CTX126442 - How to Modify Default Role Based Access Control Permissions for XenServer
Document ID: CTX126442 / Created On: 25/08/2010 / Updated On: 05/09/2013
Summary
This document explains how to modify and extend the pre-established RBAC (Role Based Access Control) roles in XenServer 5.6 and later editions. XenServer 5.6 introduced these pre-established roles. In certain scenarios, a Pool Administrator might wish to grant specific privileges without changing the users' role level.
Requirements
Pool Administrator or root access to XenServer host using the Command Line Interface (CLI)
Pool Administrator or root access to XenServer host using XenCenter
Pool Administrator or root access to XenCenter
Considerations
Before extending RBAC permissions, it is important to understand the roles available, the permissions each role has and what operations these permissions allow.
Procedure
Roles
XenServer is shipped with the following pre-established roles:
Pool Admin – the same as being the local root. Can perform all operations. Note: The local super user (root) always has the "Pool Admin" role. The Pool Admin role has the same permissions as the local root.
Pool Operator – can do everything apart from adding/removing users and modifying their roles. This role is focused mainly on host and pool management (creating storage, making pools, managing the hosts, and so on).
VM Power Admin – creates and manages virtual machines. This role is focused on provisioning virtual machines for use by a virtual machine operator.
VM Admin – similar to a VM Power Admin, but cannot migrate virtual machines or perform snapshots.
VM Operator – similar to VM Admin, but cannot create or destroy virtual machines; it can perform start and stop lifecycle operations.
Read Only – can view resource pool and performance data.
Permissions
Listed below are the permissions for each role:
Columns: PA = Pool Admin, PO = Pool Operator, VPA = VM Power Admin, VA = VM Admin, VO = VM Operator, RO = Read Only. Roles are cumulative: each role holds every permission of the roles to its right.

Role permission                                                   PA  PO  VPA  VA  VO  RO
Assign/modify roles                                               X
Log in to (physical) server consoles (through SSH and XenCenter)  X
Server backup/restore                                             X
Log out active user connections                                   X   X
Create and dismiss alerts                                         X   X
Cancel task of any user                                           X   X
Pool management                                                   X   X
VM advanced operations                                            X   X   X
VM create/destroy operations                                      X   X   X    X
VM change CD media                                                X   X   X    X   X
View VM consoles                                                  X   X   X    X   X
XenCenter view mgmt ops                                           X   X   X    X   X
Cancel own tasks                                                  X   X   X    X   X   X
Read audit logs                                                   X   X   X    X   X   X
Configure, Initialize, Enable, Disable WLB                        X   X
Apply WLB Optimization Recommendations                            X   X
Modify WLB Report Subscriptions                                   X   X
Accept WLB Placement Recommendations                              X   X   X
Display WLB Configuration                                         X   X   X    X   X   X
Generate WLB Reports                                              X   X   X    X   X   X
Display WLB Reports                                               X   X   X    X   X   X
Connect to pool and read all pool metadata                        X   X   X    X   X   X
Operations Allowed
The following set of permissions allows the corresponding operations:

Assign/modify roles
  • Add/remove subjects
  • Add/remove roles from subjects
  • Enable/disable Active Directory
Login to host consoles
  • Host console access using ssh
  • Host console access using XenCenter
Host backup/restore
  • Host backup/restore
  • Pool metadata backup/restore
Logout active user connections
  • Ability to kick out logged in users
Create/dismiss alerts
Cancel task of any user
  • Request cancellation of any running task
Pool management
  • Pool set properties (name-label, default SRs)
  • Enable/disable/configure HA
  • Set per-VM HA restart priorities
  • Enable/disable/configure WLB
  • Add/remove host from pool
  • Emergency transition to master
  • Emergency master address
  • Emergency recover slaves
  • Designate new master
  • Certificate management (host and pool)
  • Patching
  • Host set properties
  • Host configure logging
  • Host enable/disable
  • Host shutdown/reboot/power-on
  • Host create bugtool/get_system_status
  • Apply license
  • Host evacuate
  • Host configure management interface
  • Host management disable
  • Crashdump delete
  • Network add/remove/edit properties
  • PIF/VLAN/Bond add/remove/edit
  • SR/PBD add/remove/edit
  • Secret add/remove/retrieve
VM advanced operations
  • VM memory adjust (ballooning)
  • VM checkpoint/snapshot/rollback
  • VM migrate
  • VM.start_on
  • VM.resume_on
VM create/destroy operations
  • VM install/uninstall
  • VM clone
  • VM add/remove/configure virtual disk/CD devices
  • VM add/remove/configure virtual network devices
  • VM import/export
  • VM configuration change
VM change CD media
  • Eject current CD
  • Insert new CD
VM change power state
  • VM start
  • Clean_shutdown
  • Hard_shutdown
  • Clean_reboot
  • Hard_reboot
  • Suspend
  • Resume
View VM consoles
  • See and interact with VM consoles
XenCenter view mgmt operations
  • Create/modify global XenCenter folders
  • Create/modify global XenCenter custom fields
  • Create/modify global XenCenter searches
Cancel own tasks
  • Request the cancellation of a user's own tasks
Read audit log
  • Download the XenServer audit log
Connect to pool and read all pool metadata
  • Login to pool
  • View pool metadata
  • View historical performance data
  • View logged in users
  • View subjects and roles
  • View tasks
  • View messages
  • Register for and receive events
  • Read WLB reports
Preparing to Extend Permissions
1. Go to XenCenter and select the Users tab.
2. Verify that the XenServer host or pool has been successfully added to the domain.
3. On the workstation on which the XenCenter console is installed, create the following registry entry:
   Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XenCenter
   String Value: DontSudo
   Value: True
4. If you decide to create a registry script instead, the contents of the script need to be exactly as listed below:
   Windows Registry Editor Version 5.00
   [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XenCenter]
   "InstallDir"="C:\\Program Files\\Citrix\\XenCenter\\"
   "DontSudo"="True"
5. A registry script created for your convenience is available for download with the original article.
   Caution! This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Back up the registry before you edit it.
6. If the registry key is not applied and a user attempts to complete an action for an assigned permission, they receive an error screen.
7. After applying the registry changes, go to XenCenter and select the Users tab. Note the Subject and Role that you want to modify (see the example in step 8).
8. Go to the Command Line Interface (CLI) or open an ssh session to the XenServer host. Use the following command to list subjects filtered by role:
   xe subject-list roles=<Subject Role>
   Roles available to modify are:
   • pool-admin
   • pool-operator
   • vm-power-admin
   • vm-admin
   • vm-operator
   • read-only
   Example:
   # xe subject-list roles=vm-operator
   uuid ( RO) : 3f230ef4-df11-3476-585a-31578dd599ce
   subject-identifier ( RO): S-1-5-21-3218303669-2594918284-589783900-1110
   other-config (MRO): subject-name: DOMAIN\user5; subject-upn: [email protected]; subject-uid: 8389718; subject-gid: 8389121; subject-sid: S-1-5-21-3218303669-2594918284-589783900-1110; subject-gecos: User5; subject-displayname: User5; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
   roles (SRO): vm-operator
9. Find and make a note of the UUID of the subject whose role permissions will be modified. Use the following command to add the specific permissions:
   xe subject-role-add uuid=<Subject UUID> role-name=<Role Permission>
Adding Permissions
Note: For a complete list of permissions, the operations they allow, and the roles they can be applied to, see CTX126441 - Available Role Based Access Control Permissions for XenServer. An "X" in the table below indicates that the permission has already been assigned to that role.
Below is a short list of the most commonly used permissions:
Columns: PA = pool-admin, PO = pool-operator, VPA = vm-power-admin, VA = vm-admin, VO = vm-operator, RO = read-only.

PERMISSION                        PA  PO  VPA  VA  VO  RO
vm.pool_migrate                   X   X   X
vm.hard_reboot                    X   X   X    X   X
vm.power_state_reset              X   X
vm.hard_shutdown                  X   X   X    X   X
vm.clean_reboot                   X   X   X    X   X
vm.clean_shutdown                 X   X   X    X   X
vm.unpause                        X   X   X    X   X
vm.pause                          X   X   X    X   X
vm.start_on                       X   X   X
host.reboot                       X   X
host.shutdown                     X   X
host.enable                       X   X
host.disable                      X   X
host.remove_from_license_server   X   X
host.add_to_license_server        X   X
host.set_license_server           X   X
For example, to add XenMotion rights to a VM Operator, use the following syntax:
xe subject-role-add uuid=<subject UUID> role-name=vm.pool_migrate
Verifying Permissions
To verify the permissions assigned to a subject, run the following command:
xe subject-list uuid=<subject UUID>
Example:
[root@ftlchristophxs56a ~]# xe subject-list uuid=3f230ef4-df11-3476-585a-31578dd599ce
uuid ( RO) : 3f230ef4-df11-3476-585a-31578dd599ce
subject-identifier ( RO): S-1-5-21-3218303669-2594918284-589783900-1110
other-config (MRO): subject-name: DOMAIN\user5; subject-upn: [email protected]; subject-uid: 8389718; subject-gid: 8389121; subject-sid: S-1-5-21-3218303669-2594918284-589783900-1110; subject-gecos: User5; subject-displayname: User5; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): http/post_root; vm.pool_migrate; vm-operator
The roles field now lists the added permission (vm.pool_migrate) alongside the subject's built-in role (vm-operator).
Removing Permissions
To remove the permissions added, use the following command:
xe subject-role-remove uuid=<subject UUID> role-name=vm.pool_migrate
Note: If the permissions were not properly applied, you receive an error when you try to complete the requested operation.
Changing Role for Subjects with Extended Permissions
After extending the permissions for a role using the CLI, you can no longer modify it using XenCenter. Trying to change the role using XenCenter results in the following error:
Remove all permissions added to a Subject before changing the role.
Tip: To change a role without going to the CLI, remove and add the User and then apply the new role.
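The following Python script is an added audit helper, not part of the Citrix article or of the xe CLI. It parses "xe subject-list" output of the shape shown in the verification step above, splits each subject's roles into its built-in role and the permissions added with "xe subject-role-add", reports which extras the built-in role already grants (so the grant is redundant) and which ones genuinely extend it, and flags the subjects that XenCenter will refuse to re-role until their extras are removed, printing the matching "xe subject-role-remove" commands. The sample output is constructed: the first record mirrors the article's example (other-config trimmed), the other two subjects and their UUIDs are made up, and the role-floor table covers only the permissions in the "most commonly used" table above; anything else is reported as unlisted rather than guessed.

```python
"""Audit helper for "xe subject-list" output. Added example, not part of
CTX126442 or of the xe CLI. Splits each subject's roles into its built-in
base role and CLI-added extras, then classifies the extras."""
import re

# Built-in roles, most privileged first; each includes the roles after it.
BUILTIN_ROLES = ["pool-admin", "pool-operator", "vm-power-admin",
                 "vm-admin", "vm-operator", "read-only"]

# From the article's "most commonly used permissions" table: the least
# privileged built-in role that already holds the permission. Anything not
# listed here is reported as "unlisted" rather than guessed.
LEAST_ROLE_WITH = {
    "vm.pool_migrate": "vm-power-admin", "vm.start_on": "vm-power-admin",
    "vm.power_state_reset": "pool-operator", "host.reboot": "pool-operator",
    "host.shutdown": "pool-operator", "host.enable": "pool-operator",
    "host.disable": "pool-operator", "vm.hard_reboot": "vm-operator",
    "vm.hard_shutdown": "vm-operator", "vm.clean_reboot": "vm-operator",
    "vm.clean_shutdown": "vm-operator", "vm.pause": "vm-operator",
    "vm.unpause": "vm-operator",
}

# Constructed sample. The first record mirrors the article's verification
# output (other-config trimmed); the other subjects and UUIDs are made up.
SAMPLE_OUTPUT = """\
uuid ( RO) : 3f230ef4-df11-3476-585a-31578dd599ce
subject-identifier ( RO): S-1-5-21-3218303669-2594918284-589783900-1110
other-config (MRO): subject-name: DOMAIN\\user5; subject-is-group: false
roles (SRO): http/post_root; vm.pool_migrate; vm-operator

uuid ( RO) : 11111111-2222-3333-4444-555555555555
other-config (MRO): subject-name: DOMAIN\\user6; subject-is-group: false
roles (SRO): vm.hard_reboot; vm-operator

uuid ( RO) : 22222222-3333-4444-5555-666666666666
other-config (MRO): subject-name: DOMAIN\\ops-team; subject-is-group: true
roles (SRO): pool-operator
"""

# One "key ( RO) : value" or "key (MRO): value" line of an xe record.
RECORD_LINE = re.compile(r"^(?P<key>[\w-]+)\s*\(\s*[A-Z]+\)\s*:\s*(?P<value>.*)$")


def parse_subject_list(text):
    """Return one dict per subject with uuid, name and the roles list."""
    subjects, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:                          # a blank line ends a record
            if current:
                subjects.append(current)
                current = {}
            continue
        match = RECORD_LINE.match(line)
        if not match:
            continue                          # tolerate unexpected lines
        key, value = match.group("key"), match.group("value")
        if key == "roles":
            current["roles"] = [r.strip() for r in value.split(";") if r.strip()]
        elif key == "other-config":
            cfg = {k.strip(): v.strip() for k, v in
                   (item.split(":", 1) for item in value.split(";") if ":" in item)}
            current["name"] = cfg.get("subject-name", "")
        else:
            current[key] = value
    if current:
        subjects.append(current)
    return subjects


def audit_subject(subject):
    """Classify a subject's CLI-added permissions against its base role."""
    roles = subject.get("roles", [])
    base = next((r for r in roles if r in BUILTIN_ROLES), None)
    extras = [r for r in roles if r not in BUILTIN_ROLES]
    report = {"uuid": subject.get("uuid", ""), "name": subject.get("name", ""),
              "base_role": base, "extras": extras, "redundant": [],
              "escalating": [], "unlisted": [],
              # Per the article, XenCenter refuses to change the role while
              # CLI-added permissions remain on the subject.
              "xencenter_can_change_role": not extras}
    for perm in extras:
        floor = LEAST_ROLE_WITH.get(perm)
        if floor is None:
            report["unlisted"].append(perm)
        elif base and BUILTIN_ROLES.index(base) <= BUILTIN_ROLES.index(floor):
            report["redundant"].append(perm)   # base role already grants it
        else:
            report["escalating"].append(perm)  # genuinely extends the base role
    return report


def audit_subject_list(text):
    return [audit_subject(s) for s in parse_subject_list(text)]


def removal_commands(report):
    """The xe commands that would strip every extra from this subject."""
    return ["xe subject-role-remove uuid=%s role-name=%s" % (report["uuid"], p)
            for p in report["extras"]]


if __name__ == "__main__":
    for rep in audit_subject_list(SAMPLE_OUTPUT):
        print(rep["name"], rep["base_role"], "extends:", rep["escalating"],
              "redundant:", rep["redundant"], "unlisted:", rep["unlisted"],
              "xencenter_can_change_role:", rep["xencenter_can_change_role"])
        for cmd in removal_commands(rep):
            print("   ", cmd)
```

On a real pool, feed the script the saved output of "xe subject-list" rather than the constructed sample; subjects with a non-empty "escalating" list are the ones whose effective rights exceed their XenCenter-visible role and deserve a periodic review.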
More Information
XenServer 5.6 Role Based Access Control
©1999-2013 Citrix Systems, Inc. All rights reserved.
CTX126441 - Available Role Based Access Control Permissions for XenServer
This document applies to:
XenServer 5.6
XenServer 5.6 Common Criteria
XenServer 5.6 FP 1
XenServer 5.6 SP 2
XenServer 6.0
XenServer 6.1.0
XenServer 6.2.0