Create and Manage User Accounts on oVirt and RHEV


Do you have a running oVirt or RHEV platform and wonder how to add user accounts to it? This article gives a few examples of how to add and manage user accounts on oVirt and RHEV.

What is oVirt?

oVirt is an open-source complete virtualization management platform founded by Red Hat as a community project. oVirt builds on the powerful kernel-based virtual machine (KVM hypervisor) and on the RHEV-M management server.

What’s included in oVirt?

  • Rich web-based user interfaces for both admin and non-admin users
  • Live migration of virtual machines and disks between hosts and storage
  • Integrated management of hosts, storage, and network configuration
  • High availability of virtual machines in the event of a host failure

Create Local User Account on oVirt

oVirt / RHEV ships with a command-line tool, ovirt-aaa-jdbc-tool, that is used to manage local user accounts in the internal domain. For a full list of the options it supports, run:

$ sudo ovirt-aaa-jdbc-tool user --help
Usage: /usr/bin/ovirt-aaa-jdbc-tool [options] user module ...
Perform user related tasks.

Options:
 --help
 Show help for this module.

Modules:
 add
 edit
 delete
 unlock
 password-reset
 show
 help

The modules available are add, edit, delete, unlock, password-reset, show. 

Adding a new user

Command usage syntax:

ovirt-aaa-jdbc-tool user add username [options]

Options available are:

Options:
  --account-login-time=[1|0 ** 336]
    7 * 48 long string for each half hour of the week. 1:login_allowed.
    Affects AUTH_RECORD.VALID_TO. See also WEEK_START_SUNDAY setting.
    Default value: 1 ** 336.

  --account-valid-from=[yyyy-MM-dd HH:mm:ssX]
    The date which the account is valid from.
    Default value: current date/time

  --account-valid-to=[yyyy-MM-dd HH:mm:ssX]
    The date when the account become expired from.
    Default value: infinite

  --attribute=[=]
    Available names:
      department
      description
      displayName
      email
      firstName
      lastName
      title

To add a new user to the system, use the basic syntax:

sudo ovirt-aaa-jdbc-tool user add <username> \
  --attribute=firstName=<first-name> \
  --attribute=lastName=<last-name>

Example:

sudo ovirt-aaa-jdbc-tool user add josphat \
  --attribute=firstName=Josphat \
  --attribute=lastName=Mutai

You should get output like below:

adding user josphat...
user added successfully
Note: by default created user cannot log in. see:
/usr/bin/ovirt-aaa-jdbc-tool user password-reset --help.

Resetting Local User Password on oVirt

By default, a newly added user cannot log in; you need to set a password for it first.

$ sudo ovirt-aaa-jdbc-tool user password-reset username [options]

Available options:

Options:
  --encrypted
    Indicates that entered password is already encrypted.
    NOTES:
    1. Entering encrypted password means, that password validity tests cannot be performed, so they are skipped and password is accepted even though it doesn't comply with password validation policy.
    2. Password has to be encrypted using the same algorithm as configure, otherwise user will not be able to login (we cannot perform any tests that correct encryption algorithm was used).

  --force
    If present password validity tests are skipped.

  --help
    Show help for this module.

  --password=[:]
    Password can be specified in one of the following formats:
      interactive: - query password interactively.
      pass:STRING - provide a password as STRING.
      env:KEY - provide a password using environment KEY.
      file:FILE - provide a password as 1st line of FILE.
      none: - provide an empty password, equal to --flag=nopass
    Default value: interactive:

  --password-valid-to=[yyyy-MM-dd HH:mm:ssX]
    Password expiration date.

Example for josphat user:

$ sudo ovirt-aaa-jdbc-tool user password-reset josphat --password-valid-to="2035-01-01 23:55:55Z"
Password:
Reenter password:
updating user josphat...
user updated successfully

You'll be asked for a password; enter and confirm it. The same command is used to reset a lost password.
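A scripted version of the add-and-reset sequence above, as an added example that is not part of the original article: it uses the env: password source listed in the password-reset help so the password is never typed on the command line, and sets both --account-valid-to and --password-valid-to. The function and variable names (provision_user, AAA_TOOL, OVIRT_NEW_PW) are my own.

```shell
#!/bin/sh
# Added example (not from the original article): create a local oVirt user,
# set its password without typing it interactively or placing it on the
# command line, and bound both the account and the password lifetime.
# Assumes ovirt-aaa-jdbc-tool is on PATH and the script runs as root. Through
# sudo the variable must be kept (sudo 1.8.21 or later):
#   AAA_TOOL='sudo --preserve-env=OVIRT_NEW_PW ovirt-aaa-jdbc-tool'
# AAA_TOOL=echo gives a dry run that only prints the commands it would run.
AAA_TOOL="${AAA_TOOL:-ovirt-aaa-jdbc-tool}"

# provision_user NAME FIRST LAST ACCOUNT_VALID_TO PASSWORD_VALID_TO
# The password comes from $OVIRT_NEW_PW and reaches the tool via its env:
# password source, so it is absent from `ps` output and shell history.
provision_user() {
  name="$1" first="$2" last="$3" acct_to="$4" pw_to="$5"
  : "${OVIRT_NEW_PW:?export OVIRT_NEW_PW before calling provision_user}"
  export OVIRT_NEW_PW

  $AAA_TOOL user add "$name" \
    --attribute=firstName="$first" \
    --attribute=lastName="$last" \
    --account-valid-to="$acct_to" || return 1

  # Password policy checks stay on: neither --force nor --encrypted is used.
  $AAA_TOOL user password-reset "$name" \
    --password=env:OVIRT_NEW_PW \
    --password-valid-to="$pw_to" || return 1

  unset OVIRT_NEW_PW
}

# Dry run with constructed values (prints the two commands, changes nothing):
# OVIRT_NEW_PW='constructed-example' AAA_TOOL=echo \
#   provision_user josphat Josphat Mutai '2023-01-21 10:51:02Z' '2022-07-21 00:00:00Z'
```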

View User details on oVirt

To view user account details on oVirt, use the command:

$ sudo ovirt-aaa-jdbc-tool user show josphat
-- User josphat(cc8cd20f-c106-47d8-a81a-29f632ca27fd) --
Namespace: *
Name: josphat
ID: cc8cd20f-c106-47d8-a81a-29f632ca27fd
Display Name:
Email:
First Name: Josphat
Last Name: Mutai
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2022-01-21 10:51:02Z
Account Valid To: 2222-01-21 10:51:02Z
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Last unsuccessful Login At: 2022-01-21 10:58:26Z
Password Valid To: 2035-01-01 23:55:55Z

We can confirm the password expiry date is as configured.

Assign User a Role on oVirt

This user account has no privileges to manage oVirt yet. Assign it the SuperUser role if you want it to work like the admin account; otherwise assign only the specific permissions it needs.

Log in to the dashboard as the admin user, and navigate to:

Administration > Configure > System Permissions > Add


On the next window, search for the user added, in my case josphat and click the GO button.


Once the account is shown click on the checkbox to select it.


Change "Role to Assign" to SuperUser, or select another role as appropriate, and click OK. The new role is then assigned to the user account.


Delete User on oVirt

If the user account is no longer required, it can be deleted with the command:

$ sudo ovirt-aaa-jdbc-tool user delete josphat
deleting user josphat...
user deleted successfully

If you then try to view the user details, you should get an error saying the user was not found.

$ sudo ovirt-aaa-jdbc-tool user show josphat
user josphat not found

Disable a user account on oVirt

To disable a user account on oVirt, use:

sudo ovirt-aaa-jdbc-tool user edit <username> --flag=+disabled

Enable a disabled user account on oVirt

To re-enable a disabled user account, use the command:

sudo ovirt-aaa-jdbc-tool user edit <username> --flag=-disabled

Unlocking locked user account on oVirt

If a user account has been locked after too many failed logins, you can unlock it using the command:

sudo ovirt-aaa-jdbc-tool user unlock <username>

For example:

sudo ovirt-aaa-jdbc-tool user unlock josphat

Editing User email address

To change the email address, use the command:

sudo ovirt-aaa-jdbc-tool user edit josphat --attribute=email=<email-address>

Managing User Groups in oVirt/RHEV

The same ovirt-aaa-jdbc-tool tool command is used to manage user groups in an internal domain. The whole management of group accounts is similar to managing user accounts. To view a full list of group management options, run the command:

$ ovirt-aaa-jdbc-tool group --help
Perform group operations

Options:
  --help
    Show help for this module.

Modules:
  add
  edit
  delete
  show
  help

To view help on a specific group module, use:

$ ovirt-aaa-jdbc-tool group module --help
# Example
$ ovirt-aaa-jdbc-tool group add --help
Options:
  --attribute=[=]
    Available names:
      description
      displayName

  --help
    Show help for this module.

  --id=[ID]
    String representation of group unique id.
    Default value: generated UUID

Let’s use some examples to demonstrate how this is done.

Add a group on oVirt

We are adding a group called sysadmins:

$ sudo ovirt-aaa-jdbc-tool group add sysadmins
adding group sysadmins...
group added successfully

Extra attributes can be provided when the group is created:

$ sudo ovirt-aaa-jdbc-tool group add sysadmins \
  --attribute=displayName="System Administrators" \
  --attribute=description="Users with full oVirt Administration"

adding group sysadmins...
group added successfully

Add users to the group

Let's add the users user1 and user2 to the group. The users must already exist.

$ sudo ovirt-aaa-jdbc-tool group-manage useradd sysadmins --user=user1
updating user sysadmins...
user updated successfully

$ sudo ovirt-aaa-jdbc-tool group-manage useradd sysadmins --user=user2
updating user sysadmins...
user updated successfully

To view group account details, use the command:

$ sudo ovirt-aaa-jdbc-tool group show sysadmins
Namespace: *
Name: sysadmins
ID: 60126f06-84e5-4517-8d87-d39229129af0
Display Name:
Description:

Creating Nested Groups

You can also create groups within groups. Start with the creation of the first group:

$ sudo ovirt-aaa-jdbc-tool group add devops
adding group devops...
group added successfully

Create the second group:

$ sudo ovirt-aaa-jdbc-tool group add sre
adding group sre...
group added successfully

Finally add the second group to the first group:

$ sudo ovirt-aaa-jdbc-tool group-manage groupadd devops --group=sre
updating group devops...
group updated successfully

The next step is to add the first group in the Administration Portal and assign it the appropriate roles and permissions.


Querying Users and Groups

A module called query is provided to allow you to query user and group information. See full options for this module:

$ ovirt-aaa-jdbc-tool query --help
Search users/groups by attributes

Options:
  --help
    Show help for this module.

  --pattern=[=]
    Available attributes:
      department
      description
      displayName
      email
      firstName
      id
      lastName
      name
      title
    Wildcard character may be placed at suffix of value to match any.

  --what=[STRING]
    Query an entity.
    Valid values: user|group

List all user account details

To list all user account details, use the command:

sudo ovirt-aaa-jdbc-tool query --what=user

List all group account details:

sudo ovirt-aaa-jdbc-tool query --what=group

Listing Filtered Account Details

You can apply filters when listing account information. The --pattern parameter is used for this specific task.

Here is one example on listing user account details with names that start with the character p.

sudo ovirt-aaa-jdbc-tool query --what=user --pattern="name=p*"

Listing oVirt groups that have the department attribute set to devops:

sudo ovirt-aaa-jdbc-tool query --what=group --pattern="department=devops"
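An added audit script, not from the article and not part of the oVirt tooling, that reads records in the user show format seen earlier and flags accounts an administrator should look at: disabled, locked, expired, passwordless, or never logged in. It assumes query --what=user prints the same record format as user show; the sample records are constructed (abridged), with josphat's values taken from the show output earlier in the article.

```shell
#!/bin/sh
# Added example (not from the original article): flag local oVirt accounts that
# need attention, reading "user show"-style records on stdin. Assumed here:
# `query --what=user` prints the same records, so a full audit is
#   sudo ovirt-aaa-jdbc-tool query --what=user | audit_users "$(date -u +%F)"
# "today" is a parameter so results are reproducible; ISO dates compare as strings.
audit_users() {
  awk -v today="$1" '
    function flush(   flags) {
      if (name == "") return
      if (disabled == "true")                              flags = flags " disabled"
      if (locked == "true")                                flags = flags " locked"
      if (nopass == "true")                                flags = flags " no-password"
      if (acct_to != "" && substr(acct_to, 1, 10) < today) flags = flags " account-expired"
      if (pw_to != ""   && substr(pw_to, 1, 10)   < today) flags = flags " password-expired"
      if (last_ok ~ /^1970-01-01/)                         flags = flags " never-logged-in"
      if (flags != "") print name ":" flags
      name = disabled = locked = nopass = acct_to = pw_to = last_ok = ""
    }
    /^-- User /                   { flush() }
    /^Name: /                     { name = $2 }
    /^Account Disabled: /         { disabled = $3 }
    /^Account Locked: /           { locked = $3 }
    /^Account Valid To: /         { acct_to = $4 }
    /^Account Without Password: / { nopass = $4 }
    /^Last successful Login At: / { last_ok = $5 }
    /^Password Valid To: /        { pw_to = $4 }
    END                           { flush() }
  '
}

# Constructed sample (abridged): josphat as shown in the article, plus a stale account.
sample_records() {
  cat <<'EOF'
-- User josphat(cc8cd20f-c106-47d8-a81a-29f632ca27fd) --
Name: josphat
Account Locked: false
Account Valid To: 2222-01-21 10:51:02Z
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2035-01-01 23:55:55Z
-- User olduser(00000000-0000-0000-0000-000000000001) --
Name: olduser
Account Locked: true
Account Valid To: 2222-01-21 10:51:02Z
Account Without Password: false
Last successful Login At: 2021-06-01 08:00:00Z
Password Valid To: 2021-12-31 00:00:00Z
EOF
}
```

Run it with `sample_records | audit_users 2022-01-21` to see the two flagged accounts, or pipe the real query output into audit_users with today's date.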

These commands should be sufficient for managing user accounts on oVirt. If you have any questions or need assistance with your oVirt administration, let me know by dropping a comment.
