Manuals / Citrix Systems / Computer Equipment / Server

Citrix Systems 6 manual Roles, Rbac process

Models: 6

1 207

Download 207 pages 43.5 Kb

Page 29

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

The local super user (LSU), or root, is a special user account used for system administration and has all rights or permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated via XenServer and not external authentication service, so if the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access the XenServer physical host via SSH.

RBAC process

This is the standard process for implementing RBAC and assigning a user or group a role:

1.Join the domain. See Enabling external authentication on a pool

2.Add an Active Directory user or group to the pool. This becomes a subject. See the section called “To Add a Subject to RBAC”.

3.Assign (or modify) the subject's RBAC role. See the section called “To Assign an RBAC Role to a Created subject”.

Roles

XenServer is shipped with the following six, pre-established roles:

• Pool Administrator (Pool Admin) – the same as being the local root. Can perform all operations.

Note:

The local super user (root) will always have the "Pool Admin" role. The Pool Admin role has the same permissions as the local root.

•Pool Operator (Pool Operator) – can do everything apart from adding/removing users and modifying their roles. This role is focused mainly on host and pool management (i.e. creating storage, making pools, managing the hosts etc.)

•Virtual Machine Power Administrator (VM Power Admin) – creates and manages Virtual Machines. This role is focused on provisioning VMs for use by a VM operator.

•Virtual Machine Administrator (VM Admin) – similar to a VM Power Admin, but cannot migrate VMs or perform snapshots.

•Virtual Machine Operator (VM Operator) – similar to VM Admin, but cannot create/destroy VMs – but can perform start/stop lifecycle operations.

•Read-only(Read Only) – can view resource pool and performance data.

11

Image 29

Citrix Systems 6 manual Roles, Rbac process

Contents

Citrix XenServer 6.0 Administrators Guide Trademarks Contents Storage ISO Configuring VM Memory Xen Memory Usage Disaster Recovery and Backup Monitoring and Managing XenServer 106 110 Page Host-bugreport-upload 129 Xiii Xiv Page Vm-compute-maximum-memory Workload Balancing Service Commands 186 Xviii Using XenServer reduces costs by Benefits of Using XenServerUsing XenServer increases flexibility by Introducing XenServerXenServer Editions New Features in XenServerAdministering XenServer Distributed Virtual Switch Improvements Rolling Pool Upgrade WizardSimplified Installer Microsoft Scvmm and Scom SupportXenServer Documentation VM Protection and RecoveryNFS Support for High Availability XenCenter ImprovementsXenServer CLI Term Authenticating Users With Active Directory ADXenCenter Term Upgrading XenServer Configuring Active Directory AuthenticationPort Protocol Use Active Directory integrationDisabling external authentication User AuthenticationEnabling external authentication on a pool Allowing a user access to XenServer using the CLI Removing Access for a UserRemoving access for a user using the CLI Listing subjects with accessTerminating all authenticated sessions using xe Role Based Access ControlTerminating individual user sessions using xe Leaving an AD DomainRbac process RolesPermissions available for each role Definitions of Rbac Roles and PermissionsUsers role can be changed in two ways WLB Permission Allows Assignee To Rationale/Comments Definitions of permissionsPermission Allows Assignee To Rationale/Comments Report Generated or its recipient To List All the Available Defined Roles in XenServer Using Rbac with the CLITo Display a List of Current Subjects To Add a Subject to Rbac Run the command xe subject-add subject-name=AD user/groupTo Assign an Rbac Role to a Created subject To Change a Subjects Rbac RoleAuditing Audit Log xe CLI CommandsHow Does XenServer Compute the Roles for the Session? To Obtain All Audit Records From the PoolPage Requirements for Creating Resource Pools Hosts and Resource Pools OverviewNaming a resource pool Creating a Resource PoolCreating Heterogeneous Resource Pools Adding Shared Storage Adding NFS shared storage to a resource pool using the CLIRemoving a XenServer Host from a Resource Pool Preparing a Pool of XenServer Hosts for MaintenanceTo remove a host from a resource pool using the CLI Overcommitting High AvailabilityHA Overview Host Fencing Configuration RequirementsOvercommitment Warning HA Always Run Explanation Restart PrioritiesHA Restart Priority Restart Explanation Enabling HA on a XenServer Pool Enabling HA Using the CLIRemoving HA Protection from a VM using the CLI Recovering an Unreachable Host Host Power OnShutting Down a host When HA is Enabled Shutting Down a VM When it is Protected by HATo Turn on Hosts Remotely Using the CLI Using the CLI to Manage Host Power OnTo Enable Host Power On Using the CLI Sample Script Key/Value PairsResult is only displayed when the script is unsuccessful Storage Repositories SRs Storage OverviewVirtual Disk Images VDIs Physical Block Devices PBDsSummary of Storage objects Virtual Block Devices VBDsVirtual Disk Data Formats VHD-based VDIsVHD Chain Coalescing LUN-based VDIsStorage type Maximum VDI size Storage Repository TypesLocal LVM Udev Local EXT3 VHDCreating a Local LVM SR lvm Creating a Local EXT3 SR extCitrix StorageLink SRs XenServer Host iSCSI configurationSoftware iSCSI Support Creating a Shared StorageLink SR Upgrading XenServer with StorageLink SRsParameter name Description Optional? To Create a CSL SR Using XenCenterTo Create a CSL SR Using the CLI Page Managing Hardware Host Bus Adapters HBAs Sample QLogic iSCSI HBA setupParameter Name Description LVM over iSCSIRemoving HBA-based SAS, FC or iSCSI Device Entries Parameter Name Description Hitachi NFS VHD LVM over Hardware HBA Storage ConfigurationCreating Storage Repositories Creating a Shared NFS SR NFSVDI Types Upgrading LVM Storage from XenServer 5.0 or EarlierLVM Performance Considerations Probing an SR Creating a Raw Virtual Disk Using the xe CLIConverting Between VDI Formats Following parameters can be probed for each SR type Page Storage Multipathing To enable storage multipathing using the xe CLIMPP Rdac Driver Support for LSI Arrays Managing Storage RepositoriesDestroying or Forgetting a SR Introducing an SRConverting Local Fibre Channel SRs to Shared SRs Resizing an SRMoving Virtual Disk Images VDIs Between SRs Adjusting the Disk IO SchedulerCopying All of a VMs VDIs to a Different SR Copying Individual VDIs to a Different SRReclaiming Space Using the Off Line Coalesce Tool Automatically Reclaiming Space When Deleting SnapshotsPossible values of qosalgorithmparamsched are Virtual Disk QoS SettingsPage Concept of Dynamic Range What is Dynamic Memory Control DMC?How Does DMC Work? Concept of Static RangeDMC Behaviour Operating System Supported Memory Limits Memory ConstraintsSupported Operating Systems Display the Static Memory Properties of a VM Xe CLI CommandsUpdating Memory Properties Display the Dynamic Memory Properties of a VMWorkload Balancing Interaction Upgrade IssuesUpdate Individual Memory Properties Name Default Description Setting Control Domain MemoryName Default Description Networking Support VSwitch NetworksNetwork Objects XenServer Networking OverviewNIC Bonds NetworksVLANs Page Switch Configuration Active-Active Bonding Active-Passive Bonding Cross-Server Private networks Managing Networking ConfigurationInitial Networking Configuration Creating Networks in a Standalone Server To connect a network to an external Vlan using the CLI To add a new network using the CLICreating Networks in Resource Pools Creating VLANsControlling the MAC Address of the Bond Creating a NIC bondBonding two NICs Adding NIC bonds to new resource pools Creating NIC bonds in resource poolsReverting NIC bonds Adding NIC bonds to an existing pool Configuring a dedicated storage NICTo assign NIC functions using the xe CLI Assigning a SR-IOV NIC VF to a VM Using SR-IOV Enabled NICsControlling the rate of outgoing data QoS Networking Stack Configuration Methods Available Changing networking configuration optionsChanging IP address configuration in resource pools Changing IP address configuration for a standalone hostHostname DNS serversDisabling management access Networking TroubleshootingPrimary management interface Adding a new physical NICDiagnosing network corruption Recovering from a bad network configurationUnderstanding XenServer DR Disaster Recovery and BackupDR Infrastructure Requirements Steps to Take After a Recovery Enabling Disaster Recovery in XenCenterDeployment Considerations Steps to Take Before a DisasterRecovering VMs and vApps in the Event of Disaster Failover Test Failover Recovery WizardVApps Backing Up and Restoring XenServer Hosts and VMs Using the Manage vApps dialog box in XenCenterCreating vApps Value DescriptionTo backup host configuration and software To backup pool metadataTo backup a VM To backup VM metadata onlyBacking up XenServer hosts Backing up single host installationsBacking up pooled installations Backing up VMs To restore a running XenServer hostTo back up a XenServer host Restarting a crashed XenServer hostRegular Snapshots VM SnapshotsQuiesced Snapshots Snapshots with memoryTo list the snapshots on a particular VM Creating a snapshot with memoryTo list all of the snapshots on a XenServer pool Deleting a snapshot Restoring a VM to its previous stateExporting a snapshot to a template Snapshot TemplatesCreating a template from a snapshot Advanced Notes for Quiesced Snapshots Naming convention for VM archive folders VM Protection and RecoveryCoping with machine failures Master failures Opt/xensource/sm/resetvdis.py hostUUID Sruuid masterMember failures Physical Machine failure Coping with Failure due to Configuration ErrorsPool failures To restore a VM when VM storage is not available To restore a pool with all hosts failedAlert Description AlertsValid VM Elements Customizing AlertsValid Host Elements Configuring Email AlertsCustom Searches Custom Fields and TagsDetermining throughput of physical bus adapters To determine PBD throughputTo write logs to a remote server XenServer host logsSending host log messages to a central server Userprofile%\AppData\Citrix\XenCenter\logs\XenCenter.log XenCenter logsBasic xe Syntax Xe command-name argument=value argument=valueClass-list Command TypesSpecial Characters and Syntax Parameter Types Class-param-list uuid=uuid Low-level Parameter CommandsLow-level List Commands Appliance Commands Xe Command ReferenceAppliance-assert-can-be-recovered Appliance ParametersAudit Commands CD Commands Bonding CommandsCd-listparams=param1,param2,... parameter=parametervalue Cd-listDisaster Recovery DR Commands Console CommandsConsole Parameters Drtask-createVm-recover Vm-assert-can-be-recoveredSr-enable-database-replication Sr-disable-database-replicationClass name Description Event CommandsEvent Classes Event-wait GPU CommandsGPU Group Parameters Vgpu-create Host CommandsVgpu-destroy Host SelectorsHost Parameters Syslogdestination Yyyymmdd-hhmmss-ABC, where ABC is Host-disable Host-backupHost-bugreport-upload Host-crashdump-destroyHost-enable Host-emergency-management-reconfigureHost-evacuate Host-forgetAttribute Description Host-get-system-status-capabilitiesHost-is-in-emergency-mode Host-management-disableHost-apply-edition Host-license-addHost-power-on Host-management-reconfigureHost-get-cpu-features Host-set-cpu-featuresHost-syslog-reconfigure Host-restoreHost-set-hostname-live Host-shutdownHost-data-source-record Host-data-source-listHost-data-source-forget Host-data-source-queryMessage Commands Log CommandsLog-set-output Message ParametersMessage-destroy Network CommandsMessage-list Network ParametersNetwork-create Patch Update CommandsNetwork-destroy Patch ParametersPBD Commands Pbd-create PIF CommandsPbd-destroy Pbd-plugMAC PIF ParametersFull or half Pif-forget Pif-reconfigure-ipPif-introduce Pif-plugPif-scan Pool CommandsPif-unplug Pool ParametersPool-dump-database Pool-designate-new-masterPool-ha-enable Pool-emergency-reset-masterPool-ha-disable Pool-recover-slavesSR Commands Storage Manager CommandsSM Parameters SR ParametersUser Sr-createSr-forget Sr-destroySr-introduce Sr-probeTask Parameters Task CommandsTask-cancel Template CommandsTask-cancel uuid=taskuuid Template ParametersFor memory-dynamic-max Uuid=templateuuid \ Order Order or anYyyymmddThhmmss NotAs not in database for Template-export Update CommandsVBD Commands User CommandsUpdate-upload User-password-changeVbd-createvm-uuid=uuidofthevmdevice=devicevalue Vbd-createVDI Commands VDI VDI ParametersVdi-copy Vdi-cloneVdi-create Local/domain/0/backendVdi-forget Vdi-destroyVdi-import Vdi-introduceVdi-snapshot VIF CommandsVdi-unlock VIF ParametersDisable 165 Vif-create Vlan CommandsVif-destroy Vif-plugVM Commands Parameter Name Description Type Uuid=vmuuid \ Order Value pair autopoweron true Vcpu-hotplug command Domain/domid/vm Vm-cd-eject Vm-cd-addVm-cd-insert Vm-cd-listVm-compute-maximum-memory Vm-cloneVm-copy Vm-crashdump-listVm-data-source-record Vm-data-source-listVm-data-source-forget Vm-data-source-queryVm-disk-add Vm-destroyVm-disk-list Vm-disk-removeVm-import Vm-installVm-reset-powerstate Vm-rebootVm-memory-shadow-multiplier-set Vm-migrateVm-shutdown Vm-resumeVm-start Vm-suspendWorkload Balancing XE Commands Pool-certificate-install Pool-retrieve-wlb-diagnosticsHost-retrieve-wlb-evacuate-recommendations Vm-retrieve-wlb-recommendationsPool-retrieve-wlb-configuration Pool-deconfigure-wlbPool-retrieve-wlb-recommendations Pool-retrieve-wlb-reportPool-send-wlb-configuration 185 Service Commands Editing the Workload Balancing configuration file Modifying the Workload Balancing configuration optionsTo run the wlbconfig command To edit the wlb.conf fileLogging Trace Flag Benefit or Purpose Option Increasing the Detail in the Workload Balancing LogLogging Trace Flag Benefit or Purpose Option