cancel
Showing results for 
Search instead for 
Did you mean: 
  • 1,833 Views

system:authenticated:oauth - DO280 ch03s05

Jump to solution

In Chapter 3 Section 5 - "Configuring Authentication and Authorization" - how do you find the groups so you can do part 4? Specifically where can I get the group name 'system:authenticated:oauth' used in 4.2?

2 Solutions

Accepted Solutions
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,827 Views

Hello @bibbinator !

Thanks for reaching out !

Please refer here : https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 

Chetan_Tiwary__0-1690231909467.png

This is the group from which the self-provisioner cluster role will be removed. system:authenticated:oauth is a virtual group that represents all users who have been authenticated using OAuth.

In the step 4 in ch03s05 : the system:authenticated:oauth group name is used to specify the group that the self-provisioner cluster role should be removed from. This means that users who are members of the system:authenticated:oauth group will no longer be able to use the self-provisioner cluster role.

You can check the same in your system( as a cluster-admin)  using the command :

oc describe clusterrolebinding.rbac self-provisioner

Chetan_Tiwary__0-1690232357346.png

 

View solution in original post

0 Kudos
alexcorcoles
Flight Engineer
Flight Engineer
  • 1,826 Views

In the previous GE, in step 2.1 you examine the self-provisioners cluster role binding, and there you learn that the self-provisioner cluster role is assigned to the system:authenticated:oauth group.

However, although the lecture shows the self-provisioner role, you may consider that the lecture does not provide enough detail to complete the review lab if you didn't do the GE, so there might be a small gap there.

I would suggest, though, that if you want further discussion, open a separate topic (so it's easier for others to see your comment), or use the feedback button in the course to report an issue (I found no existing issue about topic).

View solution in original post

0 Kudos
4 Replies
Chetan_Tiwary_
Community Manager
Community Manager
  • 1,828 Views

Hello @bibbinator !

Thanks for reaching out !

Please refer here : https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 

Chetan_Tiwary__0-1690231909467.png

This is the group from which the self-provisioner cluster role will be removed. system:authenticated:oauth is a virtual group that represents all users who have been authenticated using OAuth.

In the step 4 in ch03s05 : the system:authenticated:oauth group name is used to specify the group that the self-provisioner cluster role should be removed from. This means that users who are members of the system:authenticated:oauth group will no longer be able to use the self-provisioner cluster role.

You can check the same in your system( as a cluster-admin)  using the command :

oc describe clusterrolebinding.rbac self-provisioner

Chetan_Tiwary__0-1690232357346.png

 

0 Kudos
alexcorcoles
Flight Engineer
Flight Engineer
  • 1,827 Views

In the previous GE, in step 2.1 you examine the self-provisioners cluster role binding, and there you learn that the self-provisioner cluster role is assigned to the system:authenticated:oauth group.

However, although the lecture shows the self-provisioner role, you may consider that the lecture does not provide enough detail to complete the review lab if you didn't do the GE, so there might be a small gap there.

I would suggest, though, that if you want further discussion, open a separate topic (so it's easier for others to see your comment), or use the feedback button in the course to report an issue (I found no existing issue about topic).

0 Kudos
  • 1,818 Views

I'm an experienced K8's user and I think this question is missing important background information. 

It looks as though there is no way to look up user to group affiliations via oc?

Is this correct?

0 Kudos
alexcorcoles
Flight Engineer
Flight Engineer
  • 1,799 Views

IIRC, you can lookup group members. However, I think system:authenticated:oauth is a special "virtual" group that includes all authenticated users, and I believe if you look up members, OpenShift will not show members (for other groups it will). IIRC, there's another virtual group for unauthenticated users.

0 Kudos
Join the discussion
You must log in to join this conversation.