Citrix Systems 5.6 Role Based Access Control

7

When you leave the domain (that is, disable Active Directory authentication and disconnect a pool or server

from its domain), any users who authenticated to the pool or server with Active Directory credentials are

disconnected.

Use XenCenter to leave an AD domain. See the XenCenter help for more information. Alternately run the

pool-disable-external-auth command, specifying the pool uuid if required.

Note:

Leaving the domain will not cause the host objects to be removed from the AD database. See this knowledge

base article for more information about this and how to remove the disabled host entries.

Role Based Access Control

Note:

The full RBAC feature is only available in Citrix XenServer Enterprise Edition or higher. To learn more about

upgrading XenServer, click here.

XenServer's Role Based Access Control (RBAC) allows you to assign users, roles, and permissions to

control who has access to your XenServer and what actions they can perform. The XenServer RBAC

system maps a user (or a group of users) to defined roles (a named set of permissions), which in turn have

associated XenServer permissions (the ability to perform certain operations).

As users are not assigned permissions directly, but acquire them through their assigned role, management

of individual user permissions becomes a matter of simply assigning the user to the appropriate role; this

simplifies common operations. XenServer maintains a list of authorized users and their roles.

RBAC allows you to easily restrict which operations different groups of users can perform - thus reducing

the probability of an accident by an inexperienced user.

To facilitate compliance and auditing, RBAC also provides an Audit Log feature and its corresponding

Workload Balancing Pool Audit Trail report.

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of

authorized users based on Active Directory user and group accounts. As a result, you must join the pool to

the domain and add Active Directory accounts before you can assign roles.

Contents

Main Page iii Table of Contents XenServer hosts and resource pools ....................................................... 19 iv v vi vii viii ix x xi xii xiii Monitoring and managing XenServer .................................................... 136 xiv xv xvi xvii xviii xix Page Document Overview How this Guide relates to other documentation Managing users Authenticating users using Active Directory (AD) Understanding Active Directory authentication in the XenServer environment Upgrading from XenServer 5.5 Configuring Active Directory authentication Enabling external authentication on a pool Disabling external authentication User authentication Allowing a user access to XenServer using the CLI Removing access for a user using the CLI Listing subjects with access Removing access for a user Terminating all authenticated sessions using xe Terminating individual user sessions using xe Leaving an AD domain Role Based Access Control RBAC process Roles A user's role can be changed in two ways: Definitions of RBAC roles and permissions Table 1. Permissions available for each role Definitions of permissions Table 2. Definitions of permissions Page Page Working with RBAC using the xe CLI To list all the available defined roles in XenServer To display a list of current subjects: To add a subject to RBAC To assign an RBAC role to a created subject To change a subject's RBAC role: Auditing Audit log xe CLI commands To obtain all audit records from the pool To obtain audit records of the pool since a precise millisecond timestamp To obtain audit records of the pool since a precise minute timestamp How does XenServer compute the roles for the session? XenServer hosts and resource pools Hosts and resource pools overview Requirements for creating resource pools Creating a resource pool To join XenServer hosts host1 and host2 into a resource pool using the CLI Naming a resource pool Creating heterogeneous resource pools To add a heterogeneous XenServer host to a resource pool using the xe CLI Adding shared storage Adding NFS shared storage to a resource pool using the CLI Removing a XenServer host from a resource pool To remove a host from a resource pool using the CLI High Availability HA Overview Overcommitting Overcommitment Warning Host Fencing Configuration Requirements Restart priorities Enabling HA on a XenServer pool Enabling HA using the CLI Removing HA protection from a VM using the CLI Recovering an unreachable host Shutting down a host when HA is enabled Shutting down a VM when it is protected by HA Host Power On Powering on hosts remotely Using the CLI to Manage Host Power On To enable Host Power On using the CLI To turn on hosts remotely using the CLI Configuring a Custom Script for XenServer's Host Power On Feature Key/Value Pairs host.power_on_mode host.power_on_config Sample Script Storage Storage Overview Storage Repositories (SRs) Virtual Disk Images (VDIs) Physical Block Devices (PBDs) Virtual Block Devices (VBDs) Summary of Storage objects Virtual Disk Data Formats VHD-based VDIs VHD Chain Coalescing Space Utilization LUN-based VDIs Storage configuration Creating Storage Repositories Upgrading LVM storage from XenServer 5.0 or earlier LVM performance considerations VDI types Creating a raw virtual disk using the xe CLI Converting between VDI formats Probing an SR Page Page Storage Multipathing To enable storage multipathing using the xe CLI Storage Repository Types Local LVM Creating a local LVM SR (lvm) Local EXT3 VHD Creating a local EXT3 SR (ext) udev ISO EqualLogic Creating a shared EqualLogic SR EqualLogic VDI Snapshot space allocation with XenServer EqualLogic Adapter Creating a VDI using the CLI NetApp FlexVols Aggregates Thick or thin provisioning FAS Deduplication Access Control Licenses Further information Creating a shared NetApp SR over iSCSI Managing VDIs in a NetApp SR Taking VDI snapshots with a NetApp SR Software iSCSI Support XenServer Host iSCSI configuration Managing Hardware Host Bus Adapters (HBAs) Sample QLogic iSCSI HBA setup Removing HBA-based SAS, FC or iSCSI device entries LVM over iSCSI Creating a shared LVM over iSCSI SR using the software iSCSI initiator (lvmoiscsi) Creating a shared LVM over Fibre Channel / iSCSI HBA or SAS SR (lvmohba) 51 NFS VHD Creating a shared NFS SR (nfs) LVM over hardware HBA Citrix StorageLink Gateway (CSLG) SRs Creating a shared StorageLink SR Page To create a CSLG SR Page 58 You can use grep to filter the sr-probe output to just the storage pool IDs You can use grep to filter the sr-probe output to just the storage pool IDs 5. Create the SR specifying the desired storage system and storage pool IDs Managing Storage Repositories Destroying or forgetting a SR Introducing an SR Resizing an SR Converting local Fibre Channel SRs to shared SRs Moving Virtual Disk Images (VDIs) between SRs Copying all of a VM's VDIs to a different SR Copying individual VDIs to a different SR Virtual disk QoS settings Page Configuring VM memory What is Dynamic Memory Control (DMC)? The concept of dynamic range The concept of static range DMC Behaviour How does DMC Work? Memory constraints Supported operating systems xe CLI commands Display the static memory properties of a VM Display the dynamic memory properties of a VM Updating memory properties Update individual memory properties Upgrade issues Workload Balancing interaction Networking XenServer networking overview Network objects Networks VLANs Using VLANs with host management interfaces Using VLANs with virtual machines NIC bonds Initial networking configuration Managing networking configuration Creating networks in a standalone server To add a new network using the CLI Creating networks in resource pools Creating VLANs To connect a network to an external VLAN using the CLI Creating NIC bonds on a standalone host Creating a NIC bond on a dual-NIC host Bonding two NICs together Controlling the MAC address of the bond Reverting NIC bonds Creating NIC bonds in resource pools Adding NIC bonds to new resource pools Adding NIC bonds to an existing pool To add NIC bonds to the pool master and other hosts Configuring a dedicated storage NIC To assign NIC functions using the xe CLI Controlling Quality of Service (QoS) Changing networking configuration options Hostname DNS servers Changing IP address configuration for a standalone host Changing IP address configuration in resource pools Changing the IP address of a pool member host Management interface To change the NIC used for the management interface Disabling management access Adding a new physical NIC NIC/PIF ordering in resource pools Verifying NIC ordering Re-ordering NICs Networking Troubleshooting Diagnosing network corruption Recovering from a bad network configuration Workload Balancing What's New? New Features Changes Workload Balancing Overview Workload Balancing Basic Concepts Workload Balancing Installation Overview Workload Balancing System Requirements Supported XenServer Versions Supported Operating Systems Recommended Hardware Workload Balancing Data Store Requirements SQL Server Database Authentication Requirements Operating System Language Support Preinstallation Considerations WLB Access Control Permissions Installing Workload Balancing To install Workload Balancing server To verify your Workload Balancing installation Configuring Firewalls Upgrading Workload Balancing Upgrading Workload Balancing on the Same Operating System Upgrading SQL Server Upgrading Workload Balancing and the Operating System Initializing Workload Balancing To initialize Workload Balancing Authorization for Workload Balancing Configuring Antivirus Software Configuring Workload Balancing Settings To display the Workload Balancing Configuration dialog box Adjusting the Optimization Mode Fixed Scheduled To set an optimization mode for all time periods Optimizing and Managing Power Automatically Accepting Optimization Recommendations Automatically Enabling Workload Balancing Power Management Designing Environments for Power Management and VM Consolidation To apply optimization recommendations automatically To select servers for power management Changing the Critical Thresholds Default Settings for Critical Thresholds To change the critical thresholds Tuning Metric Weightings To edit metric weighting factors Excluding Hosts from Recommendations To exclude hosts from placement and optimization recommendations Configuring Optimization Intervals, Report Subscriptions, and Data Storage Historical Data (Storage Time) To configure the data storage period VM Optimization Criteria Length of Time Between Optimization Recommendations After VM Moves Number of Times an Optimization Recommendation is Made Setting the Minimum Optimization Severity Modifying the Aggressiveness Setting To configure VM Recommendation intervals Receiving Reports by Email Automatically (Report Subscriptions) To configure report subscriptions Choosing an Optimal Server for VM Initial Placement, Migrate, and Resume To start a virtual machine on the optimal server To resume a virtual machine on the optimal server Accepting Optimization Recommendations To accept an optimization recommendation Administering Workload Balancing Disabling Workload Balancing Reconfiguring a Pool to Use Another WLB Server Updating Workload Balancing Credentials Uninstalling Workload Balancing Customizing Workload Balancing Entering Maintenance Mode with Workload Balancing Enabled To enter maintenance mode with Workload Balancing enabled Working with Workload Balancing Reports Introduction Subscribing to Workload Balancing Reports Using Workload Balancing Reports for Tasks Evaluating the Effectiveness of Your Optimization Thresholds Generating and Managing Workload Balancing Reports To generate a Workload Balancing report To subscribe to a Workload Balancing report To cancel a report subscription To navigate in a Workload Balancing Report Table 3. Report Toolbar Buttons To print a Workload Balancing report To export a Workload Balancing report Displaying Workload Balancing Reports Report Generation Features Toolbar Buttons Table 4. Report Toolbar Buttons Workload Balancing Report Glossary Host Health History Pool Optimization Performance History Pool Audit Log History Audit Log Event Names Pool Health Pool Health History Pool Optimization History Virtual Machine Motion History Virtual Machine Performance History Backup and recovery Backups To backup pool metadata To backup host configuration and software To backup a VM Full metadata backup and disaster recovery (DR) DR and metadata backup overview Backup and restore using xsconsole Moving SRs between hosts and Pools To create and move a portable SR using the xsconsole and XenCenter Using Portable SRs for Manual Multi-Site Disaster Recovery VM Snapshots Regular Snapshots Quiesced Snapshots Snapshots with memory Creating a VM Snapshot Creating a snapshot with memory To list all of the snapshots on a XenServer pool To list the snapshots on a particular VM Restoring a VM to its previous state Deleting a snapshot Snapshot Templates Creating a template from a snapshot Exporting a snapshot to a template Advanced Notes for Quiesced Snapshots Page Coping with machine failures Member failures Master failures Pool failures To restore a completely failed pool Coping with Failure due to Configuration Errors To restore host software and configuration Physical Machine failure To restore a pool with all hosts failed To restore a VM when VM storage is not available Monitoring and managing XenServer Alerts Customizing Alerts Valid VM Elements Valid Host Elements Configuring Email Alerts Custom Fields and Tags Custom Searches Determining throughput of physical bus adapters To determine PBD throughput Troubleshooting XenServer host logs Sending host log messages to a central server To write logs to a remote server XenCenter logs Troubleshooting connections between XenCenter and the XenServer host Appendix A. Command line interface Basic xe syntax Special characters and syntax Command types Parameter types Low-level param commands Low-level list commands xe command reference Bonding commands Bond parameters bond-create bond-destroy CD commands CD parameters cd-list Console commands Console parameters Event commands Event classes event-wait Host (XenServer host) commands Host selectors Host parameters Page Page host-backup host-bugreport-upload host-crashdump-destroy host-crashdump-upload host-disable host-dmesg host-enable host-evacuate host-forget host-get-system-status host-get-system-status-capabilities host-is-in-emergency-mode host-apply-edition license-server-address license-server-port host-license-add host-license-view host-logs-download host-management-disable host-management-reconfigure host-power-on host-set-power-on host-reboot host-restore host-set-hostname-live Log commands log-get-keys log-reopen log-set-output Message commands Message parameters message-create message-list Network commands Network parameters network-create network-destroy Patch (update) commands Patch parameters patch-apply patch-clean patch-pool-apply PBD commands PBD parameters pbd-create pbd-destroy pbd-plug PIF commands PIF parameters Page pif-forget pif-introduce pif-plug pif-reconfigure-ip pif-scan Pool commands Pool parameters Page pool-designate-new-master pool-dump-database pool-eject pool-emergency-reset-master pool-emergency-transition-to-master Storage Manager commands SM parameters SR commands SR parameters sr-create sr-destroy sr-forget sr-introduce sr-probe Task commands Task parameters task-cancel Template commands Template parameters Page Page Page Page Page Page template-export Update commands update-upload User commands user-password-change VBD commands VBD parameters vbd-create vbd-destroy vbd-eject vbd-insert vbd-plug VDI commands VDI parameters vdi-clone vdi-copy vdi-create vdi-destroy vdi-forget vdi-import vdi-introduce vdi-resize VIF commands VIF parameters Page vif-create vif-destroy vif-plug vif-unplug VLAN commands vlan-create pool-vlan-create vlan-destroy VM commands Page Page Page Page Page Page vm-cd-add vm-cd-eject vm-cd-insert vm-cd-list vm-cd-remove vm-clone vm-compute-maximum-memory vm-copy vm-crashdump-list vm-data-source-forget vm-data-source-list vm-data-source-query vm-data-source-record vm-destroy vm-disk-add vm-disk-list vm-disk-remove vm-export vm-import vm-install vm-memory-shadow-multiplier-set vm-migrate vm-reboot vm-reset-powerstate vm-resume vm-shutdown vm-start vm-suspend vm-uninstall vm-vcpu-hotplug vm-vif-list Workload Balancing commands pool-initialize-wlb pool-param-set other-config host-retrieve-wlb-evacuate-recommendations vm-retrieve-wlb-recommendations pool-certificate-list pool-certificate-install pool-certificate-sync pool-param-set pool-deconfigure-wlb pool-retrieve-wlb-configuration pool-retrieve-wlb-recommendations pool-retrieve-wlb-report pool-send-wlb-configuration Index A C E F S T U V X