_Tiwary_
Community Manager

Hello @bibbinator!

Thanks for reaching out!

Please refer here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

This is the group from which the self-provisioner cluster role will be removed. system:authenticated:oauth is a virtual group that represents all users who have been authenticated using OAuth.

In step 4 of ch03s05, the system:authenticated:oauth group name is used to specify the group that the self-provisioner cluster role should be removed from. This means that users who are members of the system:authenticated:oauth group will no longer be able to use the self-provisioner cluster role.

You can check the same in your system (as a cluster-admin) using the command:

oc describe clusterrolebinding.rbac self-provisioners


0 Kudos
alexcorcoles
Flight Engineer

In the previous GE, in step 2.1 you examine the self-provisioners cluster role binding, and there you learn that the self-provisioner cluster role is assigned to the system:authenticated:oauth group.

However, although the lecture shows the self-provisioner role, you may consider that the lecture does not provide enough detail to complete the review lab if you didn't do the GE, so there might be a small gap there.

I would suggest, though, that if you want further discussion, you open a separate topic (so it's easier for others to see your comment), or use the feedback button in the course to report an issue (I found no existing issue about this topic).

0 Kudos
4 Replies

I'm an experienced K8s user and I think this question is missing important background information.

It looks as though there is no way to look up user-to-group affiliations via oc?

Is this correct?

0 Kudos
alexcorcoles
Flight Engineer

IIRC, you can look up group members. However, I think system:authenticated:oauth is a special "virtual" group that includes all authenticated users, and I believe if you look up members, OpenShift will not show members (for other groups it will). IIRC, there's another virtual group for unauthenticated users.

0 Kudos
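
Added example, not part of the original thread or the course material: the lookup discussed above, done over the JSON that `oc get clusterrolebindings -o json` returns, listing every subject bound to a cluster role. The sample data is constructed, the `example-*` names are made up, and treating the reserved `system:` prefix as the mark of a virtual group is this example's assumption.

```python
import json

# Constructed sample shaped like `oc get clusterrolebindings -o json` output.
# Every "example-*" name is made up for illustration.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "self-provisioners"},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
   "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
  {"metadata": {"name": "example-dev-provisioners"},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
   "subjects": [{"kind": "Group", "name": "example-devs"},
                {"kind": "User", "name": "example-user"}]},
  {"metadata": {"name": "example-empty"},
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}},
  {"metadata": {"name": "example-viewers"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")


def subjects_for_role(binding_list, role):
    """Return (binding, kind, name, virtual) for every subject bound to `role`."""
    rows = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # A binding may carry no subjects at all; treat that as an empty list.
        for subj in item.get("subjects") or []:
            # Assumption of this example: a Group whose name starts with the
            # reserved "system:" prefix is virtual, so it has no member list.
            virtual = subj["kind"] == "Group" and subj["name"].startswith("system:")
            rows.append((item["metadata"]["name"], subj["kind"], subj["name"], virtual))
    return rows


if __name__ == "__main__":
    for binding, kind, name, virtual in subjects_for_role(SAMPLE, "self-provisioner"):
        note = "virtual group, no member list" if virtual else "regular subject"
        print(f"{binding}: {kind} {name} ({note})")
```

On a live cluster, save the command's output to a file and pass the result of `json.load` on that file in place of `SAMPLE`.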