
Controlling User Access with Roles

Objectives

After completing this section, you should be able to use roles to control resource access and management in Red Hat Virtualization.

Managing User Access

New users are typically created in a directory service that is configured in Red Hat Virtualization as an external domain, using native administration mechanisms for that directory service. This configuration was discussed in the preceding section of this chapter.

New users created in a directory service are not initially authorized to access the Red Hat Virtualization environment. User accounts must be granted permission to perform actions in the Red Hat Virtualization environment before they can be used. In this section, you learn how to manage user access using preconfigured settings called roles.

The Red Hat Virtualization authorization model is based around users, actions, and objects. Actions are tasks that can be performed, such as starting or stopping a virtual machine, creating a new template, or migrating a virtual machine to a different host.

Each type of action corresponds to a permission. Users have permissions that allow them to perform actions on objects. Objects are things like data centers, clusters, hosts, networks, or virtual machines.

To simplify maintenance, multiple permissions can be combined into a role. A role, in the Red Hat Virtualization environment, is a set of privileges permitting access to physical and virtual resources at various levels. The system comes with multiple predefined roles, such as SuperUser and PowerUserRole. These roles make it easier to provide a specific level of access to a user.

Figure 4.2: Roles and permissions

Users can be assigned roles that apply to the entire Red Hat Virtualization environment, or only to a specific object (such as a virtual machine or a data center). If a user is assigned a role on an object that contains other objects, then the user gets the same role on all objects in the container. For example, if a user is assigned the HostAdmin role on a cluster, then the user gets the HostAdmin role on all hosts in that cluster.

When a user performs an action on an object, the user is identified as an entity. This entity is a combination of the user account, and its permissions on the target object. If both the user account information and permissions are correct, the user is allowed to perform the requested action on the target object; otherwise, the request is denied.

Important

To perform certain actions, a user may need to have permissions (or roles) on multiple objects. For example, copying a template between storage domains requires the user to have relevant permissions on both storage domains.

The following graphic shows how permissions are inherited between objects.

Figure 4.3: The hierarchical layout of objects in Red Hat Virtualization

Role Types

Red Hat Virtualization comes with a variety of preconfigured roles. Two types of roles that exist in the Red Hat Virtualization environment are:

Administrator role

Users assigned an administrator role can access the Administration Portal. Using these roles, users can manage physical and virtual resources.

User role

Users assigned a user role can access the VM Portal. The assigned role determines what a user can view and is allowed to do in the VM Portal.

The following roles come predefined in a standard Red Hat Virtualization environment. Users can be assigned multiple roles at multiple levels in the RHV hierarchy. The complete set of actions a user can accomplish is defined by the union of all roles assigned at a particular level.

Administrator Roles (Basic)

SuperUser

This role gives the user full permissions across all objects and levels in your Red Hat Virtualization environment. The admin@internal user has this role. This role is for architects and engineers that create and manage the RHV environment, and for external resources that support it. For security, this role should be used sparingly after the data centers and clusters have been initially created.

ClusterAdmin

This role gives the user administrative permissions for all resources in a specific cluster. This role is for cluster administrators for specific clusters. Users with this role assigned to one or more clusters can administer those clusters and their resources, but cannot create new clusters.

DataCenterAdmin

This role gives the user administrative permissions across all objects in a specific data center, except for storage. This role is for data center administrators for specific data centers. Users with this role assigned to one or more data centers can administer all objects in those data centers and their resources except for storage, which is managed by a StorageAdmin.

Administrator Roles (Advanced)

TemplateAdmin

This role represents the permissions required by a virtual machine template administrator. Users with this role assigned can create, delete, and configure the storage domains and network details of templates.

StorageAdmin

This role represents the permissions required by a storage administrator. Users with this role assigned can create, delete, and manage assigned storage domains.

HostAdmin

This role represents the permissions required by a host administrator. Users with this role assigned can attach, remove, configure, and manage a host.

NetworkAdmin

This role represents the permissions required by a network administrator. Users with this role assigned can create, remove, and edit the networks of an assigned data center or cluster.

GlusterAdmin

This role represents the permissions required for a Red Hat Gluster Storage administrator. Users with this role can create, remove, and manage Gluster storage volumes.

VmImporterExporter

This role represents the permissions of an import and export administrator. Users with this role can import and export virtual machines.

User Roles (Basic)

UserRole

This role allows users to log in to the VM Portal. This role allows the user to access and use assigned virtual machines, including checking their state, and viewing virtual machine details. This role does not allow the user to administer their assigned virtual machines.

PowerUserRole

This role gives the user permission to manage and create virtual machines and templates at their assigned level. Users with this role assigned at a data center level can create virtual machines and templates in the data center. This role allows users to self-service their own virtual machines.

UserVmManager

This role allows users to manage virtual machines, and to create and use snapshots for the VMs they are assigned. If a user creates a virtual machine using the VM Portal, that user is automatically assigned this role on the new virtual machine.

User Roles (Advanced)

UserTemplateBasedVm

This role gives the user limited privileges to use only the virtual machine templates. Users with this role assigned can create virtual machines based on templates.

DiskOperator

This role gives the user privileges to manage virtual disks. Users with this role assigned can use, view, and edit virtual disks.

VmCreator

This role gives the user permission to create virtual machines using the User Portal. Users with this role assigned can create virtual machines using VM Portal.

TemplateCreator

This role gives the user privileges to create, edit, manage, and remove templates. Users with this role assigned can create, remove, and edit templates.

DiskCreator

This role gives the user permission to create, edit, manage, and remove virtual disks. Users with this role can create, remove, manage, and edit virtual disks within the assigned part of the environment.

TemplateOwner

This role gives the user privileges to edit and remove templates, as well as assign user permissions for templates. It is automatically assigned to the user who creates a template.

VnicProfileUser

This role gives the user permission to attach or detach network interfaces. Users with this role can attach or detach network interfaces from logical networks.

Use these roles to better manage user access and to delegate administrative authority. For example, assign SystemAdmin to specific users without giving them access to the admin@internal account. Users with roles can be properly tracked and managed for compliance.

Assign less comprehensive roles to appropriate users in order to offload administrative tasks. The DataCenterAdmin, ClusterAdmin, and PowerUserRole roles are useful for this purpose.

Important

If you have UserRole on a virtual machine, then you can see the virtual machine in VM Portal and can start or stop that machine. You cannot create new virtual machines, or edit or delete existing ones. Also, if you only have UserRole, then you can only see the basic mode of the VM Portal.

If you have UserVmManager on a virtual machine, then you have full control of the virtual machine in VM Portal, and you can edit its configuration or even delete it.

If you have only PowerUserRole, you can create virtual machines in the VM Portal, and you can see your own virtual machines because you automatically get UserVmManager on the virtual machines you create. You are not able to see the virtual machines that other users created unless you also have at least UserRole on those machines. If an administrator removes your UserVmManager role on the virtual machines you created, and you only have PowerUserRole but not UserRole on those virtual machines, then you are no longer able to see your machines in the VM Portal.
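The two behaviours described in this section, role inheritance down the object hierarchy (a role on a cluster applies to every host in it, and the union of all roles at a level defines what a user may do) and the VM Portal visibility rules in the Important note above, can be checked against a small model. The following is an added example written for this page, not code from ovirt-engine: the object tree, the per-role action sets, and the user names are all constructed, and the action sets are deliberately much smaller than the real RHV roles.

```python
# Added illustration of the RHV authorization model: a tiny in-memory engine
# (not ovirt-engine code) that resolves a user's effective roles on an object
# by walking its container hierarchy and taking the union of what it finds.
from dataclasses import dataclass, field
from typing import Optional

# Assumed, deliberately small action sets. The real RHV roles carry far more
# permissions; only the behaviour discussed in the text is modelled here.
ROLE_ACTIONS = {
    "SuperUser":     {"view", "start", "stop", "edit", "delete", "create_vm", "manage_host"},
    "HostAdmin":     {"view", "manage_host"},
    "PowerUserRole": {"create_vm"},
    "UserRole":      {"view", "start", "stop"},
    "UserVmManager": {"view", "start", "stop", "edit", "delete"},
}


@dataclass
class Obj:
    """A node in the object hierarchy (System > DataCenter > Cluster > Host/VM)."""
    name: str
    kind: str
    parent: Optional["Obj"] = None
    children: list = field(default_factory=list)

    def lineage(self):
        """Yield this object, then each container above it up to the system root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class Engine:
    def __init__(self):
        self.system = Obj("system", "System")
        self.assignments = {}   # (user, object name) -> roles assigned directly there

    def add(self, name, kind, parent):
        obj = Obj(name, kind, parent)
        parent.children.append(obj)
        return obj

    def assign(self, user, role, obj):
        self.assignments.setdefault((user, obj.name), set()).add(role)

    def revoke(self, user, role, obj):
        self.assignments.get((user, obj.name), set()).discard(role)

    def effective_roles(self, user, obj):
        """Union of roles assigned on the object and on every container above it."""
        roles = set()
        for node in obj.lineage():
            roles |= self.assignments.get((user, node.name), set())
        return roles

    def allowed(self, user, action, obj):
        return any(action in ROLE_ACTIONS[r] for r in self.effective_roles(user, obj))

    def _walk(self, node):
        yield node
        for child in node.children:
            yield from self._walk(child)

    def visible_vms(self, user):
        """What the VM Portal would list: VMs the user can at least view."""
        return sorted(o.name for o in self._walk(self.system)
                      if o.kind == "VM" and self.allowed(user, "view", o))

    def create_vm(self, user, name, cluster):
        """PowerUserRole inherited from the data center permits creation; the
        creator automatically receives UserVmManager on the new VM."""
        if not self.allowed(user, "create_vm", cluster):
            raise PermissionError(f"{user} may not create VMs in {cluster.name}")
        vm = self.add(name, "VM", cluster)
        self.assign(user, "UserVmManager", vm)
        return vm


def scenario():
    """Walk through the inheritance and VM Portal visibility rules from the text."""
    e = Engine()
    dc = e.add("dc1", "DataCenter", e.system)
    cl = e.add("cluster1", "Cluster", dc)
    host = e.add("host1", "Host", cl)
    out = {}

    # HostAdmin on the cluster is inherited by every host in it.
    e.assign("ops", "HostAdmin", cl)
    out["ops_manages_host"] = e.allowed("ops", "manage_host", host)
    out["ops_roles_on_host"] = e.effective_roles("ops", host)

    # Two power users at data-center level each create a VM in the cluster.
    e.assign("alice", "PowerUserRole", dc)
    e.assign("bob", "PowerUserRole", dc)
    web = e.create_vm("alice", "web1", cl)
    db = e.create_vm("bob", "db1", cl)
    out["alice_sees_initially"] = e.visible_vms("alice")      # only her own VM

    # An admin removes alice's UserVmManager on web1: PowerUserRole alone
    # no longer lets her see it.
    e.revoke("alice", "UserVmManager", web)
    out["alice_sees_after_revoke"] = e.visible_vms("alice")

    # UserRole on bob's VM makes it visible and startable, but not deletable.
    e.assign("alice", "UserRole", db)
    out["alice_sees_with_userrole"] = e.visible_vms("alice")
    out["alice_can_start_db1"] = e.allowed("alice", "start", db)
    out["alice_can_delete_db1"] = e.allowed("alice", "delete", db)

    # A user with no roles anywhere in the hierarchy cannot create anything.
    try:
        e.create_vm("guest", "unauthorized", cl)
        out["unprivileged_create_blocked"] = False
    except PermissionError:
        out["unprivileged_create_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the script prints each check from `scenario()`. The point the model makes visible is that a permission check is always a walk up the container chain: removing a role on a child does nothing if the same role is still held on an ancestor, which is why auditing effective permissions at the resource level (the Permissions tab described later in this section) matters more than auditing direct assignments alone.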

Note

The default roles cannot be changed or removed.

It is possible to clone the default roles for customization, or to create entirely new roles. How to do so is beyond the scope of this course, but more information is available in the Red Hat Virtualization Administration Guide at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/administration_guide/chap-global_configuration#sect-Roles.

Assigning Roles to Users

Confirm that the user exists using the administrative tools supported by your directory service domain. After confirming the user, grant any desired permissions or roles using the Administration Portal.

Assigning System-wide Roles to Users

To assign a role to a user applicable to all objects in the Red Hat Virtualization environment, log in to the Administration Portal as a user that has the SuperUser role, for example as admin@internal user.

In the web interface, assign the system-wide roles to the users using the Configure dialog box. To access this dialog box, navigate to Administration → Configure. You can find the Administration menu on the navigation pane displayed on the left.

Figure 4.4: Accessing configure dialog box

In the Configure dialog box, under System Permissions, the Add button is used to assign roles to the users.

Figure 4.5: Adding users

The Add button in the Configure dialog box opens the Add System Permission to User dialog box. The Add System Permission to User dialog box allows you to select the appropriate profile to use, under the Search field. In the Add System Permission to User dialog box the GO button retrieves the list of users and groups from the appropriate source, based on the selected profile.

From the returned list of users, enable the check box for the specific user and select the appropriate role from the drop-down menu under Role to Assign. Confirm the role assigned to the selected user and then click the OK button.

Figure 4.6: Adding permissions

To verify that the user has been granted the correct permissions, log in to the appropriate portal using the user's credentials.

Assigning Resource-specific Roles to Users

Sometimes users should be assigned a role that only applies to a subset of resources in the Red Hat Virtualization environment. Depending on the role assigned, users are able to access and use resources as described earlier in this chapter.

To assign roles to users at the resource level, determine the resource and then add permissions specific to that particular resource. The following screenshot considers Data Centers as the determined resource.

Figure 4.7: Accessing Resources

Each type of resource has its own page. This page lists the available resources of the specific type. For example, all the available data centers are listed on a page that is different from the page that lists all the networks.

Click on the name of the resource to access the objects associated with the resource. Among the associated objects are Permissions, which enables adding users with specific roles at the resource level. These permissions define the rights of a user with a specific role on the resource and its child resources, if any. The user does not inherit the same permissions on other resources at the same level as the resource to which the permissions were applied.

Figure 4.8: Accessing the resource objects

For the selected resource, the Permissions tab returns a list of assigned users, user roles, and inherited permissions. The Add button on the Permissions tab leads you to the Add Permission to User dialog box where you can assign roles to the users for the resource.

Figure 4.9: Adding Permissions

The Add Permission to User dialog box allows you to select the appropriate profile to use from the Search field. In the Add Permission to User dialog box, the GO button retrieves the list of users and groups from the appropriate source, based on the selected profile.

From the list of returned users, enable the check box for the specific user and select an appropriate role from the drop-down menu under Role to Assign. The OK button in this dialog box is used to confirm the role assignment to the selected user for the resource.

Figure 4.10: Assigning Role to users at resource level

To verify that the user has been added with the correct permissions, log in to the appropriate portal with the user's credentials and access the resource for which you added the permissions.

Removing Roles from Users

To remove a role from a user in the Red Hat Virtualization environment, clear the box for the user in the Add System Permission to User or Add Permission to User dialog box, and then click OK to confirm. The SuperUser role is required to perform this action.

Resetting the Internal Administration User's Password

The admin@internal account is created at installation time as a default user that has the system-wide SuperUser role. Like root on a Red Hat Enterprise Linux system, this can be useful as an emergency administration account if your external directory service is down.

From time to time, you may need to change or reset the password for this account. Use the ovirt-aaa-jdbc-tool command to perform the reset. There is no need to restart the ovirt-engine service in your RHV environment for this change to take effect.

The following command changes the password of the admin@internal user to redhat123, and sets the password validity to 2025-08-01 12:00:00Z.

[root@rhvm-demo ~]# ovirt-aaa-jdbc-tool user password-reset admin \
--password-valid-to="2025-08-01 12:00:00Z"
Password: redhat123
Reenter password: redhat123
updating user admin...
user updated successfully

User accounts in the internal local domain use the following complexity criteria for the password, by default.

  • Passwords must be six characters long.

  • The last three passwords cannot be used again.

You can list or change the default policy using ovirt-aaa-jdbc-tool with the settings subcommand. Detailed information on how to do so is beyond the scope of this course.

Important

If you attempt to log in to the Administration Portal of the Red Hat Virtualization Manager as admin too many times with the wrong password, then the account may be locked. The following command unlocks the account. You must execute the command as the root user on the Red Hat Virtualization Manager server.

[root@rhvm-demo ~]# ovirt-aaa-jdbc-tool user unlock admin
updating user admin...
user updated successfully
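The password rules for the internal domain (six characters, no reuse of the last three passwords) and the lockout after repeated wrong passwords can be modelled together. The following is an added example written for this page, not the implementation inside ovirt-aaa-jdbc-tool or the engine: the password history is kept as salted PBKDF2 digests rather than plaintext, the lockout threshold of five failures is an assumption (the text only says the account "may be locked"), and the model treats the current password as one of the "last three". The sample passwords are constructed, with `redhat123` taken from the page's own transcript.

```python
# Added illustration of the internal-domain password rules and lockout
# described above; a simplified model, not ovirt-aaa-jdbc-tool's implementation.
import hashlib
import hmac
import os

MIN_LENGTH = 6       # default from the text: six characters
HISTORY_SIZE = 3     # default from the text: the last three passwords cannot be reused
MAX_FAILURES = 5     # assumed threshold; the text says only that the account "may be locked"
PBKDF2_ROUNDS = 50_000


def _digest(password, salt):
    """Salted PBKDF2 so that the password history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class InternalUser:
    def __init__(self, name, password):
        self.name = name
        self.history = []     # (salt, digest) pairs, oldest first; current password is last
        self.failures = 0
        self.locked = False
        self.set_password(password)

    def _in_history(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, new_password):
        """Apply the length and reuse rules, then rotate the history window."""
        if len(new_password) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        if self._in_history(new_password):
            raise ValueError(f"password matches one of the last {HISTORY_SIZE} passwords")
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        # This model counts the current password as one of the "last three".
        self.history = self.history[-HISTORY_SIZE:]

    def login(self, password):
        """Verify against the current digest; lock after repeated failures."""
        if self.locked:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def unlock(self):
        """The effect of 'ovirt-aaa-jdbc-tool user unlock admin' in the text."""
        self.locked = False
        self.failures = 0


def scenario():
    out = {}
    admin = InternalUser("admin", "redhat123")    # value from the page's transcript

    for label, candidate in (("too_short", "abc"), ("reuse_current", "redhat123")):
        try:
            admin.set_password(candidate)
            out[label + "_rejected"] = False
        except ValueError:
            out[label + "_rejected"] = True

    # Two more rotations: "redhat123" is still among the last three.
    admin.set_password("secondpw")
    admin.set_password("thirdpw!")
    try:
        admin.set_password("redhat123")
        out["reuse_third_back_rejected"] = False
    except ValueError:
        out["reuse_third_back_rejected"] = True

    # One more rotation pushes "redhat123" out of the history window.
    admin.set_password("fourthpw")
    admin.set_password("redhat123")
    out["reuse_after_window_ok"] = admin.login("redhat123")

    # Repeated wrong passwords lock the account; the right one then fails too.
    for _ in range(MAX_FAILURES):
        admin.login("wrong-guess")
    out["locked_after_failures"] = admin.locked
    out["login_while_locked"] = admin.login("redhat123")
    admin.unlock()
    out["login_after_unlock"] = admin.login("redhat123")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The history is stored as digests with a fresh salt per entry, so a reuse check costs one PBKDF2 evaluation per remembered password and a leaked history file reveals nothing directly. Note that the unlock call clears the failure counter as well as the flag; an unlock that left the counter at the threshold would lock the account again on the very next wrong attempt.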

References

Further information is available in the Global Configuration chapter of the Administration Guide for Red Hat Virtualization at https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html-single/administration_guide/chap-global_configuration

Revision: rh318-4.3-c05018e