[caasp-beta] caasp v4 dex refreshtokens forbidden

JenTing Hsiao jenting.hsiao at suse.com
Mon Aug 19 19:24:50 MDT 2019


Great, thanks!

Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Monday, August 19, 2019 at 21:24:
Ok I have added get to refresh tokens as follows and will open a Bugzilla. The real issue now for developers getting logged in from a browser seems to be the

“securecookie: the value is too long”

issue. I will log Bugzilla as well, but that seems much more critical.

kind: ClusterRole
metadata:
  name: oidc-dex
  namespace: kube-system
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create", "get", "list", "update", "watch"]
- apiGroups: ["dex.coreos.com"]
  resources: ["oauth2clients", "connectors", "passwords", "refreshtokens"]
  verbs: ["list"]
- apiGroups: ["dex.coreos.com"]
  resources: ["signingkeies"]
  verbs: ["create", "get", "list", "update"]
- apiGroups: ["dex.coreos.com"]
  resources: ["authcodes", "authrequests", "offlinesessionses"]
  verbs: ["create", "delete", "get", "list", "update"]
- apiGroups: ["dex.coreos.com"]
  resources: ["refreshtokens"]
  verbs: ["get", "create", "delete"]

Ian

From: JenTing Hsiao <jenting.hsiao at suse.com>
Sent: Monday, August 19, 2019 6:47 AM
To: Donaldson, Ian <Ian.Donaldson at NGIC.COM>; caasp-beta at lists.suse.com
Subject: Re: [caasp-beta] caasp v4 dex refreshtokens forbidden

Loop more people.

JenTing Hsiao <jenting.hsiao at suse.com> wrote on Saturday, August 17, 2019 at 11:45:
Hi Ian,
    This is due to the oidc-dex ClusterRole having no get permission on refreshtokens. Thanks for finding the bug. Please help file a Bugzilla if possible.

JenTing

Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Saturday, August 17, 2019 at 00:44:
One of our developers can’t log in to gangway/dex to get his token. I see these errors in the dex logs. Any ideas?

2019-08-16T11:44:00.072284195-04:00 stderr F time="2019-08-16T15:44:00Z" level=error msg="failed to get refresh token: GET https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/refreshtokens/bj7ffgjikxfj6hiryzqgmzm6x Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"refreshtokens.dex.coreos.com \\"bj7ffgjikxfj6hiryzqgmzm6x\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot get resource \\"refreshtokens\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"bj7ffgjikxfj6hiryzqgmzm6x\",\"group\":\"dex.coreos.com\",\"kind\":\"refreshtokens\"},\"code\":403}\""



Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com
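
An added example, not part of the original thread or of the CaaSP or dex code: it parses the denial from the dex log line quoted above and evaluates it against the oidc-dex rules before and after the change. The pre-fix rule set is an assumption (the posted role minus its last rule), all function names are hypothetical, and `resourceNames`, namespaces and role bindings are out of scope.

```python
import re

# Excerpt of the dex log line from the thread, kept with its backslash escaping.
LOG_EXCERPT = (r'User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot get '
               r'resource \\"refreshtokens\\" in API group \\"dex.coreos.com\\" '
               r'in the namespace \\"kube-system\\"')

DEX = "dex.coreos.com"
# Assumption: the role before the fix is the posted role minus its last rule.
RULES_BEFORE = [
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["create", "get", "list", "update", "watch"]},
    {"apiGroups": [DEX], "verbs": ["list"],
     "resources": ["oauth2clients", "connectors", "passwords", "refreshtokens"]},
    {"apiGroups": [DEX], "resources": ["signingkeies"],
     "verbs": ["create", "get", "list", "update"]},
    {"apiGroups": [DEX], "resources": ["authcodes", "authrequests", "offlinesessionses"],
     "verbs": ["create", "delete", "get", "list", "update"]},
]
RULES_AFTER = RULES_BEFORE + [
    {"apiGroups": [DEX], "resources": ["refreshtokens"], "verbs": ["get", "create", "delete"]},
]

DENIAL = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource '
                    r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_denial(line):
    """Return user/verb/resource/group from an RBAC 403 message, or None."""
    match = DENIAL.search(line.replace("\\", ""))  # drop log escaping first
    return match.groupdict() if match else None

def _hit(values, want):
    return "*" in values or want in values

def granted_verbs(rules, resource, group):
    """Union of verbs the rules grant on one resource ("*" is a wildcard)."""
    verbs = set()
    for rule in rules:
        if _hit(rule["apiGroups"], group) and _hit(rule["resources"], resource):
            verbs.update(rule["verbs"])
    return verbs

def allows(rules, request):
    """True if the rule set authorizes the parsed request."""
    return _hit(granted_verbs(rules, request["resource"], request["group"]),
                request["verb"])

if __name__ == "__main__":
    req = parse_denial(LOG_EXCERPT)
    print(req, allows(RULES_BEFORE, req), allows(RULES_AFTER, req))
```

`granted_verbs` returns the full verb set per resource, so the same role can be compared against whatever other verbs a component issues on that resource.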

