15.7. Administering User Tasks From the Command Line

You can use the ovirt-aaa-jdbc-tool tool to manage user accounts on the internal domain. Changes made using the tool take effect immediately and do not require you to restart the ovirt-engine service. For a full list of user options, run ovirt-aaa-jdbc-tool user --help. Common examples are provided in this section.

Important

You must be logged into the Manager machine.

15.7.1. Creating a New User

You can create a new user account. The optional --attribute option specifies account details. For a full list of options, run ovirt-aaa-jdbc-tool user add --help.

# ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
adding user test1...
user added successfully

You can add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.

15.7.2. Setting a User Password

You can create a password. You must set a value for --password-valid-to, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, -0800 stands for GMT minus 8 hours. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.

# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
Password:
updating user test1...
user updated successfully

Note

By default, the password policy for user accounts on the internal domain has the following restrictions:

  • A minimum of 6 characters.
  • The three previously used passwords cannot be set again during a password change.

For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.

15.7.3. Setting User Timeout

You can set the user timeout period:

# engine-config --set UserSessionTimeOutInterval=integer

15.7.4. Pre-encrypting a User Password

You can create a pre-encrypted user password using the ovirt-engine-crypto-tool script. This option is useful if you are adding users and passwords to the database with a script.

Note

Passwords are stored in the Manager database in encrypted form. The ovirt-engine-crypto-tool script is used because all passwords must be encrypted with the same algorithm.

If the password is pre-encrypted, password validity tests cannot be performed. The password will be accepted even if it does not comply with the password validation policy.

  1. Run the following command:

    # /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode

    The script will prompt you to enter the password.

    Alternatively, you can use the --password=file:file option to encrypt a single password that appears as the first line of a file. This option is useful for automation. In the following example, file is a text file containing a single password for encryption:

    # /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode --password=file:file
  2. Set the new password with the ovirt-aaa-jdbc-tool script, using the --encrypted option:

    # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800" --encrypted
  3. Enter and confirm the encrypted password:

    Password:
    Reenter password:
    updating user test1...
    user updated successfully
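
A scripted form of steps 1 and 2, as an added example that is not part of the Red Hat documentation: because a pre-encrypted password skips the validity tests, the script applies the default 6-character minimum itself before encoding, and it refuses a --password-valid-to value that is not in the format shown on this page. The function names and the MIN_LEN variable are assumptions, and the password-history rule cannot be checked outside the tool.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Function names and MIN_LEN are assumptions;
# MIN_LEN mirrors the default 6-character minimum (confirm with `settings show`).
CRYPTO_TOOL=/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh
MIN_LEN=6

# Length check that is skipped once a password arrives pre-encrypted.
policy_ok() {
    [ "${#1}" -ge "$MIN_LEN" ]
}

# Accept only the numeric-offset form shown on this page,
# e.g. "2025-08-01 12:00:00-0800"; anything else is refused.
valid_to_ok() {
    _d='[0-9]'
    case $1 in
        ${_d}${_d}${_d}${_d}-${_d}${_d}-${_d}${_d}' '${_d}${_d}:${_d}${_d}:${_d}${_d}[+-]${_d}${_d}${_d}${_d})
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Step 1 with --password=file:file. printf is a shell builtin, so the
# cleartext never appears in a process argument list. Runs in a subshell
# so the umask change and temporary variables do not leak to the caller.
preencode() (
    policy_ok "$1" || { echo "refused: shorter than $MIN_LEN characters" >&2; exit 1; }
    umask 077
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$1" > "$tmp"
    rc=0
    "$CRYPTO_TOOL" pbe-encode --password="file:$tmp" || rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Step 2: refuse a missing or malformed expiry before calling the tool,
# which then prompts for the encoded password as in step 3.
reset_encrypted() {
    valid_to_ok "$2" || { echo "refused: bad --password-valid-to '$2'" >&2; return 1; }
    ovirt-aaa-jdbc-tool user password-reset "$1" --password-valid-to="$2" --encrypted
}
```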

15.7.5. Viewing User Information

You can view detailed user account information:

# ovirt-aaa-jdbc-tool user show test1

This command displays more information than in the Administration Portal’s Administration → Users screen.

15.7.6. Editing User Information

You can update user information, such as the email address:

# ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com

15.7.7. Removing a User

You can remove a user account:

# ovirt-aaa-jdbc-tool user delete test1

Remove the user from the Administration Portal. See Section 15.6.4, “Removing Users” for more information.

15.7.8. Disabling the Internal Administrative User

You can disable users on the local domains, including the admin@internal user created during engine-setup. Make sure you have at least one user in the environment with full administrative permissions before disabling the default admin user.

Disabling the Internal Administrative User

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. Make sure another user with the SuperUser role has been added to the environment. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.
  3. Disable the default admin user:

    # ovirt-aaa-jdbc-tool user edit admin --flag=+disabled

Note

To enable a disabled user, run ovirt-aaa-jdbc-tool user edit username --flag=-disabled

15.7.9. Managing Groups

You can use the ovirt-aaa-jdbc-tool tool to manage group accounts on your internal domain. Managing group accounts is similar to managing user accounts. For a full list of group options, run ovirt-aaa-jdbc-tool group --help. Common examples are provided in this section.

Creating a Group

This procedure shows you how to create a group account, add users to the group, and view the details of the group.

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. Create a new group:

    # ovirt-aaa-jdbc-tool group add group1
  3. Add users to the group. The users must be created already.

    # ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1

    Note

    For a full list of the group-manage options, run ovirt-aaa-jdbc-tool group-manage --help.

  4. View group account details:

    # ovirt-aaa-jdbc-tool group show group1
  5. Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. The users in the group inherit the roles and permissions of the group. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.

Creating Nested Groups

This procedure shows you how to create groups within groups.

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. Create the first group:

    # ovirt-aaa-jdbc-tool group add group1
  3. Create the second group:

    # ovirt-aaa-jdbc-tool group add group1-1
  4. Add the second group to the first group:

    # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
  5. Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.

15.7.10. Querying Users and Groups

The query module allows you to query user and group information. For a full list of options, run ovirt-aaa-jdbc-tool query --help.

Listing All User or Group Account Details

This procedure shows you how to list all account information.

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. List the account details.

    • All user account details:

      # ovirt-aaa-jdbc-tool query --what=user
    • All group account details:

      # ovirt-aaa-jdbc-tool query --what=group

Listing Filtered Account Details

This procedure shows you how to apply filters when listing account information.

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. Filter account details using the --pattern parameter.

    • List user account details with names that start with the character j.

      # ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
    • List groups that have the department attribute set to marketing:

      # ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"

15.7.11. Managing Account Settings

To change the default account settings, use the ovirt-aaa-jdbc-tool settings module.

Updating Account Settings

This procedure shows you how to update the default account settings.

  1. Log in to the machine on which the Red Hat Virtualization Manager is installed.
  2. Run the following command to show all the settings available:

    # ovirt-aaa-jdbc-tool settings show
  3. Change the desired settings:

    • This example updates the default login session time to 60 minutes for all user accounts. The default value is 10080 minutes.

      # ovirt-aaa-jdbc-tool settings set --name=MAX_LOGIN_MINUTES --value=60
    • This example updates the number of failed login attempts a user can perform before the user account is locked. The default value is 5.

      # ovirt-aaa-jdbc-tool settings set --name=MAX_FAILURES_SINCE_SUCCESS --value=3

      Note

      To unlock a locked user account, run ovirt-aaa-jdbc-tool user unlock test1.