Discussion:
[ovirt-users] How to create new users other than admin
g***@gmail.com
2021-05-19 09:55:06 UTC
Hello everyone, I am new to ovirt and would like to apologise if this has been asked before.
When I created a cluster of ovirt 4.3, I was presented with the option of creating an admin user.
However, we would like to assign different login credentials for our employees with different set of rules.

I was able to view the users menu under the Administration > Users.
Currently we only have an admin user with internal-authz. When clicking on the add button, I only see "internal-authz" and "*" under namespace.
Clicking on Go button simply shows admin user again.

I created a new role under the Administration > Configure > Roles, however, there is no option to add new user anywhere.

Can you please point me to the right steps for adding new users?

Thanks
_______________________________________________
Users mailing list -- ***@ovirt.org
To unsubscribe send an email to users-***@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/***@ovirt.org/message/E7GHE
Lucie Leistnerova
2021-05-19 10:11:53 UTC
Hello,

engine itself doesn't manage users directly, it just connects to
different user directories. Admin is created in internal profile, that
is specifically created for engine.

You can manage internal users with AAA JDBC tool.
See
https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc.html
Best regards,
--
Lucie Leistnerova
Associate Manager, Quality Engineering, RHV - QE Core & Tools
GChat: lleistne @ Virtualization <https://chat.google.com/room/AAAA7lwAJb4>

Red Hat EMEA <https://www.redhat.com>
g***@gmail.com
2021-05-19 10:29:36 UTC
Thank you Lucie,

So if I understand correctly, we need to install the AAA JDBC tool as an additional package on the server running the hosted engine?

The link you sent me suggests that we have to run engine-setup? What exactly does this mean and seems rather complicated for adding a new user.

Anyways, I ran the command "ovirt-hosted-engine-setup" after googling a bit and it prompted me to create a new VM with hosted engine. I followed through by providing a FQDN from our DNS server. However, this procedure failed to create the VM.

Am I doing something wrong? Could you please elaborate what would be the right steps here?

Thank you
Martin Perina
2021-05-19 11:01:07 UTC
Hi,

ovirt-engine-extension-aaa-jdbc package is installed automatically as a
part of oVirt Engine, so in order to use it, you need to SSH to oVirt
Engine host/VM and execute ovirt-aaa-jdbc-tool locally:

https://www.ovirt.org/documentation/administration_guide/index.html#sect-Administering_User_Tasks_From_the_commandline

Anyway aaa-jdbc extension is useful mostly for small installations within
organizations which don't have their users/groups provided on LDAP server.
If your organization has LDAP server, then I suggest to use aaa-ldap
extension:

https://www.ovirt.org/documentation/administration_guide/index.html#Introduction_to_Directory_Servers

Regards,
Martin
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
Klaas Demter
2021-05-19 12:04:30 UTC
Hi,

I would recommend to use ansible, that way you can have your
configuration as code.

https://docs.ansible.com/ansible/latest/collections/ovirt/ovirt/ovirt_user_module.html#ansible-collections-ovirt-ovirt-ovirt-user-module


Greetings

Klaas
Martin Perina
2021-05-19 13:24:44 UTC
Post by Klaas Demter
Hi,
I would recommend to use ansible, that way you can have your configuration
as code.
https://docs.ansible.com/ansible/latest/collections/ovirt/ovirt/ovirt_user_module.html#ansible-collections-ovirt-ovirt-ovirt-user-module

This only registers existing user provided by aaa-ldap or aaa-jdbc into
oVirt Engine, it cannot create new user.
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
Klaas Demter
2021-05-19 19:15:47 UTC
Oh damn yeah, I only use it to register users that already exist in AD,
nvm the noise --- sorry :)


Greets

Klaas
g***@gmail.com
2021-05-20 05:09:13 UTC
Thank you Martin, I tried as you suggested and ran the "ovirt-aaa-jdbc-tool user add" command on the hosted engine server, but got the following error:

/usr/bin/ovirt-aaa-jdbc-tool: line 3: /usr/share/ovirt-engine-extension-aaa-jdbc/bin/../../ovirt-engine/bin/engine-prolog.sh: No such file or directory

At first I thought the package doesn't exist, and so I installed it using - yum install ovirt-engine-extension-aaa-jdbc
https://ovirt.org/documentation/administration_guide/index.html#sect-Configuring_an_External_LDAP_Provider

But I continue to receive this same error.
Yedidyah Bar David
2021-05-20 05:48:54 UTC
Post by g***@gmail.com
Thank you Martin, I tried as you suggested and ran the "ovirt-aaa-jdbc-tool user add" command on the hosted engine server, but got the following error: /usr/bin/ovirt-aaa-jdbc-tool: line 3: /usr/share/ovirt-engine-extension-aaa-jdbc/bin/../../ovirt-engine/bin/engine-prolog.sh: No such file or directory
At first I thought the package doesn't exist, and so I installed it using - yum install ovirt-engine-extension-aaa-jdbc
https://ovirt.org/documentation/administration_guide/index.html#sect-Configuring_an_External_LDAP_Provider
But I continue to receive this same error.

You should do this on the engine machine (VM), not on a host.

You should not need to install this tool on a host, and on the engine
you should already have it.

Best regards,
--
Didi
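
An added example, not part of the thread and not oVirt project code: a preflight check for the failure reported above (missing `engine-prolog.sh` means the command is running on a host rather than the engine VM), followed by the `ovirt-aaa-jdbc-tool` calls that create an internal user. The user name, expiry date, the `DRY_RUN` variable and the optional root argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Function names, DRY_RUN and the root argument are
# illustrative assumptions, not part of oVirt.

# File the ovirt-aaa-jdbc-tool wrapper sources; taken from the error message
# in the thread with the "bin/../.." component resolved.
PROLOG_REL="usr/share/ovirt-engine/bin/engine-prolog.sh"

# Return 0 only when the engine's prolog script exists under the given root
# (default "/"). On a hypervisor host the file is absent.
on_engine_machine() {
    root="${1:-/}"
    [ -f "${root%/}/${PROLOG_REL}" ]
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create a user in the internal profile and set a password expiry.
# $1 = user name
# $2 = expiry, format yyyy-MM-dd HH:mm:ssX
# $3 = optional filesystem root for the preflight check
add_internal_user() {
    user="$1"
    valid_to="$2"
    if ! on_engine_machine "${3:-/}"; then
        echo "engine-prolog.sh not found: run this on the engine VM, not a host" >&2
        return 2
    fi
    run ovirt-aaa-jdbc-tool user add "$user" || return 1
    # password-reset prompts for the new password interactively; without
    # --password-valid-to the password is treated as already expired.
    run ovirt-aaa-jdbc-tool user password-reset "$user" \
        --password-valid-to="$valid_to" || return 1
    run ovirt-aaa-jdbc-tool user show "$user"
}

# Usage on the engine VM (constructed values):
#   add_internal_user jdoe "2030-01-01 00:00:00Z"
```

The new account still has no permissions in the engine after this; roles are assigned separately in the Administration Portal.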
g***@gmail.com
2021-05-20 07:03:57 UTC
Thank you so much. I was a bit confused about this but now I have successfully added the users.
However, I am still having trouble assigning login permit for these users. I get the error- The user @internal is not authorized to perform login.

I can only bypass this by assigning some kind of admin roles which we do not wish to have in our setup.

Is there a specific user permission that must be added to permit login? I have already tried creating a custom role with Login permission but that doesn't work.
https://postimg.cc/4m8YhV6Z
Yedidyah Bar David
2021-05-20 07:32:00 UTC
Post by g***@gmail.com
Thank you so much..I was a bit confused about this but now I have successfully added the users.
I can only bypass this by assigning some kind of admin roles which we do not wish to have in our setup.
Is there a specific user permission that must be added to permit login? I have already tried creating a custom role with Login permission but that doesn't work.
https://postimg.cc/4m8YhV6Z

Any user can login to the VM portal.

Only users that have at least one admin role can login to the admin portal.

You can create a custom admin role and not give it any other
permissions (other than login), then give it to the user you created -
I think this should be enough.

Best regards,
--
Didi
Edward Berger
2021-05-19 13:33:39 UTC
For specific users local to the ovirt engine
https://ovirt.org/documentation/administration_guide/index.html#sect-Administering_User_Tasks_From_the_commandline
OK for an emergency admin user or perhaps external system user, but this
doesn't scale very well.

But generally you might want to setup LDAP logins with
https://ovirt.org/documentation/administration_guide/index.html#sect-Configuring_an_External_LDAP_Provider
and manage users externally across multiple machines.