2.7. The Configure Window
Accessed from the main title bar in the Administration Portal, the Configure window allows you to configure a number of global resources for your Red Hat Enterprise Virtualization environment, such as users, roles, and permissions, cluster policies, and instance types. This window allows you to customize the way in which users interact with resources in the environment, and provides a central location for configuring options that can be applied to multiple clusters.
2.7.1. Roles
Roles are predefined sets of privileges that can be configured from Red Hat Enterprise Virtualization Manager. Roles provide access and management permissions to different levels of resources in the data center, and to specific physical and virtual resources.
With multilevel administration, any permissions which apply to a container object also apply to all individual objects within that container. For example, when a host administrator role is assigned to a user on a specific host, the user gains permissions to perform any of the available host operations, but only on the assigned host. However, if the host administrator role is assigned to a user on a data center, the user gains permissions to perform host operations on all hosts within the cluster of the data center.
2.7.1.1. Creating a New Role
Summary
If the role you require is not on Red Hat Enterprise Virtualization's default list of roles, you can create a new role and customize it to suit your purposes.
Procedure 2.2. Creating a New Role
- On the header bar, click the Configure button to open the Configure window. The window shows a list of default User and Administrator roles, and any custom roles.
- Click New. The New Role dialog box displays.
- Enter the Name and Description of the new role.
- Select either Admin or User as the Account Type.
- Use the or buttons to view more or fewer of the permissions for the listed objects in the Check Boxes to Allow Action list. You can also expand or collapse the options for each object.
- For each of the objects, select or clear the actions you wish to permit or deny for the role you are setting up.
- Click to apply the changes you have made. The new role displays on the list of roles.
Result
You have created a new role with permissions to specific resources. You can assign the new role to users.
2.7.1.2. Editing or Copying a Role
Summary
You can change the settings for roles you have created, but you cannot change default roles. To change default roles, clone and modify them to suit your requirements.
Procedure 2.3. Editing or Copying a Role
- On the header bar, click the Configure button to open the Configure window. The window shows a list of default User and Administrator roles, and any custom roles.
- Select the role you wish to change. Click Edit to open the Edit Role window, or click Copy to open the Copy Role window.
- If necessary, edit the Name and Description of the role.
- Use the or buttons to view more or fewer of the permissions for the listed objects. You can also expand or collapse the options for each object.
- For each of the objects, select or clear the actions you wish to permit or deny for the role you are editing.
- Click to apply the changes you have made.
Result
You have edited the properties of a role, or cloned a role.
2.7.1.3. User Role and Authorization Examples
The following examples illustrate how to apply authorization controls for various scenarios, using the different features of the authorization system described in this chapter.
Example 2.1. Cluster Permissions
Sarah is the system administrator for the accounts department of a company. All the virtual resources for her department are organized under a Red Hat Enterprise Virtualization
cluster called Accounts. She is assigned the ClusterAdmin role on the accounts cluster. This enables her to manage all virtual machines in the cluster, since the virtual machines are child objects of the cluster. Managing the virtual machines includes editing, adding, or removing virtual resources such as disks, and taking snapshots. It does not allow her to manage any resources outside this cluster. Because ClusterAdmin is an administrator role, it allows her to use the Administration Portal to manage these resources, but does not give her any access via the User Portal.
Example 2.2. VM PowerUser Permissions
John is a software developer in the accounts department. He uses virtual machines to build and test his software. Sarah has created a virtual desktop called
johndesktop for him. John is assigned the UserVmManager role on the johndesktop virtual machine. This allows him to access this single virtual machine using the User Portal. Because he has UserVmManager permissions, he can modify the virtual machine and add resources to it, such as new virtual disks. Because UserVmManager is a user role, it does not allow him to use the Administration Portal.
Example 2.3. Data Center Power User Role Permissions
Penelope is an office manager. In addition to her own responsibilities, she occasionally helps the HR manager with recruitment tasks, such as scheduling interviews and following up on reference checks. As per corporate policy, Penelope needs to use a particular application for recruitment tasks.
While Penelope has her own machine for office management tasks, she wants to create a separate virtual machine to run the recruitment application. She is assigned
PowerUserRole permissions for the data center in which her new virtual machine will reside. This is because to create a new virtual machine, she needs to make changes to several components within the data center, including creating the virtual machine disk image in the storage domain.
Note that this is not the same as assigning
DataCenterAdmin privileges to Penelope. As a PowerUser for a data center, Penelope can log in to the User Portal and perform virtual machine-specific actions on virtual machines within the data center. She cannot perform data center-level operations such as attaching hosts or storage to a data center.
Example 2.4. Network Administrator Permissions
Chris works as the network administrator in the IT department. Her day-to-day responsibilities include creating, manipulating, and removing networks in the department's Red Hat Enterprise Virtualization environment. For her role, she requires administrative privileges on the resources and on the networks of each resource. For example, if Chris has
NetworkAdmin privileges on the IT department's data center, she can add and remove networks in the data center, and attach and detach networks for all virtual machines belonging to the data center.
In addition to managing the networks of the company's virtualized infrastructure, Chris also has a junior network administrator reporting to her. The junior network administrator, Pat, is managing a smaller virtualized environment for the company's internal training department. Chris has assigned Pat
NetworkUser permissions and UserVmManager permissions for the virtual machines used by the internal training department. With these permissions, Pat can perform simple administrative tasks such as adding network interfaces onto virtual machines in the Extended tab of the User Portal. However, he does not have permissions to alter the networks for the hosts on which the virtual machines run, or the networks on the data center to which the virtual machines belong.
Example 2.5. Custom Role Permissions
Rachel works in the IT department, and is responsible for managing user accounts in Red Hat Enterprise Virtualization. She needs permission to add user accounts and assign them the appropriate roles and permissions. She does not use any virtual machines herself, and should not have access to administration of hosts, virtual machines, clusters or data centers. There is no built-in role which provides her with this specific set of permissions. A custom role must be created to define the set of permissions appropriate to Rachel's position.
The custom role shown above allows manipulation of users, permissions and roles. These actions are organized under
System - the top level object of the hierarchy shown in Figure 2.8, “UserManager Custom Role”. This means they apply to all other objects in the system. The role is set to have an Account Type of Admin. This means that when she is assigned this role, Rachel can only use the Administration Portal, not the User Portal.
2.7.2. System Permissions
Permissions enable users to perform actions on objects, where objects are either individual objects or container objects.
Any permissions that apply to a container object also apply to all members of that container. The following diagram depicts the hierarchy of objects in the system.
2.7.2.1. User Properties
Roles and permissions are the properties of the user. Roles are predefined sets of privileges that permit access to different levels of physical and virtual resources. Multilevel administration provides a finely grained hierarchy of permissions. For example, a data center administrator has permissions to manage all objects in the data center, while a host administrator has system administrator permissions to a single physical host. A user can have permissions to use a single virtual machine but not make any changes to the virtual machine configurations, while another user can be assigned system permissions to a virtual machine.
2.7.2.2. User and Administrator Roles
Red Hat Enterprise Virtualization provides a range of pre-configured roles, from an administrator with system-wide permissions to an end user with access to a single virtual machine. While you cannot change or remove the default roles, you can clone and customize them, or create new roles according to your requirements. There are two types of roles:
- Administrator Role: Allows access to the Administration Portal for managing physical and virtual resources. An administrator role confers permissions for actions to be performed in the User Portal; however, it has no bearing on what a user can see in the User Portal.
- User Role: Allows access to the User Portal for managing and accessing virtual machines and templates. A user role determines what a user can see in the User Portal. Permissions granted to a user with an administrator role are reflected in the actions available to that user in the User Portal.
For example, if you have an
administrator role on a cluster, you can manage all virtual machines in the cluster using the Administration Portal. However, you cannot access any of these virtual machines in the User Portal; this requires a user role.
2.7.2.3. User Roles Explained
The table below describes basic user roles which confer permissions to access and configure virtual machines in the User Portal.
Table 2.1. Red Hat Enterprise Virtualization User Roles - Basic
| Role | Privileges | Notes |
|---|---|---|
| UserRole | Can access and use virtual machines and pools. | Can log in to the User Portal, use assigned virtual machines and pools, view virtual machine state and details. |
| PowerUserRole | Can create and manage virtual machines and templates. | Apply this role to a user for the whole environment with the Configure window, or for specific data centers or clusters. For example, if a PowerUserRole is applied on a data center level, the PowerUser can create virtual machines and templates in the data center. |
| UserVmManager | System administrator of a virtual machine. | Can manage virtual machines and create and use snapshots. A user who creates a virtual machine in the User Portal is automatically assigned the UserVmManager role on the machine. |
The table below describes advanced user roles which allow you to do more fine tuning of permissions for resources in the User Portal.
Table 2.2. Red Hat Enterprise Virtualization User Roles - Advanced
| Role | Privileges | Notes |
|---|---|---|
| UserTemplateBasedVm | Limited privileges to only use Templates. | Can use templates to create virtual machines. |
| DiskOperator | Virtual disk user. | Can use, view and edit virtual disks. Inherits permissions to use the virtual machine to which the virtual disk is attached. |
| VmCreator | Can create virtual machines in the User Portal. | This role is not applied to a specific virtual machine; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or clusters. When applying this role to a cluster, you must also apply the DiskCreator role on an entire data center, or on specific storage domains. |
| TemplateCreator | Can create, edit, manage and remove virtual machine templates within assigned resources. | This role is not applied to a specific template; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers, clusters, or storage domains. |
| DiskCreator | Can create, edit, manage and remove virtual machine disks within assigned clusters or data centers. | This role is not applied to a specific virtual disk; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or storage domains. |
| TemplateOwner | Can edit and delete the template, assign and manage user permissions for the template. | This role is automatically assigned to the user who creates a template. Other users who do not have TemplateOwner permissions on a template cannot view or use the template. |
| NetworkUser | Logical network and network interface user for virtual machine and template. | Can attach or detach network interfaces from specific logical networks. |
2.7.2.4. Administrator Roles Explained
The table below describes basic administrator roles which confer permissions to access and configure resources in the Administration Portal.
Table 2.3. Red Hat Enterprise Virtualization System Administrator Roles - Basic
| Role | Privileges | Notes |
|---|---|---|
| SuperUser | System Administrator of the Red Hat Enterprise Virtualization environment. | Has full permissions across all objects and levels, can manage all objects across all data centers. |
| ClusterAdmin | Cluster Administrator. | Possesses administrative permissions for all objects underneath a specific cluster. |
| DataCenterAdmin | Data Center Administrator. | Possesses administrative permissions for all objects underneath a specific data center except for storage. |
Important
Do not use the administrative user for the directory server as the Red Hat Enterprise Virtualization administrative user. Create a user in the directory server specifically for use as the Red Hat Enterprise Virtualization administrative user.
The table below describes advanced administrator roles which allow you to do more fine tuning of permissions for resources in the Administration Portal.
Table 2.4. Red Hat Enterprise Virtualization System Administrator Roles - Advanced
| Role | Privileges | Notes |
|---|---|---|
| TemplateAdmin | Administrator of a virtual machine template. | Can create, delete, and configure the storage domains and network details of templates, and move templates between domains. |
| StorageAdmin | Storage Administrator. | Can create, delete, configure, and manage an assigned storage domain. |
| HostAdmin | Host Administrator. | Can attach, remove, configure, and manage a specific host. |
| NetworkAdmin | Network Administrator. | Can configure and manage the network of a particular data center or cluster. A network administrator of a data center or cluster inherits network permissions for virtual pools within the cluster. |
| VmPoolAdmin | System Administrator of a virtual pool. | Can create, delete, and configure a virtual pool; assign and remove virtual pool users; and perform basic operations on a virtual machine in the pool. |
| GlusterAdmin | Gluster Storage Administrator. | Can create, delete, configure, and manage Gluster storage volumes. |
2.7.3. Cluster Policies
A cluster policy is a set of rules that defines the logic by which virtual machines are distributed amongst hosts in the cluster to which that cluster policy is applied. Cluster policies determine this logic via a combination of filters, weightings, and a load balancing policy. While the Red Hat Enterprise Virtualization Manager provides four default cluster policies - Evenly_Distributed, None, Power_Saving, and VM_Evenly_Distributed - you can also define new cluster policies that provide fine-grained control over the distribution of virtual machines.
2.7.3.1. Creating a Cluster Policy
Summary
You can create new cluster policies to control the logic by which virtual machines are distributed amongst a given cluster in your Red Hat Enterprise Virtualization environment.
Procedure 2.4. Creating a Cluster Policy
- Click the button in the header bar of the Administration Portal to open the Configure window.
- Click Cluster Policies to view the cluster policies tab.
- Click to open the New Cluster Policy window.
- Enter a Name and Description for the cluster policy.
- Configure filter modules:
- In the Filter Modules section, drag and drop the preferred filter modules to apply to the cluster policy from the Disabled Filters section into the Enabled Filters section.
- Specific filter modules can also be set as the First, to be given highest priority, or Last, to be given lowest priority, for basic optimization.To set the priority, right-click any filter module, hover the cursor over Position and select First or Last.
- Configure weight modules:
- In the Weights Modules section, drag and drop the preferred weights modules to apply to the cluster policy from the Disabled Weights section into the Enabled Weights & Factors section.
- Use the and buttons to the left of the enabled weight modules to increase or decrease the weight of those modules.
- Specify a load balancing policy:
- From the drop-down menu in the Load Balancer section, select the load balancing policy to apply to the cluster policy.
- From the drop-down menu in the Properties section, select a load balancing property to apply to the cluster policy and use the text field to the right of that property to specify a value.
- Use the and buttons to add or remove additional properties.
- Click .
Result
You have created a new cluster policy that can be applied to clusters in your Red Hat Enterprise Virtualization environment.
2.7.3.2. Explanation of Settings in the New Cluster Policy and Edit Cluster Policy Window
The following table details the options available in the New Cluster Policy and Edit Cluster Policy windows.
Table 2.5. New Cluster Policy Settings
|
Field Name
|
Description
|
|---|---|
|
Name
|
The name of the cluster policy. This is the name used to refer to the cluster policy in the Red Hat Enterprise Virtualization Manager.
|
|
Description
|
A description of the cluster policy. This field is recommended but not mandatory.
|
|
Filter Modules
|
A set of filters for controlling the hosts on which a virtual machine in a cluster can run. Enabling a filter will filter out hosts that do not meet the conditions specified by that filter, as outlined below:
|
|
Weights Modules
|
A set of weightings for controlling the relative priority of factors considered when determining the hosts in a cluster on which a virtual machine can run.
|
|
Load Balancer
|
This drop-down menu allows you to select a load balancing module to apply. Load balancing modules determine the logic used to migrate virtual machines from hosts experiencing high usage to hosts experiencing lower usage.
|
|
Properties
|
This drop-down menu allows you to add or remove properties for load balancing modules, and is only available when you have selected a load balancing module for the cluster policy. No properties are defined by default, and the properties that are available are specific to the load balancing module that is selected. Use the and buttons to add or remove additional properties to or from the load balancing module.
|
2.7.4. Instance Types
Instance types can be used to define the hardware configuration of a virtual machine. Selecting an instance type when creating or editing a virtual machine will automatically fill in the hardware configuration fields. This allows users to create multiple virtual machines with the same hardware configuration without having to manually fill in every field.
A set of predefined instance types are available by default, as outlined in the following table:
Table 2.6. Predefined Instance Types
|
Name
|
Memory
|
vCPUs
|
|---|---|---|
|
Tiny
|
512 MB
|
1
|
|
Small
|
2 GB
|
1
|
|
Medium
|
4 GB
|
2
|
|
Large
|
8 GB
|
2
|
|
XLarge
|
16 GB
|
4
|
Administrators can also create, edit, and remove instance types from the Instance Types tab of the Configure window.
Fields in the New Virtual Machine and Edit Virtual Machine windows that are bound to an instance type will have a chain link image next to them (
). If the value of one of these fields is changed, the virtual machine will be detached from the instance type, changing to Custom, and the chain will appear broken (
). However, if the value is changed back, the chain will relink and the instance type will move back to the selected one.
). If the value of one of these fields is changed, the virtual machine will be detached from the instance type, changing to Custom, and the chain will appear broken (
). However, if the value is changed back, the chain will relink and the instance type will move back to the selected one.
2.7.4.1. Creating Instance Types
Summary
Administrators can create new instance types, which can then be selected by users when creating or editing virtual machines.
Procedure 2.5. Creating an Instance Type
- On the header bar, click the Configure button to open the window.
- Click the Instance Types tab.
- Click the button to open the New Instance Type window.
- On the General tab, fill in the Name and Description fields. You can accept the default settings for other fields, or change them if required.
- Click the System, Console, Host, High Availability, Resource Allocation, Boot Options, and Random Generator tabs in turn to define your instance configuration as required. The settings that appear under these tabs are identical to those in the New Virtual Machine window, but with the relevant fields only.
- Click to create the instance type and close the window.
Result
The new instance type will appear in the Instance Types tab in the Configure window, and can be selected from the Instance Type drop down menu when creating or editing a virtual machine.
2.7.4.2. Editing Instance Types
Summary
Administrators can edit existing instance types from the Configure window.
Procedure 2.6. Editing Instance Type Properties
- Select the instance type to be edited.
- Click the button to open the Edit Instance Type window.
- Change the General, System, Console, Host, High Availability, Resource Allocation, Boot Options, and Random Generator fields as required.
- Click to save your changes.
Result
The configuration of the instance type is updated. Both new virtual machines and existing virtual machines based on the instance type will use the new configuration.
2.7.4.3. Removing Instance Types
Summary
Remove an instance type from the Red Hat Enterprise Virtualization environment.
Procedure 2.7. Removing an Instance Type
- Select the instance type to be removed.
- Click the button to open the Remove Instance Type window.
- If any virtual machines are based on the instance type to be removed, a warning window listing the attached virtual machines will appear. To continue removing the instance type, click the Approve Operation checkbox. Otherwise click .
- Click .
Result
The instance type is removed from the Instance Types list and can no longer be used when creating a new virtual machine. Any virtual machines that were attached to the removed instance type will now be attached to Custom (no instance type).