2 Global Configuration
For Oracle Linux Virtualization Manager, global configuration options are set from the Configure dialog box. This dialog box is accessed by selecting Administration and then clicking Configure. From the Configure dialog box, you can configure a number of global resources for your virtualization environment, such as users, roles, system permissions, scheduling policies, and MAC address pools. You can also customize the way in which users interact with resources in the environment and configure options that can be applied to multiple clusters from a central location.
Administering User Accounts from the Administration Portal
The following tasks describe common user administration tasks that are performed in the Administration Portal.
Adding VM Portal Permissions to a User
Users must be created already before they can be added and assigned roles and permissions. For more information, refer to Administering User and Group Accounts from the Command Line.
In the following example procedure, a user is assigned the roles and permissions associated with the UserRole. This role gives the user the permission to log in to the VM Portal and to start creating virtual machines. The procedure also applies to group accounts.
-
Click Administration and then select Configure.
The Configure dialog box opens with the Roles tab selected on the sidebar menu.
-
Click the System Permissions tab on the sidebar.
-
Click Add.
The Add System Permission to User dialog box opens.
-
Select a profile from the Search drop-down list and click Go.
-
Select the check box next to the user or group account.
-
Under the Role to Assign drop-down list, select UserRole.
-
Click OK.
-
(Optional) Log in to the VM Portal to verify the permissions of the user account.
Removing Users and Groups
-
Go to Administration and then click Users.
The Users pane opens.
-
On the Users pane, select either the User or Group tab to display the added users or groups.
-
Select the user or group to be removed.
-
Click Remove.
The Remove User(s) dialog box opens.
-
Click OK to confirm the removal of the user.
The user or group is removed and no longer appears on the Users pane.
Assigning Permissions to Users and Groups
Users and groups must be created already before they can be assigned roles and permissions. For more information, refer to Administering User and Group Accounts from the Command Line.
-
Go to Administration and then click Users.
The Users pane opens.
-
Click Add.
The Add Users and Groups dialog box opens.
-
Select either the Users option.
-
In the Search field, enter the name of the user or group to be added and then select Go.
The dialog box updates to display the search results.
-
Select the check box next to the user or group to be added.
-
Click Add.
The user or group is added and appears on the Users pane.
-
On the Users pane, select either the User or Group tab to display the added users or groups.
-
Display the detailed view for the user or group by clicking the name of the user under the User Name column or the name of the group under the Group Name column.
-
Click the Permissions tab.
-
Click Add System Permissions.
The Add System Permission to User dialog box opens.
-
From the Add System Permission to User drop-down list, select the role to assign to the user.
Creating a Custom Role
If you require a role that is not available in the default set of roles provided by the Manager, you can create a custom role.
Note:
For more information about the default set of roles provided by the Manager, see the Administration Guide in oVirt Documentation.
-
Click Administration and then select Configure.
The Configure dialog box opens with the Roles tab selected on the sidebar menu. The Roles tab displays a list of administrator and user roles, and any custom roles that have been created.
-
Click New.
The New Role dialog box opens.
-
For the Name and Description fields, enter an appropriate name and description for the role.
-
Under Account Type, select either Admin or User.
-
Under Check Boxes to Allow Action, select the appropriate objects whose permissions to assign to the user.
Click Expand All to see the objects under each permissions group. Click Collapse All to collapse the list of objects under each permissions group.
-
For each of the objects, select or clear the actions to be permitted or denied for the custom role that is being created.
-
Click OK to create the custom role.
The custom role now appears on the Roles tab.
Administering User and Group Accounts from the Command Line
The following sections describe the common tasks that can be performed to administer user accounts using the ovirt-aaa-jdbc-tool command utility. This utility is used to manage user and group accounts on the internal domain. To view a list of all available options for managing user and group accounts, run the ovirt-aaa-jdbc-tool --help command.
Note:
Changes made using the ovirt-aaa-jdbc-tool command utility take effect immediately and do not require you to restart the Manager.
Creating a New User Account
The ovirt-aaa-jdbc-tool user add command is used to create user accounts.
To create a new user account:
-
Log in to the host that is running the Manager.
-
Create a new user account.
ovirt-aaa-jdbc-tool user add username option
To view a full list of options available for creating a user account, run the ovirt-aaa-jdbc-tool user add --help command.
The following example shows how to create a new user account and add a first and last name to associate with the account.
    # ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
    adding user test1...
    user added successfully
    Note: by default created user cannot log in. see: /usr/bin/ovirt-aaa-jdbc-tool user password-reset --help.
Note:
After creating a new user account, you must set a password so that the user can log in. See Setting the Password for a User Account.
-
Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Assigning Permissions to Users and Groups.
Setting the Password for a User Account
The ovirt-aaa-jdbc-tool user password-reset command is used to set (or reset) passwords for a user account.
To set (or reset) the password for a user account:
-
Log in to the host that is running the Manager.
-
Set (or reset) the password for a user account.
ovirt-aaa-jdbc-tool user password-reset username --password-valid-to "yyyy-MM-dd HH:mm:ssZ"
Note:
You must set a value for the --password-valid-to option; otherwise the password expiry time defaults to the time of the last login.
By default, the password policy for user accounts on the internal domain has the following restrictions:
-
A user password must be a minimum length of 6 characters.
-
When resetting a password, you cannot use the three previous passwords used for the user account.
For more information on the password policy and other default settings, run the ovirt-aaa-jdbc-tool settings show command.
The following example shows how to set a user password. In the example, -0800 stands for GMT minus 8 hours.
    # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
    Password:
    Reenter password:
    updating user test1...
    user updated successfully
-
Editing User Information
The ovirt-aaa-jdbc-tool user edit command is used to edit user information associated with a user account.
To edit user information:
-
Log in to the host that is running the Manager.
-
Edit the user account.
ovirt-aaa-jdbc-tool user edit username option
To view a full list of options available for editing user information, run the ovirt-aaa-jdbc-tool user edit --help command.
The following example shows how to edit a user account by adding an email address to associate with this user.
    # ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
    updating user test1...
    user updated successfully
Viewing User Information
The ovirt-aaa-jdbc-tool user show command is used to display user information.
To view detailed user information:
-
Log in to the host that is running the Manager.
-
Display information about a user.
ovirt-aaa-jdbc-tool user show username
The following example shows how to view details about a user account.
    # ovirt-aaa-jdbc-tool user show test1
    -- User test1(e9e4b7d0-8ffd-45a3-b6ea-1f519238e766) --
    Namespace: *
    Name: test1
    ID: e9e4b7d0-8ffd-45a3-b6ea-1f519238e766
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-26 18:59:16Z
    Account Valid To: 2219-08-26 18:59:16Z
    Account Without Password: false
    Last successful Login At: 2019-08-27 15:21:20Z
    Last unsuccessful Login At: 2019-08-27 15:20:59Z
    Password Valid To: 2025-08-01 20:00:00Z
Removing a User
The ovirt-aaa-jdbc-tool user delete command is used to remove a user.
-
Log in to the host that is running the Manager.
-
Remove a user.
ovirt-aaa-jdbc-tool user delete username
The following example shows how to remove a user account.
    # ovirt-aaa-jdbc-tool user delete test1
    deleting user test1...
    user deleted successfully
Disabling User Accounts
You can disable users on the local domains, including the internal admin user that is created when you run the engine-setup command.
Important:
Make sure you have at least one user in the environment with full administrative permissions before disabling the default internal administrative user account (admin user). The SuperUser role gives a user full administrative permissions.
To disable a user:
-
Log in to the host that is running the Manager.
-
Disable the user.
ovirt-aaa-jdbc-tool user edit username --flag=+disabled
The following example shows how to disable the admin user.
    # ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
    updating user admin...
    user updated successfully
Note:
If for some reason you need to re-enable the internal admin user after it has been disabled, you can do so by running the ovirt-aaa-jdbc-tool user edit admin --flag=-disabled command.
Creating Group Accounts
The ovirt-aaa-jdbc-tool command is used to create and manage group accounts on the internal domain. Managing group accounts is similar to managing user accounts. To view all available options for managing group accounts, run the ovirt-aaa-jdbc-tool group --help command.
Common examples are provided in this section.
- Creating a Group
-
To create a group account:
-
Log in to the host that is running the Manager.
-
Create a new group account.
ovirt-aaa-jdbc-tool group add group-name
Note:
Users must be created before they can be added to groups.
The following example shows how to add a new group account.
    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
-
Add users to the group:
ovirt-aaa-jdbc-tool group-manage useradd group-name --user=username
To view a full list of the options for adding or removing members to and from groups, run the ovirt-aaa-jdbc-tool group-manage --help command.
The following example shows how to add users to a group.
    # ovirt-aaa-jdbc-tool group-manage useradd group1 --user test1
    updating user group1...
    user updated successfully
-
Display group account details.
ovirt-aaa-jdbc-tool group show group-name
The following example shows how to display details about a group account.
    # ovirt-aaa-jdbc-tool group show group1
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
-
Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.
The users in the group inherit the roles and permissions of the group.
-
- Creating Nested Groups
-
To create nested groups:
-
Log in to the host that is running the Manager.
-
Create the first group account.
ovirt-aaa-jdbc-tool group add group1
The following example shows how to add a new group account.
    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
-
Create the second group account.
ovirt-aaa-jdbc-tool group add group2
The following example shows how to create the second group account.
    # ovirt-aaa-jdbc-tool group add group2
    adding group group2...
    group added successfully
-
Add the second group to the first group.
ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
The following example shows how to add the second group to the first group.
    # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
    updating group group1...
    group updated successfully
-
Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.
-
Removing a Group Account
-
Log in to the host that is running the Manager.
-
Remove a group account.
ovirt-aaa-jdbc-tool group delete group-name
The following example shows how to remove a group account.
    # ovirt-aaa-jdbc-tool group delete group3
    deleting group group3...
    group deleted successfully
Querying Users and Groups
The ovirt-aaa-jdbc-tool query command is used to query user and group information. To view a full list of options available for querying users and groups, run the ovirt-aaa-jdbc-tool query --help command.
- Listing All User or Group Account Details
-
To list all account information:
-
Log in to the host that is running the Manager.
-
Display account details.
-
List all user account details.
ovirt-aaa-jdbc-tool query --what=user
The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=user command.
    # ovirt-aaa-jdbc-tool query --what=user
    -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
    Namespace: *
    Name: test2
    ID: 35e8b35e-2320-45da-b59e-1076b521d13f
    Display Name:
    Email:
    First Name: Jane
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-09-06 16:51:32Z
    Account Valid To: 2219-09-06 16:51:32Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 17:12:08Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User admin(89559d7f-3b48-420b-bd4d-2790122c199b) --
    Namespace: *
    Name: admin
    ID: 89559d7f-3b48-420b-bd4d-2790122c199b
    Display Name:
    Email:
    First Name: admin
    Last Name:
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 2019-03-07 11:09:07Z
    Account Valid From: 2019-01-24 21:18:11Z
    Account Valid To: 2219-01-24 21:18:11Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 18:10:11Z
    Last unsuccessful Login At: 2019-09-06 18:09:36Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
    Namespace: *
    Name: test1
    ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-29 18:15:20Z
    Account Valid To: 2219-08-29 18:15:20Z
    Account Without Password: false
    Last successful Login At: 1970-01-01 00:00:00Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
-
List all group account details.
ovirt-aaa-jdbc-tool query --what=group
The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=group command.
    # ovirt-aaa-jdbc-tool query --what=group
    -- Group group2(d6e0b913-d038-413a-b732-bc0c33ea1ed4) --
    Namespace: *
    Name: group2
    ID: d6e0b913-d038-413a-b732-bc0c33ea1ed4
    Display Name:
    Description:
    -- Group group1-1(e43ba527-6256-4c29-bd7a-0fb08b990b72) --
    Namespace: *
    Name: group1-1
    ID: e43ba527-6256-4c29-bd7a-0fb08b990b72
    Display Name:
    Description:
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
-
-
- Listing Filtered Account Details
-
To apply filters when listing account information:
-
Log in to the host that is running the Manager.
-
Filter account details using the --pattern keyword.
-
List user account based on a pattern.
ovirt-aaa-jdbc-tool query --what=user --pattern=attribute=value
The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only details of user accounts whose first name starts with the character J.
    # ovirt-aaa-jdbc-tool query --what=user --pattern="firstName=J*"
    -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
    Namespace: *
    Name: test1
    ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-29 18:15:20Z
    Account Valid To: 2219-08-29 18:15:20Z
    Account Without Password: false
    Last successful Login At: 1970-01-01 00:00:00Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
    Namespace: *
    Name: test2
    ID: 35e8b35e-2320-45da-b59e-1076b521d13f
    Display Name:
    Email:
    First Name: Jane
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-09-06 16:51:32Z
    Account Valid To: 2219-09-06 16:51:32Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 17:12:08Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
-
List groups based on a pattern.
ovirt-aaa-jdbc-tool query --what=group --pattern=attribute=value
The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only group account details that match the description documentation-group.
    # ovirt-aaa-jdbc-tool query --what=group --pattern="description=documentation-group"
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description: documentation-group
-
-
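The record format printed by ovirt-aaa-jdbc-tool query --what=user lends itself to a periodic account review. The following script is an added example, not part of the Oracle documentation: it parses that format and reports locked, disabled, expired, passwordless, and never-used accounts. The function names and the sample records are constructed for illustration, and treating a Last successful Login At value of 1970-01-01 00:00:00Z as "never logged in" is an assumption based on the sample output above.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audit the records printed
# by `ovirt-aaa-jdbc-tool query --what=user` on the Manager host.

# audit_users NOW: read query output on stdin and print "<user>: <finding>".
# NOW is a UTC timestamp in the tool's own format, e.g. "2025-09-01 00:00:00Z";
# timestamps in that fixed format sort correctly as plain strings.
audit_users() {
    awk -v now="$1" '
    {
        sub(/^[ \t]+/, "")                 # tolerate indented output
        i = index($0, ":")                 # split on the FIRST colon only,
        if (i == 0) next                   # because timestamps contain more
        key = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Name") user = val      # exact key, not "First Name" etc.
        else if (key == "Account Disabled" && val == "true") print user ": disabled"
        else if (key == "Account Locked" && val == "true") print user ": locked"
        else if (key == "Account Without Password" && val == "true") print user ": no password set"
        else if (key == "Account Valid To" && (val "") < (now "")) print user ": account expired"
        else if (key == "Password Valid To" && (val "") < (now "")) print user ": password expired"
        # Assumption: the epoch value means no successful login was recorded.
        else if (key == "Last successful Login At" && val == "1970-01-01 00:00:00Z") print user ": never logged in"
    }'
}

# Constructed sample records in the query output format (fields trimmed).
sample_query_output() {
    cat <<'EOF'
-- User svc-old(00000000-0000-0000-0000-000000000001) --
Namespace: *
Name: svc-old
First Name: Old
Account Disabled: false
Account Locked: true
Account Valid To: 2219-08-29 18:15:20Z
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2024-08-01 20:00:00Z
-- User jdoe(00000000-0000-0000-0000-000000000002) --
Namespace: *
Name: jdoe
First Name: John
Account Disabled: false
Account Locked: false
Account Valid To: 2219-08-29 18:15:20Z
Account Without Password: false
Last successful Login At: 2025-08-27 15:21:20Z
Password Valid To: 2026-08-01 20:00:00Z
EOF
}

# On the Manager host, pipe the real query output in instead:
#   ovirt-aaa-jdbc-tool query --what=user | audit_users "$(date -u '+%Y-%m-%d %H:%M:%SZ')"
sample_query_output | audit_users "2025-09-01 00:00:00Z"
```

The tool reports only internal-domain account state; role assignments such as SuperUser are held by the Manager and must be reviewed in the Administration Portal.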
Managing Account Settings
The ovirt-aaa-jdbc-tool settings
command is
used to change the default account settings.
To change the default account settings:
-
Log in to the host that is running the Manager.
-
(Optional) Display all the settings that are available.
ovirt-aaa-jdbc-tool settings show
-
Change the desired settings.
ovirt-aaa-jdbc-tool settings set --name=setting-name --value=value
Creating a Scheduling Policy
If you require a scheduling policy that is not available in the default set provided by the Manager, you can create a custom scheduling policy.
Note:
To learn about the default scheduling policies and for conceptual information, see High Availability and Optimization in the Oracle Linux Virtualization Manager: Architecture and Planning Guide. For detailed information on scheduling policies and other policy types, refer to the Administration Guide in oVirt Documentation.
-
Click Administration and then select Configure.
The Configure dialog box opens.
-
Click Scheduling Policies.
-
Click New.
The New Scheduling Policy dialog box opens.
-
For the Name and Description fields, enter an appropriate name and description for the policy.
- In Filter Modules:
- Drag and drop modules from the Disabled Filters section to the Enabled Filters section.
- Optionally, set the module priority by right-clicking a filter module name, hovering over Position, and then selecting First or Last.
- In Weights Modules:
- Drag and drop modules from the Disabled Weights section to the Enabled Weights & Factors section.
- Optionally, use the plus (+) and minus (-) to increase or decrease module weight.
- In Load Balancer:
- Select the load balancing policy.
- Select a load balancing property and then enter a property value.
- Optionally, use the plus (+) and minus (-) to add or remove additional properties.
-
Click OK to create the scheduling policy.