Red Hat Training
A Red Hat training course is available for Red Hat Satellite
9.6. Organizational Trusts
Organizations can share their resources with each other by establishing an organizational trust in the Satellite. An organizational trust is bi-directional, meaning that once a Satellite Administrator establishes a trust between two or more organizations, the Organization Administrator from each organization is free to share as much or as little of their resources as they need to. It is up to each Organization Administrator to determine what resources to share, and what shared resources from other organizations in the trust to use.
Note
Only Organization Administrators are able to share their custom content; Satellite Administrators only allocate system and software entitlements to each organization.
9.6.1. Establishing an Organizational Trust
A Satellite Administrator can create a trust between two or more organizations. To do this, click the Organizations link on the side menu on the Admin main page.
Click the name of one of the organizations and within the Details page, click the Trusts subtab.
On the Trusts subtab, there is a listing of all the other trusts on the RHN Satellite. Here you may use the Filter by Organization text box to narrow down a long list of organizations to a specific subset.
Figure 9.5. Organizational Trusts
Click the checkbox next to the names of the organizations you want to be in the organizational trust with the current organization and click the button.
9.6.2. Sharing Content Channels between Organizations in a Trust
Once an organizational trust has been established, organizations can now share content such as custom software channels with the other organizations in the trust. There are also three levels of channel sharing that can be applied to each channel for finer-grained channel access control.
Note
Organizations cannot share Red Hat Channels because they are available to all organizations that have entitlements to those channels.
To share a custom channel with another organization, perform the following steps:
- Login to the Satellite with the username of the Organization Administrator.
- Click on the Channels tab.
- On the side menu, click Manage Software Channels.
- Click the custom channel that you want to share with the other organizations.
- From the Channel Access Control section of the Details page, there are three choices for sharing in Organizational Sharing.
- Private — Make the channel private so that it cannot be accessed by any organizations except the channel's owner.
- Protected — Allow the channel to be accessed by specific trusted organizations of your choice.
Note
Choosing Protected sharing displays a separate page that prompts you to confirm that you are granting channel access to the organizations by clicking . - Public — Allow all organizations within the trust to access the custom channel.
Click the radio button next to your selection and click .
Now, any other Organization Administrators within the trust for which you have granted access to your custom channel can allow their client systems to install and update packages from the shared channel.
Note
If you have a system subscribed to a shared channel, and the organizational administrator of the shared channel changes access rights to the channel, then the system loses that channel. If he changes a base channel right, then the system will have no base channel on the Systems page and will not receive updates.
9.6.3. Migrating Systems from One Trusted Organization to Another
In addition to sharing software channels, organizations in a trust can migrate systems to other trusted organizations by using a utility called
migrate-system-profile.
migrate-system-profile usage is based on the command-line, and uses systemIDs and orgIDs as arguments to specify what what is being moved and its destination organization.
To use the
migrate-system-profile command, you must have the spacewalk-utils package installed. You do not need to be logged into the Satellite server to use migrate-system-profile; however, if you do not you will need specify the hostname or IP address of the server as a command-line switch.
Note
When an organization migrates a system with the
migrate-system-profile command, the system does not carry any of the previous entitlements or channel subscriptions from the source organization. However, the system's history is preserved, and can be accessed by the new Organization Administrator in order to simplify the rest of the migration process, which includes subscribing to a base channels and granting entitlements.
9.6.3.1. Using migrate-system-profile
Using
migrate-system-profile is straightforward. You need to ascertain the ID of the system to be migrated, the ID of the organization the system will migrate to, and the hostname or IP address of the Satellite server if you are running the command from another machine.
The usage from the command line is the following:
migrate-system-profile --satellite {SATELLITE HOSTNAME OR IP} --systemId={SYSTEM ID} --to-org-id={DESTINATION ORGANIZATION ID}
For example, if the Finance department (created as an organization in RHN Satellite with OrgID 2) wants to migrate a workstation (with SystemID 10001020) from the Engineering department, but the Finance Organization Administrator does not have shell access to the RHN Satellite server. The RHN Satellite hostname is satserver.example.com.
The Finance Organization Administrator would type the following from a shell prompt:
migrate-system-profile --satellite satserver.example.com --systemId=10001020 --to-org-id=2
The Finance Organization Administrator is then prompted for their username and password (unless they specified it using
--username= and --password= at the command-line).
The Finance Organization Administrator would then be able to see the system from the Systems page when logged into the RHN Satellite web interface. The Finance Organization Administrator can then finish the migration process by assigning a base channel and granting entitlements to the client as he would any other system registered to his organization, which is avaiable from the system's History page in the Events subtab.
Figure 9.6. System History
Note
The Satellite Administrator can migrate a system from one trusted organization to any other in the trust. However, Organization Administrators can only migrate a system from their own organization to another in the trust.
Satellite Administrators that need to migrate several systems at once can use the
--csv option of migrate-system-profile to automate the process using a simple comma-separated list of systems to migrate.
A line in the CSV file should contain the ID of the system to be migrated as well as destination organization's ID in the following format:
systemId,to-org-id
the
systemId, for example could be 1000010000, while the to-org-id could be 4. So, a compatible CSV could look like the following:
1000010000,3 1000010020,1 1000010010,4
For more information about using
migrate-system-profile refer to the manual page by typing man migrate-system-profile or for a basic help screen type migrate-system-profile -h.
