XenServer

Use RBAC with the CLI

RBAC xe CLI commands

Use the following commands to work with roles and subjects.

To list all the available defined roles

Run the command: xe role-list

This command returns a list of the currently defined roles, for example:

    uuid( RO): 0165f154-ba3e-034e-6b27-5d271af109ba
    name ( RO): pool-admin
    description ( RO): The Pool Administrator role has full access to all
    features and settings, including accessing Dom0 and managing subjects,
    roles and external authentication

    uuid ( RO): b9ce9791-0604-50cd-0649-09b3284c7dfd
    name ( RO): pool-operator
    description ( RO): The Pool Operator role manages host-  and pool-wide resources,
    including setting up storage, creating resource pools and managing patches, and
    high availability (HA).

    uuid( RO): 7955168d-7bec-10ed-105f-c6a7e6e63249
    name ( RO): vm-power-admin
    description ( RO): The VM Power Administrator role has full access to VM and
    template management and can choose where to start VMs and use the dynamic memory
    control and VM snapshot features

    uuid ( RO): aaa00ab5-7340-bfbc-0d1b-7cf342639a6e
    name ( RO): vm-admin
    description ( RO):  The VM Administrator role can manage VMs and templates

    uuid ( RO): fb8d4ff9-310c-a959-0613-54101535d3d5
    name ( RO): vm-operator
    description ( RO):  The VM Operator role can use VMs and interact with VM consoles

    uuid ( RO): 7233b8e3-eacb-d7da-2c95-f2e581cdbf4e
    name ( RO): read-only
    description ( RO): The Read-Only role can log in with basic read-only access
<!--NeedCopy-->

Note:

This list of roles is static. You cannot add, remove, or modify roles.

To display a list of current subjects

Run the following command:

xe subject-list
<!--NeedCopy-->

This command returns a list of XenServer users, their uuid, and the roles they are associated with:

    uuid ( RO): bb6dd239-1fa9-a06b-a497-3be28b8dca44
    subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2244
    other-config (MRO): subject-name: example01\user_vm_admin; subject-upn: \
      user_vm_admin@XENDT.NET; subject-uid: 1823475908; subject-gid: 1823474177; \
      subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2244; subject-gecos: \
      user_vm_admin; subject-displayname: user_vm_admin; subject-is-group: false; \
      subject-account-disabled: false; subject-account-expired: false; \
      subject-account-locked: false;subject-password-expired: false
    roles (SRO): vm-admin

    uuid ( RO): 4fe89a50-6a1a-d9dd-afb9-b554cd00c01a
    subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2245
    other-config (MRO): subject-name: example02\user_vm_op; subject-upn: \
      user_vm_op@XENDT.NET; subject-uid: 1823475909; subject-gid: 1823474177; \
      subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2245; \
      subject-gecos: user_vm_op; subject-displayname: user_vm_op; \
      subject-is-group: false; subject-account-disabled: false; \
      subject-account-expired: false; subject-account-locked: \
      false; subject-password-expired: false
    roles (SRO): vm-operator

    uuid ( RO): 8a63fbf0-9ef4-4fef-b4a5-b42984c27267
    subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2242
    other-config (MRO): subject-name: example03\user_pool_op; \
      subject-upn: user_pool_op@XENDT.NET; subject-uid: 1823475906; \
      subject-gid: 1823474177; subject-s id:
      S-1-5-21-1539997073-1618981536-2562117463-2242; \
      subject-gecos: user_pool_op; subject-displayname: user_pool_op; \
      subject-is-group: false; subject-account-disabled: false; \
      subject-account-expired: false; subject-account-locked: \
      false; subject-password-expired: false
      roles (SRO): pool-operator
<!--NeedCopy-->

To add a subject to RBAC

To enable existing AD users to use RBAC, create a subject instance within XenServer, either for the AD user directly, or for the containing groups:

Run the following command to add a new subject instance:

xe subject-add subject-name=AD user/group
<!--NeedCopy-->

To assign an RBAC role to a subject

After adding a subject, you can assign it to an RBAC role. You can refer to the role by either by its UUID or name:

Run the command:

xe subject-role-add uuid=subject uuid role-uuid=role_uuid
<!--NeedCopy-->

Or

xe subject-role-add uuid=subject uuid role-name=role_name
<!--NeedCopy-->

For example, the following command adds a subject with the UUID b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 to the Pool Administrator role:

xe subject-role-add uuid=b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 role-name=pool-admin
<!--NeedCopy-->

To change the RBAC role of a subject

To change the role of a user, it is necessary to remove them from their existing role and add them to a new role:

Run the following commands:

xe subject-role-remove uuid=subject_uuid role-name=role_name_to_remove
xe subject-role-add uuid=subject_uuid role-name=role_name_to_add
<!--NeedCopy-->

The user must log out and log back in to ensure that the new role takes effect. This requires the “Logout Active User Connections” permission available to a Pool Administrator or Pool Operator.

If you remove the Pool Admin role from a user, consider also changing the root password and rotating the pool secret. For more information, see Pool Security.

Warning:

When you add or remove a pool-admin subject, it can take a few seconds for all hosts in the pool to accept ssh sessions associated with this subject.

Auditing

The RBAC audit log records any operation taken by a logged-in user.

  • The message records the Subject ID and user name associated with the session that invoked the operation.

  • If a subject invokes an operation that is not authorized, the operation is logged.

  • Any successful operation is also recorded. If the operation failed then the error code is logged.

Audit log xe CLI commands

The following command downloads all the available records of the RBAC audit file in the pool to a file. If the optional parameter ‘since’ is present, then it only downloads the records from that specific point in time.

xe audit-log-get \[since=timestamp\] filename=output filename
<!--NeedCopy-->

To obtain all audit records from the pool

Run the following command:

xe audit-log-get filename=/tmp/auditlog-pool-actions.out
<!--NeedCopy-->

To obtain audit records of the pool since a precise millisecond timestamp

Run the following command:

xe audit-log-get since=2009-09-24T17:56:20.530Z \
    filename=/tmp/auditlog-pool-actions.out
<!--NeedCopy-->

To obtain audit records of the pool since a precise minute timestamp

Run the following command:

xe audit-log-get since=2009-09-24T17:56Z \
    filename=/tmp/auditlog-pool-actions.out
<!--NeedCopy-->
Use RBAC with the CLI