Product Documentation

Role Based Access Control

Jun 13, 2017

XenServer's Role Based Access Control (RBAC) allows you to assign users, roles, and permissions to control who has access to your XenServer and what actions they can perform. The XenServer RBAC system maps a user (or a group of users) to defined roles (a named set of permissions), which in turn have associated XenServer permissions (the ability to perform certain operations).

As users are not assigned permissions directly, but acquire them through their assigned role, management of individual user permissions becomes a matter of simply assigning the user to the appropriate role; this simplifies common operations. XenServer maintains a list of authorized users and their roles.

RBAC allows you to restrict which operations different groups of users can perform, thus reducing the probability of an accident by an inexperienced user and limiting what a misused account can do.

To facilitate compliance and auditing, RBAC also provides an Audit Log feature.

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

The local super user (LSU), or root, is a special user account used for system administration and has all rights or permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated by XenServer itself and not by the external authentication service, so if the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access the XenServer physical host via SSH.

This is the standard process for implementing RBAC and assigning a user or group a role:

  1. Join the domain. See Enabling external authentication on a pool

  2. Add an Active Directory user or group to the pool. This becomes a subject. See the section called “To Add a Subject to RBAC”.

  3. Assign (or modify) the subject's RBAC role. See the section called “To Assign an RBAC Role to a Created subject”.

XenServer is shipped with the following six pre-established roles:

  • Pool Administrator (Pool Admin) – the same as being the local root. Can perform all operations.

    Note

    The local super user (root) will always have the "Pool Admin" role. The Pool Admin role has the same permissions as the local root.

  • Pool Operator (Pool Operator) – can do everything apart from adding/removing users and modifying their roles. This role is focused mainly on host and pool management (i.e. creating storage, making pools, managing the hosts etc.)

  • Virtual Machine Power Administrator (VM Power Admin) – creates and manages Virtual Machines. This role is focused on provisioning VMs for use by a VM operator.

  • Virtual Machine Administrator (VM Admin) – similar to a VM Power Admin, but cannot migrate VMs or perform snapshots.

  • Virtual Machine Operator (VM Operator) – similar to VM Admin, but cannot create/destroy VMs – but can perform start/stop lifecycle operations.

  • Read-only (Read Only) – can view resource pool and performance data.

Note

You cannot add, remove or modify roles in this version of XenServer.

Warning

You cannot assign the pool-admin role to an AD group that has more than 500 members if you want the users of that AD group to have SSH access.

For a summary of the permissions available for each role and more detailed information on the operations available for each permission, see the section called “Definitions of RBAC Roles and Permissions”.

All XenServer users need to be allocated to an appropriate role. By default, all new users will be allocated to the Pool Administrator role, so review and reduce a newly added subject's role immediately. It is possible for a user to be assigned to multiple roles; in that scenario, the user has the union of all the permissions of all their assigned roles.

A user's role can be changed in two ways:

  1. Modify the subject -> role mapping (this requires the assign/modify role permission, only available to a Pool Administrator.)

  2. Modify the user's containing group membership in Active Directory.

The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see Definitions of permissions.


Definitions of Permissions

The following table provides additional details about permissions:

Table 2.2. Definitions of permissions

Permission | Allows Assignee To | Rationale/Comments
Assign/modify roles
  • Add/remove users

  • Add/remove roles from users

  • Enable and disable Active Directory integration (being joined to the domain)

This permission lets the user grant himself or herself any permission or perform any task.

Warning: This permission lets the user disable the Active Directory integration, and with it all subjects added from Active Directory.

Log in to server consoles
  • Server console access through ssh

  • Server console access through XenCenter

Warning: With access to a root shell, the assignee could arbitrarily reconfigure the entire system, including RBAC.
Server backup/restore
  • Back up and restore servers

  • Back up and restore pool metadata

The ability to restore a backup lets the assignee revert RBAC configuration changes.
Import/export OVF/OVA packages and disk images
  • Import OVF and OVA packages

  • Import disk images

  • Export VMs as OVF/OVA packages

 
Log out active user connections
  • Ability to disconnect logged in users

 
Create/dismiss alerts  

Warning: A user with this permission can dismiss alerts for the entire pool.

Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission.

Cancel task of any user
  • Cancel any user's running task

This permission lets the user request XenServer cancel an in-progress task initiated by any user.
Pool management
  • Set pool properties (naming, default SRs)

  • Enable, disable, and configure HA

  • Set per-VM HA restart priorities

  • Add and remove server from pool

  • Emergency transition to master

  • Emergency master address

  • Emergency recover slaves

  • Designate new master

  • Manage pool and server certificates

  • Patching

  • Set server properties

  • Configure server logging

  • Enable and disable servers

  • Shut down, reboot, and power-on servers

  • System status reports

  • Apply license

  • Live migration of all other VMs on a server to another server, due to either Maintenance Mode, or HA

  • Configure server management interface and secondary interfaces

  • Disable server management

  • Delete crashdumps

  • Add, edit, and remove networks

  • Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs

  • Add, remove, and retrieve secrets

This permission includes all the actions required to maintain a pool.

Note: If the management interface is not functioning, no logins can authenticate except local root logins.

VM advanced operations
  • Adjust VM memory (through Dynamic Memory Control)

  • Create a VM snapshot with memory, take VM snapshots, and roll-back VMs

  • Migrate VMs

  • Start VMs, including specifying physical server

  • Resume VMs

This permission provides the assignee with enough privileges to start a VM on a different server if they are not satisfied with the server XenServer selected.
VM create/destroy operations
  • Install or delete

  • Clone VMs

  • Add, remove, and configure virtual disk/CD devices

  • Add, remove, and configure virtual network devices

  • Import/export VMs

  • VM configuration change

 
VM change CD media
  • Eject current CD

  • Insert new CD

VM change power state
  • Start VMs (automatic placement)

  • Shut down VMs

  • Reboot VMs

  • Suspend VMs

  • Resume VMs (automatic placement)

This permission does not include start_on, resume_on, and migrate, which are part of the VM advanced operations permission.
View VM consoles
  • See and interact with VM consoles

This permission does not let the user view server consoles.
XenCenter view mgmt operations
  • Create and modify global XenCenter folders

  • Create and modify global XenCenter custom fields

  • Create and modify global XenCenter searches

Folders, custom fields, and searches are shared between all users accessing the pool.
Cancel own tasks
  • Lets a user cancel their own tasks

 
Read audit log
  • Download the XenServer audit log

 
Connect to pool and read all pool metadata
  • Log in to pool

  • View pool metadata

  • View historical performance data

  • View logged in users

  • View users and roles

  • View messages

  • Register for and receive events

 


Note

In some cases, a Read Only user cannot move a resource into a folder in XenCenter, even after receiving an elevation prompt and supplying the credentials of a more privileged user. In this case, log on to XenCenter as the more privileged user and retry the action.

  • Run the command: xe role-list

    This command returns a list of the currently defined roles, for example:

uuid ( RO): 0165f154-ba3e-034e-6b27-5d271af109ba
name ( RO): pool-admin
description ( RO): The Pool Administrator role has full access to all
features and settings, including accessing Dom0 and managing subjects,
roles and external authentication

uuid ( RO): b9ce9791-0604-50cd-0649-09b3284c7dfd
name ( RO): pool-operator
description ( RO): The Pool Operator role manages host- and pool-wide resources,
including setting up storage, creating resource pools and managing patches, and
high availability (HA).

uuid ( RO): 7955168d-7bec-10ed-105f-c6a7e6e63249
name ( RO): vm-power-admin
description ( RO): The VM Power Administrator role has full access to VM and
template management and can choose where to start VMs and use the dynamic memory
control and VM snapshot features

uuid ( RO): aaa00ab5-7340-bfbc-0d1b-7cf342639a6e
name ( RO): vm-admin
description ( RO): The VM Administrator role can manage VMs and templates

uuid ( RO): fb8d4ff9-310c-a959-0613-54101535d3d5
name ( RO): vm-operator
description ( RO): The VM Operator role can use VMs and interact with VM consoles

uuid ( RO): 7233b8e3-eacb-d7da-2c95-f2e581cdbf4e
name ( RO): read-only
description ( RO): The Read-Only role can log in with basic read-only access

Note

This list of roles is static; it is not possible to add, remove, or modify roles.

  • Run the command xe subject-list

This will return a list of XenServer users, their uuid, and the roles they are associated with:

uuid ( RO): bb6dd239-1fa9-a06b-a497-3be28b8dca44
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2244
other-config (MRO): subject-name: example01\user_vm_admin; subject-upn: user_vm_admin@XENDT.NET; subject-uid: 1823475908; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2244; subject-gecos: user_vm_admin; subject-displayname: user_vm_admin; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): vm-admin

uuid ( RO): 4fe89a50-6a1a-d9dd-afb9-b554cd00c01a
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2245
other-config (MRO): subject-name: example02\user_vm_op; subject-upn: user_vm_op@XENDT.NET; subject-uid: 1823475909; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2245; subject-gecos: user_vm_op; subject-displayname: user_vm_op; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): vm-operator

uuid ( RO): 8a63fbf0-9ef4-4fef-b4a5-b42984c27267
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2242
other-config (MRO): subject-name: example03\user_pool_op; subject-upn: user_pool_op@XENDT.NET; subject-uid: 1823475906; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2242; subject-gecos: user_pool_op; subject-displayname: user_pool_op; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): pool-operator

In order to enable existing AD users to use RBAC, you will need to create a subject instance within XenServer, either for the AD user directly, or for one of their containing groups:

  1. Run the command: xe subject-add subject-name=<AD user or group name>

This adds a new subject instance.

Once you have added a subject, you can assign it to an RBAC role. You can refer to the role by either its uuid or name:

  1. Run the command:

    xe subject-role-add uuid=<subject uuid> role-uuid=<role_uuid>

    or

    xe subject-role-add uuid=<subject uuid> role-name=<role_name>

    For example, the following command adds a subject with the uuid b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 to the Pool Administrator role:

    xe subject-role-add uuid=b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 role-name=pool-admin

To change a user's role, remove them from their existing role and add them to the new one:

  1. Run the commands:

    xe subject-role-remove uuid=<subject uuid> role-name=<role_name_to_remove>
    xe subject-role-add uuid=<subject uuid> role-name=<role_name_to_add>

    Because a subject can hold several roles at once (with the union of their permissions), you can also run the add command first and the remove command second, so that the subject is never left without any role between the two commands.

To ensure that the new role takes effect, the user must log out and log back in again. An administrator can force this by terminating the user's active connections, which requires the "Log out active user connections" permission (available to a Pool Administrator or Pool Operator). Until the session is re-established, the user continues to operate with the role that was in effect at login.

Warning

Once you have added or removed a pool-admin subject, there can be a delay of a few seconds for ssh sessions associated to this subject to be accepted by all hosts of the pool.

The RBAC audit log will record any operation taken by a logged-in user.

  • the message will explicitly record the Subject ID and user name associated with the session that invoked the operation.

  • if an operation is invoked for which the subject does not have authorization, this will be logged.

  • if the operation succeeded then this is recorded; if the operation failed then the error code is logged.

xe audit-log-get [since=<timestamp>] filename=<output filename>

This command downloads to a file all the available records of the RBAC audit file in the pool. If the optional parameter 'since' is present, then it only downloads the records from that specific point in time.

To download all audit records in the pool:

xe audit-log-get filename=/tmp/auditlog-pool-actions.out

To download only the records logged since a precise millisecond timestamp:

xe audit-log-get since=2009-09-24T17:56:20.530Z \
filename=/tmp/auditlog-pool-actions.out

To download only the records logged since a precise minute:

xe audit-log-get since=2009-09-24T17:56Z \
filename=/tmp/auditlog-pool-actions.out

When a user logs in, XenServer determines that user's effective role as follows:

1. The subject is authenticated via the Active Directory server, which also establishes which containing groups the subject belongs to.

2. XenServer then checks which roles have been assigned both to the subject itself and to each of its containing groups.

3. As subjects can be members of multiple Active Directory groups, the user inherits all of the permissions of every associated role.

For example, suppose Subject 2 is an AD group (Group 2) holding the Pool Operator role, and Subject 3 is a user (User 1) holding the VM Operator role who is a member of Group 2. When User 1 logs in, he or she inherits both the VM Operator role (from Subject 3) and the Pool Operator role (from Group 2). Because the Pool Operator role includes every permission of the VM Operator role, the resulting role for User 1 is Pool Operator, not VM Operator. Role assignments made to a group therefore reach every member of that group, including members added in Active Directory later without any change on the XenServer side.
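The resolution described above, as an added example that is not part of the XenServer documentation or product code: a Python script that parses the text `xe subject-list` prints (the two user records shown earlier on this page, with other-config trimmed) and computes a user's effective role from its own subject plus the subjects of its AD groups. The group subject example02\pool-ops, its SID and UUID, the user's membership in it, and the ROLE_RANK ordering (derived from the role descriptions on this page) are assumptions made for the example; the script does not contact a pool or Active Directory.

```python
"""Resolve a XenServer user's effective RBAC role from `xe subject-list` output.

Added example; not XenServer's own code.  It applies the three-step resolution
above: find the user's subject, find the subjects of the user's AD groups, and
take the union of all their roles.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption drawn from the role descriptions on this page: each role's
# permissions are a superset of the role below it, so the union of several
# roles collapses to the highest-ranked one.
ROLE_RANK: Dict[str, int] = {
    "read-only": 0,
    "vm-operator": 1,
    "vm-admin": 2,
    "vm-power-admin": 3,
    "pool-operator": 4,
    "pool-admin": 5,
}

# Constructed input: the first two records are the user subjects shown on this
# page (other-config trimmed); the third is a made-up AD group subject.
SUBJECT_LIST = r"""
uuid ( RO): bb6dd239-1fa9-a06b-a497-3be28b8dca44
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2244
other-config (MRO): subject-name: example01\user_vm_admin; subject-upn: user_vm_admin@XENDT.NET; subject-is-group: false; subject-account-disabled: false
roles (SRO): vm-admin

uuid ( RO): 4fe89a50-6a1a-d9dd-afb9-b554cd00c01a
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2245
other-config (MRO): subject-name: example02\user_vm_op; subject-upn: user_vm_op@XENDT.NET; subject-is-group: false; subject-account-disabled: false
roles (SRO): vm-operator

uuid ( RO): 00000000-0000-4000-8000-000000000001
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-1105
other-config (MRO): subject-name: example02\pool-ops; subject-is-group: true; subject-account-disabled: false
roles (SRO): pool-operator
"""

# One "key ( FLAGS): value" line, e.g. "roles (SRO): vm-admin".
FIELD_RE = re.compile(r"^(?P<key>[\w-]+)\s*\(\s*\w+\s*\):\s*(?P<value>.*)$")


def parse_subject_list(text: str) -> List[Dict]:
    """Split `xe subject-list` output into one dict per subject record."""
    subjects: List[Dict] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            match = FIELD_RE.match(line.strip())
            if match:
                fields[match.group("key")] = match.group("value").strip()
        if "uuid" not in fields:
            continue
        # other-config is a "k: v; k: v" map; roles is a "; "-separated set.
        other: Dict[str, str] = {}
        for item in fields.get("other-config", "").split(";"):
            key, sep, value = item.partition(":")
            if sep:
                other[key.strip()] = value.strip()
        roles = {r.strip() for r in re.split(r"[;,]", fields.get("roles", "")) if r.strip()}
        subjects.append({
            "uuid": fields["uuid"],
            "sid": fields.get("subject-identifier", ""),
            "name": other.get("subject-name", ""),
            "is_group": other.get("subject-is-group", "false").lower() == "true",
            "disabled": other.get("subject-account-disabled", "false").lower() == "true",
            "roles": roles,
        })
    return subjects


def effective_roles(subjects: Iterable[Dict], user_sid: str, group_sids: Iterable[str]) -> Set[str]:
    """Union of the roles held by the user's own subject and by every subject
    that represents one of the user's AD groups (steps 2 and 3 above)."""
    wanted = {user_sid, *group_sids}
    roles: Set[str] = set()
    for subject in subjects:
        if subject["sid"] in wanted:
            roles |= subject["roles"]
    return roles


def highest_role(roles: Iterable[str]) -> Optional[str]:
    """Collapse a union of nested roles to the one that dominates."""
    known = [r for r in roles if r in ROLE_RANK]
    return max(known, key=ROLE_RANK.__getitem__) if known else None


def resolve(text: str, user_sid: str, group_sids: Iterable[str]) -> Tuple[Optional[str], Set[str]]:
    """Effective (top role, all roles) for a user, given the SIDs of its groups."""
    roles = effective_roles(parse_subject_list(text), user_sid, group_sids)
    return highest_role(roles), roles


def holders_of(subjects: Iterable[Dict], role: str) -> List[str]:
    """Subject names that hold `role`; useful for reviewing who has pool-admin."""
    return [s["name"] for s in subjects if role in s["roles"]]


if __name__ == "__main__":
    user_vm_op = "S-1-5-21-1539997073-1618981536-2562117463-2245"
    pool_ops_group = "S-1-5-21-1539997073-1618981536-2562117463-1105"  # constructed
    top, roles = resolve(SUBJECT_LIST, user_vm_op, [pool_ops_group])
    print(f"user_vm_op via pool-ops: roles={sorted(roles)} effective={top}")
    print("pool-operator holders:", holders_of(parse_subject_list(SUBJECT_LIST), "pool-operator"))
```

In practice the group SIDs come from the AD lookup XenServer performs at login, not from the subject list itself; the script takes them as an argument so the same resolution can be checked offline against a saved `xe subject-list` dump, for example to confirm that no group subject quietly grants pool-admin to a large set of users.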

