2 Global Configuration

For Oracle Linux Virtualization Manager, global configuration options are set from the Configure dialog box. This dialog box is accessed by selecting Administration and then clicking Configure. From the Configure dialog box, you can configure a number of global resources for your virtualization environment, such as users, roles, system permissions, scheduling policies, and MAC address pools. You can also customize the way in which users interact with resources in the environment and configure options that can be applied to multiple clusters from a central location.

Administering User Accounts from the Administration Portal

The following tasks describe common user administration tasks that are performed in the Administration Portal.

Adding VM Portal Permissions to a User

Users must already exist before they can be added and assigned roles and permissions. For more information, refer to Administering User and Group Accounts from the Command Line.

In the following example procedure, a user is assigned the roles and permissions associated with the UserRole. This role gives the user the permission to log in to the VM Portal and to start creating virtual machines. The procedure also applies to group accounts.

  1. Click Administration and then select Configure.

    The Configure dialog box opens with the Roles tab selected on the sidebar menu.

  2. Click the System Permissions tab on the sidebar.

  3. Click Add.

    The Add System Permission to User dialog box opens.

  4. Select a profile from the Search drop-down list and click Go.

  5. Select the check box next to the user or group account.

  6. Under the Role to Assign drop-down list, select UserRole.

  7. Click OK.

  8. (Optional) Log in to the VM Portal to verify the permissions of the user account.

Removing Users and Groups

To use the Administration Portal to remove a user or group:
  1. Go to Administration and then click Users.

    The Users pane opens.

  2. On the Users pane, select either the User or Group tab to display the added users or groups.

  3. Select the user or group to be removed.

  4. Click Remove.

    The Remove User(s) dialog box opens.

  5. Click OK to confirm the removal of the user.

    The user or group is removed and no longer appears on the Users pane.

Assigning Permissions to Users and Groups

Users and groups must already exist before they can be assigned roles and permissions. For more information, refer to Administering User and Group Accounts from the Command Line.

  1. Go to Administration and then click Users.

    The Users pane opens.

  2. Click Add.

    The Add Users and Groups dialog box opens.

  3. Select the Users option.

  4. In the Search field, enter the name of the user or group to be added and then select Go.

    The dialog box updates to display the search results.

  5. Select the check box next to the user or group to be added.

  6. Click Add.

    The user or group is added and appears on the Users pane.

  7. On the Users pane, select either the User or Group tab to display the added users or groups.

  8. Display the detailed view for the user or group by clicking the name of the user under the User Name column or the name of the group under the Group Name column.

  9. Click the Permissions tab.

  10. Click Add System Permissions.

    The Add System Permission to User dialog box opens.

  11. From the Add System Permission to User drop-down list, select the role to assign to the user.

Creating a Custom Role

If you require a role that is not available in the default set of roles provided by the Manager, you can create a custom role.

Note:

For more information about the default set of roles provided by the Manager, see the Administration Guide in oVirt Documentation.

To create a custom role:
  1. Click Administration and then select Configure.

    The Configure dialog box opens with the Roles tab selected on the sidebar menu. The Roles tab displays a list of administrator and user roles, and any custom roles that have been created.

  2. Click New.

    The New Role dialog box opens.

  3. For the Name and Description fields, enter an appropriate name and description for the role.

  4. Under Account Type, select either Admin or User.

  5. Under Check Boxes to Allow Action, select the objects for which the role should grant permissions.

    Click Expand All to see the objects under each permission group. Click Collapse All to collapse the list of objects under each permission group.

  6. For each of the objects, select or clear the actions to be permitted or denied for the custom role that is being created.

  7. Click OK to create the custom role.

The custom role now appears on the Roles tab.

Administering User and Group Accounts from the Command Line

The following sections describe the common tasks that can be performed to administer user accounts using the ovirt-aaa-jdbc-tool command utility. This utility is used to manage user and group accounts on the internal domain. To view a list of all available options for managing user and group accounts, run the ovirt-aaa-jdbc-tool --help command.

Note:

Changes made using the ovirt-aaa-jdbc-tool command utility take effect immediately and do not require you to restart the Manager.

Creating a New User Account

The ovirt-aaa-jdbc-tool user add command is used to create user accounts.

To create a new user account:

  1. Log in to the host that is running the Manager.

  2. Create a new user account.

    ovirt-aaa-jdbc-tool user add username option

    To view a full list of options available for creating a user account, run the ovirt-aaa-jdbc-tool user add --help command.

    The following example shows how to create a new user account and add a first and last name to associate with the account.

    # ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
    adding user test1...
    user added successfully
    Note: by default created user cannot log in. see:
    /usr/bin/ovirt-aaa-jdbc-tool user password-reset --help.

    Note:

    After creating a new user account, you must set a password so that the user can log in. See Setting the Password for a User Account.

  3. Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Assigning Permissions to Users and Groups.

Setting the Password for a User Account

The ovirt-aaa-jdbc-tool user password-reset command is used to set (or reset) passwords for a user account.

To set (or reset) the password for a user account:

  1. Log in to the host that is running the Manager.

  2. Set (or reset) the password for a user account.

    ovirt-aaa-jdbc-tool user password-reset username --password-valid-to "yyyy-MM-dd HH:mm:ssZ"

    Note:

    You must set a value for the --password-valid-to option; otherwise the password expiry time defaults to the time of the last login.

    By default, the password policy for user accounts on the internal domain has the following restrictions:
    • A user password must be a minimum length of 6 characters.

    • When resetting a password, you cannot use the three previous passwords used for the user account.

    For more information on the password policy and other default settings, run the ovirt-aaa-jdbc-tool settings show command.

    The following example shows how to set a user password. In the example, -0800 stands for GMT minus 8 hours.

    # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
    Password:
    Reenter password:
    updating user test1...
    user updated successfully

Editing User Information

The ovirt-aaa-jdbc-tool user edit command is used to edit user information associated with a user account.

To edit user information:

  1. Log in to the host that is running the Manager.

  2. Edit the user account.

    ovirt-aaa-jdbc-tool user edit username option

    To view a full list of options available for editing user information, run the ovirt-aaa-jdbc-tool user edit --help command.

    The following example shows how to edit a user account by adding an email address to associate with this user.

    # ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
    updating user test1...
    user updated successfully

Viewing User Information

The ovirt-aaa-jdbc-tool user show command is used to display user information.

To view detailed user information:

  1. Log in to the host that is running the Manager.

  2. Display information about a user.

    ovirt-aaa-jdbc-tool user show username

    The following example shows how to view details about a user account.

    # ovirt-aaa-jdbc-tool user show test1
    -- User test1(e9e4b7d0-8ffd-45a3-b6ea-1f519238e766) --
    Namespace: *
    Name: test1
    ID: e9e4b7d0-8ffd-45a3-b6ea-1f519238e766
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-26 18:59:16Z
    Account Valid To: 2219-08-26 18:59:16Z
    Account Without Password: false
    Last successful Login At: 2019-08-27 15:21:20Z
    Last unsuccessful Login At: 2019-08-27 15:20:59Z
    Password Valid To: 2025-08-01 20:00:00Z

Removing a User

The ovirt-aaa-jdbc-tool user delete command is used to remove a user.

To remove a user account:
  1. Log in to the host that is running the Manager.

  2. Remove a user.

    ovirt-aaa-jdbc-tool user delete username

    The following example shows how to remove a user account.

    # ovirt-aaa-jdbc-tool user delete test1
    deleting user test1...
    user deleted successfully

Disabling User Accounts

You can disable users on the local domains, including the internal admin user that is created when you run the engine-setup command.

Important:

Make sure you have at least one user in the environment with full administrative permissions before disabling the default internal administrative user account (admin user). The SuperUser role gives a user full administrative permissions.

To disable a user:

  1. Log in to the host that is running the Manager.

  2. Disable the user.

    ovirt-aaa-jdbc-tool user edit username --flag=+disabled

    The following example shows how to disable the admin user.

    # ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
    updating user admin...
    user updated successfully

    Note:

    If for some reason you need to re-enable the internal admin user after it has been disabled, you can do so by running the ovirt-aaa-jdbc-tool user edit admin --flag=-disabled command.

Creating Group Accounts

The ovirt-aaa-jdbc-tool command is used to create and manage group accounts on the internal domain. Managing group accounts is similar to managing user accounts. To view all available options for managing group accounts, run the ovirt-aaa-jdbc-tool group --help command. Common examples are provided in this section.

Creating a Group

To create a group account:

  1. Log in to the host that is running the Manager.

  2. Create a new group account.

    ovirt-aaa-jdbc-tool group add group-name

    Note:

    Users must be created before they can be added to groups.

    The following example shows how to add a new group account.
    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
  3. Add users to the group:

    ovirt-aaa-jdbc-tool group-manage useradd group-name --user=username

    To view a full list of the options for adding or removing members to and from groups, run the ovirt-aaa-jdbc-tool group-manage --help command.

    The following example shows how to add users to a group.
    # ovirt-aaa-jdbc-tool group-manage useradd group1 --user test1
    updating user group1...
    user updated successfully
  4. Display group account details.

    ovirt-aaa-jdbc-tool group show group-name                
    The following example shows how to display details about a group account.
    # ovirt-aaa-jdbc-tool group show group1
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
  5. Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.

    The users in the group inherit the roles and permissions of the group.

Creating Nested Groups
To create nested groups:
  1. Log in to the host that is running the Manager.

  2. Create the first group account.

    ovirt-aaa-jdbc-tool group add group1
    The following example shows how to add a new group account.
    # ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
  3. Create the second group account.

    ovirt-aaa-jdbc-tool group add group2
    The following example shows how to create the second group account.
    # ovirt-aaa-jdbc-tool group add group2
    adding group group2...
    group added successfully
  4. Add the second group to the first group.

    ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
    The following example shows how to add the second group to the first group.
    # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
    updating group group1...
    group updated successfully 
  5. Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.

Removing a Group Account

To remove a group account:
  1. Log in to the host that is running the Manager.

  2. Remove a group account.

    ovirt-aaa-jdbc-tool group delete group-name
    The following example shows how to remove a group account.
    # ovirt-aaa-jdbc-tool group delete group3
    deleting group group3...
    group deleted successfully

Querying Users and Groups

The ovirt-aaa-jdbc-tool query command is used to query user and group information. To view a full list of options available for querying users and groups, run the ovirt-aaa-jdbc-tool query --help command.

Listing All User or Group Account Details

To list all account information:

  1. Log in to the host that is running the Manager.

  2. Display account details.

    • List all user account details.
      ovirt-aaa-jdbc-tool query --what=user
      The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=user command.
      # ovirt-aaa-jdbc-tool query --what=user
      -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
      Namespace: *
      Name: test2
      ID: 35e8b35e-2320-45da-b59e-1076b521d13f
      Display Name:
      Email:
      First Name: Jane
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-09-06 16:51:32Z
      Account Valid To: 2219-09-06 16:51:32Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 17:12:08Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User admin(89559d7f-3b48-420b-bd4d-2790122c199b) --
      Namespace: *
      Name: admin
      ID: 89559d7f-3b48-420b-bd4d-2790122c199b
      Display Name:
      Email:
      First Name: admin
      Last Name:
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 2019-03-07 11:09:07Z
      Account Valid From: 2019-01-24 21:18:11Z
      Account Valid To: 2219-01-24 21:18:11Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 18:10:11Z
      Last unsuccessful Login At: 2019-09-06 18:09:36Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
      Namespace: *
      Name: test1
      ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
      Display Name:
      Email: jdoe@example.com
      First Name: John
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-08-29 18:15:20Z
      Account Valid To: 2219-08-29 18:15:20Z
      Account Without Password: false
      Last successful Login At: 1970-01-01 00:00:00Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
    • List all group account details.
      ovirt-aaa-jdbc-tool query --what=group

      The following example shows sample output from the ovirt-aaa-jdbc-tool query --what=group command.
      # ovirt-aaa-jdbc-tool query --what=group
      -- Group group2(d6e0b913-d038-413a-b732-bc0c33ea1ed4) --
      Namespace: *
      Name: group2
      ID: d6e0b913-d038-413a-b732-bc0c33ea1ed4
      Display Name:
      Description:
      -- Group group1-1(e43ba527-6256-4c29-bd7a-0fb08b990b72) --
      Namespace: *
      Name: group1-1
      ID: e43ba527-6256-4c29-bd7a-0fb08b990b72
      Display Name:
      Description:
      -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
      Namespace: *
      Name: group1
      ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
      Display Name:
      Description:

Listing Filtered Account Details

To apply filters when listing account information:

  1. Log in to the host that is running the Manager.

  2. Filter account details using the --pattern keyword.

    • List user account based on a pattern.

      ovirt-aaa-jdbc-tool query --what=user --pattern=attribute=value
      The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only the details of user accounts whose first name starts with the character J.
      # ovirt-aaa-jdbc-tool query --what=user --pattern="firstName=J*"
      -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
      Namespace: *
      Name: test1
      ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
      Display Name:
      Email: jdoe@example.com
      First Name: John
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-08-29 18:15:20Z
      Account Valid To: 2219-08-29 18:15:20Z
      Account Without Password: false
      Last successful Login At: 1970-01-01 00:00:00Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
      -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
      Namespace: *
      Name: test2
      ID: 35e8b35e-2320-45da-b59e-1076b521d13f
      Display Name:
      Email:
      First Name: Jane
      Last Name: Doe
      Department:
      Title:
      Description:
      Account Disabled: false
      Account Locked: false
      Account Unlocked At: 1970-01-01 00:00:00Z
      Account Valid From: 2019-09-06 16:51:32Z
      Account Valid To: 2219-09-06 16:51:32Z
      Account Without Password: false
      Last successful Login At: 2019-09-06 17:12:08Z
      Last unsuccessful Login At: 1970-01-01 00:00:00Z
      Password Valid To: 2025-08-01 20:00:00Z
    • List groups based on a pattern.
      ovirt-aaa-jdbc-tool query --what=group --pattern=attribute=value

      The following example shows how to filter the output of the ovirt-aaa-jdbc-tool query command to display only group account details that match the description documentation-group.

      # ovirt-aaa-jdbc-tool query --what=group --pattern="description=documentation-group"
      -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
      Namespace: *
      Name: group1
      ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
      Display Name:
      Description: documentation-group
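
The user listing printed by ovirt-aaa-jdbc-tool query --what=user can be reviewed mechanically during an account audit. The following Python script is an added example, not part of the original guide or of the ovirt-aaa-jdbc-tool project; the sample records, the placeholder IDs, the function names, the 30-day warning window, and the reading of a 1970-01-01 timestamp as "never" are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the fields the audit reads; same layout as
# the `ovirt-aaa-jdbc-tool query --what=user` output. IDs are placeholders.
SAMPLE = """\
# ovirt-aaa-jdbc-tool query --what=user
-- User svc-backup(00000000-0000-0000-0000-000000000001) --
Namespace: *
Name: svc-backup
Account Disabled: false
Account Locked: true
Account Without Password: false
Last successful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2025-08-01 20:00:00Z
-- User jdoe(00000000-0000-0000-0000-000000000002) --
Namespace: *
Name: jdoe
Account Disabled: true
Account Locked: false
Account Without Password: false
Last successful Login At: 2025-06-30 09:00:00Z
Password Valid To: 2025-07-01 00:00:00Z
"""

HEADER = re.compile(r"^-- User (?P<name>.+)\((?P<id>[0-9a-f-]+)\) --$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FLAGS = ("Account Disabled", "Account Locked", "Account Without Password")

def parse_users(text):
    """Return one dict per '-- User name(id) --' record."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()               # output may be indented when pasted
        header = HEADER.match(line)
        if header:
            current = {"Name": header["name"], "ID": header["id"]}
            users.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # timestamps contain ':' too
            current[key.strip()] = value.strip()
    return users

def ts(value):
    """Parse the tool's UTC timestamps, e.g. '2025-08-01 20:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(users, now, warn_days=30):
    """Return (user, finding) pairs worth a reviewer's attention."""
    findings = []
    for user in users:
        name = user["Name"]
        findings += [(name, f.lower()) for f in FLAGS if user.get(f) == "true"]
        # Assumption: an epoch timestamp means the event never happened.
        if "Last successful Login At" in user and ts(user["Last successful Login At"]) == EPOCH:
            findings.append((name, "never logged in"))
        if "Password Valid To" in user:
            expiry = ts(user["Password Valid To"])
            if expiry <= now:
                findings.append((name, "password expired"))
            elif expiry - now <= timedelta(days=warn_days):
                findings.append((name, "password expires soon"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 7, 10, tzinfo=timezone.utc)   # fixed so the run is repeatable
    for name, finding in audit(parse_users(SAMPLE), now):
        print(f"{name}: {finding}")
```

On a Manager host, the captured output of ovirt-aaa-jdbc-tool query --what=user can be passed to parse_users in place of SAMPLE, with the current UTC time as now.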

Managing Account Settings

The ovirt-aaa-jdbc-tool settings command is used to change the default account settings.

To change the default account settings:

  1. Log in to the host that is running the Manager.

  2. (Optional) Display all the settings that are available.

    ovirt-aaa-jdbc-tool settings show
  3. Change the desired settings.

    ovirt-aaa-jdbc-tool settings set --name=setting-name --value=value

Creating a Scheduling Policy

If you require a scheduling policy that is not available in the default set provided by the Manager, you can create a custom scheduling policy.

Note:

To learn about the default scheduling policies and for conceptual information, see High Availability and Optimization in the Oracle Linux Virtualization Manager: Architecture and Planning Guide. For detailed information on scheduling policies and other policy types, refer to the Administration Guide in oVirt Documentation.
To create a scheduling policy:
  1. Click Administration and then select Configure.

    The Configure dialog box opens.

  2. Click Scheduling Policies.

  3. Click New.

    The New Scheduling Policy dialog box opens.

  4. For the Name and Description fields, enter an appropriate name and description for the policy.

  5. In Filter Modules:
    • Drag and drop modules from the Disabled Filters section to the Enabled Filters section.
    • Optionally, set the module priority by right-clicking a filter module name, hovering over Position, and then selecting First or Last.
  6. In Weights Modules:
    • Drag and drop modules from the Disabled Weights section to the Enabled Weights & Factors section.
    • Optionally, use the plus (+) and minus (-) to increase or decrease module weight.
  7. In Load Balancer:
    • Select the load balancing policy.
    • Select a load balancing property and then enter a property value.
    • Optionally, use the plus (+) and minus (-) to add or remove additional properties.
  8. Click OK to create the scheduling policy.