Citrix Systems 6 Definitions of RBAC Roles and Permissions

12

Note:

You cannot add, remove or modify roles in this version of XenServer.

Warning:

You can not assign the role of pool-admin to an AD group which has more than 500 members,

if you want users of the AD group to have SSH access.

For a summary of the permissions available for each role and more detailed information on the operations

available for each permission, see the section called “Definitions of RBAC Roles and Permissions”.

All XenServer users need to be allocated to an appropriate role. By default, all new users will be allocated to the

Pool Administrator role. It is possible for a user to be assigned to multiple roles; in that scenario, the user will

have the union of all the permissions of all their assigned roles.

A user's role can be changed in two ways:

1. Modify the subject -> role mapping (this requires the assign/modify role permission, only available to a Pool

Administrator.)

2. Modify the user's containing group membership in Active Directory.

Definitions of RBAC Roles and Permissions

The following table summarizes which permissions are available for each role. For details on the operations

available for each permission, see Definitions of permissions.

Table 1. Permissions available for each role

Role

permissions

Pool Admin Pool

Operator

VM Power

Admin

VM Admin VM Operator Read Only

Assign/

modify roles

X

Log in to

(physical)

server

consoles

(through SSH

and

XenCenter)

X

Server

backup/

restore

X

Import/

export OVF/

OVA

packages and

disk images

X

Log out

active user

connections

X X

Create and

dismiss alerts

X X

Contents

Main Page Contents Page Page Page Page Page Monitoring and Managing XenServer ........................................................... 106 Page Page Page Page Page Page Page B. Workload Balancing Service Commands ................................................... 186 Page Document Overview Introducing XenServer Benefits of Using XenServer Using XenServer reduces costs by: Using XenServer increases flexibility by: New Features in XenServer 6.0 Integrated Site Recovery (Disaster Recovery): Integrated StorageLink: GPU Pass-Through: Virtual Appliance Support (vApp): Page VM Protection and Recovery: NFS Support for High Availability: XenCenter Improvements: Host Architectural Improvements: XenServer Documentation Managing Users Authenticating Users With Active Directory (AD) Understanding Active Directory Authentication in the XenServer Environment Upgrading XenServer Configuring Active Directory Authentication Page Enabling external authentication on a pool Disabling external authentication User Authentication Allowing a user access to XenServer using the CLI Removing access for a user using the CLI Listing subjects with access Removing Access for a User Terminating all authenticated sessions using xe Terminating individual user sessions using xe Leaving an AD Domain Role Based Access Control RBAC process Roles A user's role can be changed in two ways: Definitions of RBAC Roles and Permissions Table 1. Permissions available for each role Page Definitions of Permissions Table 2. Definitions of permissions Page Page Using RBAC with the CLI To List All the Available Defined Roles in XenServer To Display a List of Current Subjects: To Add a Subject to RBAC To Assign an RBAC Role to a Created subject To Change a Subject's RBAC Role: Auditing Audit Log xe CLI Commands To Obtain All Audit Records From the Pool To Obtain Audit Records of the Pool Since a Precise Millisecond Timestamp To Obtain Audit Records of the Pool Since a Precise Minute Timestamp Page XenServer Hosts and Resource Pools Hosts and Resource Pools Overview Requirements for Creating Resource Pools Creating a Resource Pool To join XenServer hosts host1 and host2 into a resource pool using the CLI Naming a resource pool Creating Heterogeneous Resource Pools To add a heterogeneous XenServer host to a resource pool using the xe CLI Adding Shared Storage Adding NFS shared storage to a resource pool using the CLI Removing a XenServer Host from a Resource Pool To remove a host from a resource pool using the CLI Preparing a Pool of XenServer Hosts for Maintenance To prepare a XenServer host in a pool for maintenance operations using the CLI High Availability HA Overview Overcommitting Overcommitment Warning Host Fencing Configuration Requirements Restart Priorities Enabling HA on a XenServer Pool Enabling HA Using the CLI Removing HA Protection from a VM using the CLI Recovering an Unreachable Host Shutting Down a host When HA is Enabled Host Power On Powering on Hosts Remotely Using the CLI to Manage Host Power On To Enable Host Power On Using the CLI To Turn on Hosts Remotely Using the CLI Configuring a Custom Script for XenServer's Host Power On Feature Key/Value Pairs host.power_on_mode host.power_on_config Sample Script Page Storage Storage Overview Storage Repositories (SRs) Virtual Disk Images (VDIs) Physical Block Devices (PBDs) Virtual Block Devices (VBDs) Summary of Storage objects Virtual Disk Data Formats VHD-based VDIs VHD Chain Coalescing LUN-based VDIs Storage Repository Types Local LVM Creating a Local LVM SR (lvm) Local EXT3 VHD Creating a Local EXT3 SR (ext) udev ISO Software iSCSI Support XenServer Host iSCSI configuration Citrix StorageLink SRs Upgrading XenServer with StorageLink SRs Creating a Shared StorageLink SR To Create a CSL SR Using XenCenter Page Page Managing Hardware Host Bus Adapters (HBAs) Sample QLogic iSCSI HBA setup Removing HBA-based SAS, FC or iSCSI Device Entries LVM over iSCSI Creating a Shared LVM Over iSCSI SR Using the Software iSCSI Initiator (lvmoiscsi) Creating a Shared LVM over Fibre Channel / iSCSI HBA or SAS SR (lvmohba) 47 NFS VHD Creating a Shared NFS SR (NFS) LVM over Hardware HBA Storage Configuration Creating Storage Repositories Upgrading LVM Storage from XenServer 5.0 or Earlier LVM Performance Considerations VDI Types Creating a Raw Virtual Disk Using the xe CLI Converting Between VDI Formats Probing an SR Page Page Storage Multipathing To enable storage multipathing using the xe CLI MPP RDAC Driver Support for LSI Arrays. Managing Storage Repositories Destroying or Forgetting a SR Introducing an SR Resizing an SR Converting Local Fibre Channel SRs to Shared SRs Moving Virtual Disk Images (VDIs) Between SRs Copying All of a VMs VDIs to a Different SR Copying Individual VDIs to a Different SR Adjusting the Disk IO Scheduler Automatically Reclaiming Space When Deleting Snapshots Reclaiming Space Using the Off Line Coalesce Tool Virtual Disk QoS Settings Page Configuring VM Memory What is Dynamic Memory Control (DMC)? The Concept of Dynamic Range The Concept of Static Range DMC Behaviour How Does DMC Work? Memory Constraints Supported Operating Systems xe CLI Commands Display the Static Memory Properties of a VM Display the Dynamic Memory Properties of a VM Updating Memory Properties Update Individual Memory Properties Upgrade Issues Workload Balancing Interaction Xen Memory Usage Setting Control Domain Memory Page Networking Networking Support vSwitch Networks XenServer Networking Overview Network Objects Networks VLANs Using VLANs with Management Interfaces Using VLANs with Virtual Machines Using VLANs with Dedicated Storage NICs Page Switch Configuration Active-Active Bonding Active-Passive Bonding Initial Networking Configuration Managing Networking Configuration Cross-Server Private networks Creating Networks in a Standalone Server To add a new network using the CLI Creating Networks in Resource Pools Creating VLANs To connect a network to an external VLAN using the CLI Creating NIC Bonds on a Standalone Host Creating a NIC bond Bonding two NICs Controlling the MAC Address of the Bond Reverting NIC bonds Creating NIC bonds in resource pools Adding NIC bonds to new resource pools Adding NIC bonds to an existing pool Configuring a dedicated storage NIC To assign NIC functions using the xe CLI Using SR-IOV Enabled NICs Assigning a SR-IOV NIC VF to a VM Controlling the rate of outgoing data (QoS) Changing networking configuration options Hostname DNS servers Changing IP address configuration for a standalone host Changing IP address configuration in resource pools Changing the IP address of a member host (not pool master) Networking Troubleshooting Diagnosing network corruption Recovering from a bad network configuration Disaster Recovery and Backup Understanding XenServer DR DR Infrastructure Requirements Deployment Considerations Steps to Take Before a Disaster Steps to Take After a Disaster Steps to Take After a Recovery Enabling Disaster Recovery in XenCenter Recovering VMs and vApps in the Event of Disaster (Failover) Restoring VMs and vApps to the Primary Site After Disaster (Failback) Test Failover To perform a test failover of VMs and vApps to a secondary site vApps Creating vApps Using the Manage vApps dialog box in XenCenter Backing Up and Restoring XenServer Hosts and VMs To backup pool metadata To backup host configuration and software To backup a VM To backup VM metadata only Backing up Virtual Machine metadata Backing up single host installations Backing up pooled installations Subsequently restoring this backup on a brand new set of hosts Backing up XenServer hosts To back up a XenServer host To restore a running XenServer host Restarting a crashed XenServer host Backing up VMs VM Snapshots Regular Snapshots Quiesced Snapshots Snapshots with memory Creating a VM Snapshot Creating a snapshot with memory To list all of the snapshots on a XenServer pool To list the snapshots on a particular VM Restoring a VM to its previous state Deleting a snapshot Snapshot Templates Creating a template from a snapshot Exporting a snapshot to a template Advanced Notes for Quiesced Snapshots VM Protection and Recovery Naming convention for VM archive folders Coping with machine failures Member failures Master failures Pool failures To restore a completely failed pool Coping with Failure due to Configuration Errors To restore host software and configuration Physical Machine failure To restore a pool with all hosts failed To restore a VM when VM storage is not available Monitoring and Managing XenServer Alerts Customizing Alerts Valid VM Elements Valid Host Elements Configuring Email Alerts Custom Fields and Tags Custom Searches Determining throughput of physical bus adapters To determine PBD throughput Troubleshooting XenServer host logs Sending host log messages to a central server To write logs to a remote server XenCenter logs Troubleshooting connections between XenCenter and the XenServer host Appendix A. Command Line Interface Basic xe Syntax Special Characters and Syntax Command Types Parameter Types Low-level Parameter Commands Low-level List Commands xe Command Reference Appliance Commands Appliance Parameters appliance-assert-can-be-recovered appliance-create Audit Commands Bonding Commands Bond Parameters bond-create bond-destroy CD Commands cd-list Console Commands Console Parameters Disaster Recovery (DR) Commands drtask-create Page Event Commands Event Classes event-wait GPU Commands Physical GPU (pGPU) Parameters GPU Group Parameters Virtual GPU (vGPU) Parameters vgpu-create vgpu-destroy Host Commands Host Selectors Host Parameters Page Page host-backup host-bugreport-upload host-crashdump-destroy host-crashdump-upload host-disable host-emergency-management-reconfigure host-enable host-evacuate host-forget host-get-system-status host-get-system-status-capabilities host-is-in-emergency-mode host-apply-edition host-license-add host-license-view host-logs-download host-management-reconfigure host-power-on host-get-cpu-features host-set-cpu-features host-set-power-on host-restore host-set-hostname-live host-shutdown host-syslog-reconfigure host-data-source-list host-data-source-record host-data-source-forget host-data-source-query Log Commands log-set-output Message Commands Message Parameters message-create Network Commands Network Parameters network-create network-destroy Patch (Update) Commands Patch Parameters patch-apply patch-clean patch-pool-apply PBD Commands PBD Parameters pbd-create pbd-destroy pbd-plug PIF Commands PIF Parameters Page pif-forget pif-introduce pif-plug pif-reconfigure-ip pif-scan Pool Commands Pool Parameters pool-designate-new-master pool-dump-database Page Storage Manager Commands SM Parameters SR Commands SR Parameters sr-create sr-destroy sr-enable-database-replication sr-disable-database-replication sr-forget sr-introduce Task Commands Task Parameters task-cancel Template Commands Template Parameters Page Page Page Page Page template-export Update Commands update-upload User Commands user-password-change VBD Commands VBD Parameters vbd-create vbd-destroy vbd-eject vbd-insert vbd-plug VDI Commands VDI Parameters vdi-clone vdi-copy vdi-create vdi-destroy vdi-forget vdi-import vdi-introduce vdi-resize VIF Commands VIF Parameters Page vif-create vif-destroy vif-plug vif-unplug VLAN Commands vlan-create pool-vlan-create vlan-destroy VM Commands VM Selectors VM Parameters Page Page Page Page Page Page vm-assert-can-be-recovered vm-cd-add vm-cd-eject vm-cd-insert vm-cd-list vm-clone vm-compute-maximum-memory vm-copy vm-crashdump-list vm-data-source-list vm-data-source-record vm-data-source-forget vm-data-source-query vm-destroy vm-disk-add vm-disk-list vm-disk-remove vm-export vm-import vm-install vm-memory-shadow-multiplier-set vm-migrate vm-reboot vm-recover vm-reset-powerstate vm-resume vm-shutdown vm-start vm-suspend vm-uninstall Workload Balancing XE Commands pool-initialize-wlb pool-param-set other-config Page pool-deconfigure-wlb pool-retrieve-wlb-configuration pool-retrieve-wlb-recommendations pool-retrieve-wlb-report pool-send-wlb-configuration Page Appendix B. Workload Balancing Service Commands Service Commands Logging in to the Workload Balancing Virtual Appliance To log in to the Workload Balancing virtual appliance service workloadbalancing restart Modifying the Workload Balancing configuration options To run the wlbconfig command Editing the Workload Balancing configuration file To edit the wlb.conf file Increasing the Detail in the Workload Balancing Log