Bug 1268126

Summary: system:admin requiring password
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: apiserver-auth Assignee: Jordan Liggitt <jliggitt>
Status: CLOSED CURRENTRELEASE QA Contact: weiwei jiang <wjiang>
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.0.0 CC: aos-bugs, salvatore.provvidenza, wsun
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-29 20:58:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2015-10-01 21:22:48 UTC
Description of problem:
system:admin requiring password when starting fresh with a copied version of admin.kubeconfig

Workaround is to use the -u option the first time. 

Version-Release number of selected component (if applicable):
3.0.2

How reproducible:
100% 

Steps to Reproduce:

[root@master ~]# rm .kube/config
rm: remove regular file ‘.kube/config’? y

[root@master ~]# cp /etc/openshift/master/admin.kubeconfig .kube/config

[root@master ~]# oc login
Authentication required for https://master.lizard.com:8443 (openshift)
Username: system:admin
Password: 
Error from server: Internal error occurred: unexpected response: 500

[root@master ~]# oc login -u system:admin
Logged into "https://master.lizard.com:8443" as "system:admin" using existing credentials.

Using project "default".

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default (current)
  * openshift
  * openshift-infra


Actual results:
Error from server: Internal error occurred: unexpected response: 500

Expected results:
Logged into "https://master.lizard.com:8443" as "system:admin" using existing credentials.

Additional info:

This only happens when the -u option is not used the first time. 

This was tested with htpasswd auth

Comment 2 Jordan Liggitt 2015-10-01 21:25:54 UTC
To switch to existing credentials, you must use "-u ...". Will look into preventing the 500 error.

Comment 3 Jordan Liggitt 2015-11-12 21:58:04 UTC
Fixed in origin in https://github.com/openshift/origin/pull/5726

Comment 4 Jordan Liggitt 2016-01-13 18:15:27 UTC
Usernames with colons no longer attempt password auth

Comment 5 weiwei jiang 2016-01-14 07:57:07 UTC
Checked with devenv-centos7_3136, and it still does not work.

# oc login 
Authentication required for https://172.18.8.193:8443 (openshift)
Username: system:admin
Password: 
error: username system:admin is invalid for basic auth

Comment 6 Jordan Liggitt 2016-01-14 13:31:05 UTC
To switch to existing credentials, you must use "-u ...". The bug that was fixed was the 500 error encountered if you try to use "system:admin" as a password login.

The "username system:admin is invalid for basic auth" error is working correctly if you attempt to use that username for a password login.
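
Why a username containing a colon cannot be carried by a password login, as an added example that is not part of this bug report or of the OpenShift code: HTTP Basic auth (RFC 7617) joins user and password with ":" and the receiver splits on the first colon, so "system:admin" does not survive the round trip. Function names and sample credentials are constructed for illustration; the guard's error text mirrors the message quoted in comment 5.

```python
import base64


def encode_basic(username, password):
    """Build an Authorization header value the way a Basic-auth client does."""
    token = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(token).decode("ascii")


def decode_basic(header):
    """Receiver-side parse per RFC 7617: user-id ends at the FIRST colon."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(b64, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def checked_encode_basic(username, password):
    """Client-side guard: refuse usernames Basic auth cannot represent."""
    if ":" in username:
        raise ValueError(f"username {username} is invalid for basic auth")
    return encode_basic(username, password)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real cluster.
    header = encode_basic("system:admin", "secret")
    # The receiver sees a different identity than the one typed at the prompt.
    print(decode_basic(header))

    # A colon in the password is fine: only the first colon is the separator.
    print(decode_basic(checked_encode_basic("alice", "s3:cret")))

    try:
        checked_encode_basic("system:admin", "secret")
    except ValueError as err:
        print("error:", err)
```

Rejecting the name on the client before any request is sent avoids authenticating as an unintended identity; certificate-backed users such as system:admin are selected with "-u" instead.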

Comment 7 weiwei jiang 2016-01-15 05:47:59 UTC
(In reply to Jordan Liggitt from comment #6)
> To switch to existing credentials, you must use "-u ...". The bug that
> was fixed was the 500 error encountered if you try to use "system:admin" as
> a password login.
> 
> The "username system:admin is invalid for basic auth" error is working
> correctly if you attempt to use that username for a password login.

If so, this should be verified.

Comment 8 Salvatore Provvidenza 2016-01-22 11:42:43 UTC
Hi guys, I have the same problem with the last version of origin (openshift-origin-server-v1.1.1)

When I run this command:

oc login localhost:8443 -usystem:admin

OpenShift requires a password. I need to system:admin user but I don't know
how to get permits to run:

oadm policy add-cluster-role-to-user cluster-admin admin

Do you have any idea to help me?

Thanks in advance.

Comment 9 Jordan Liggitt 2016-01-22 21:22:45 UTC
system:admin credentials live in a client certificate. If you get prompted for a password, that means your $KUBECONFIG file does not contain those credentials. You need to locate the admin.kubeconfig file generated at server start and do
export KUBECONFIG=/path/to/admin.kubeconfig

Then you will be able to run cluster admin commands.

Comment 10 Salvatore Provvidenza 2016-01-25 10:05:44 UTC
Thanks, now it works fine :D