Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 7. Managing Users and Roles
A User defines a set of details for individuals using the system. Users can be associated with organizations and environments, so that when they create new entities, the default settings are automatically used. Users can also have one or more roles attached, which grants them rights to view and manage organizations and environments. See Section 7.1, “Managing Users” for more information on working with users.
You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. For more information on creating user groups, see Section 7.4, “Creating and Managing User Groups”.
Roles define a set of permissions and access levels. Each role contains one on more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users. Satellite provides a set of predefined roles and also enables creating custom roles and permission filters as described in Section 7.5, “Creating and Managing Roles”.
7.1. Managing Users
As an administrator, you can create, modify and remove Satellite users. You can also configure access permissions for a user or a group of users by assigning them different roles.
7.1.1. Creating a User
Use this procedure to create a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Click Create User.
- In the Login field, enter a username for the user.
- In the Firstname and Lastname fields, enter the real first name and last name of the user.
- In the Mail field, enter the user’s email address.
- In the Description field, add a description of the new user.
- Select a specific language for the user from the Language list.
Select a timezone for the user from the Timezone list.
By default, Satellite Server uses the language and timezone settings of the user’s browser.
Set a password for the user:
From the Authorized by list, select the source by which the user is authenticated.
- INTERNAL: to enable the user to be managed inside Satellite Server.
- EXTERNAL: to configure external authentication as described in Configuring External Authentication in Installing Satellite Server in a Connected Network Environment.
- Enter an initial password for the user in the Password field and the Verify field.
- Click Submit to create the user.
CLI procedure
To create a user, enter the following command:
# hammer user create \ --auth-source-id My_Authentication_Source \ --login My_User_Name \ --mail My_User_Mail \ --organization-ids My_Organization_ID_1,My_Organization_ID_2 \ --password My_User_Password
The
--auth-source-id 1
setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the--admin
option to grant administrator privileges to the user. Specifying organization IDs is not required, you can modify the user details later using theupdate
subcommand.
For more information about user related subcommands, enter hammer user --help
.
7.1.2. Assigning Roles to a User
Use this procedure to assign roles to a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
Click the username of the user to be assigned one or more roles.
NoteIf a user account is not listed, check that you are currently viewing the correct organization. To list all the users in Satellite, click Default Organization and then Any Organization.
- Click the Locations tab, and select a location if none is assigned.
- Click the Organizations tab, and check that an organization is assigned.
- Click the Roles tab to display the list of available roles.
Select the roles to assign from the Roles list.
To grant all the available permissions, select the Admin checkbox.
- Click Submit.
To view the roles assigned to a user, click the Roles tab; the assigned roles are listed under Selected items. To remove an assigned role, click the role name in Selected items.
CLI procedure
To assign roles to a user, enter the following command:
# hammer user add-role --id user_id --role role_name
7.1.3. Impersonating a Different User Account
Administrators can impersonate other authenticated users for testing and troubleshooting purposes by temporarily logging on to the Satellite web UI as a different user. When impersonating another user, the administrator has permissions to access exactly what the impersonated user can access in the system, including the same menus.
Audits are created to record the actions that the administrator performs while impersonating another user. However, all actions that an administrator performs while impersonating another user are recorded as having been performed by the impersonated user.
Prerequisites
- Ensure that you are logged on to the Satellite web UI as a user with administrator privileges for Satellite.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- To the right of the user that you want to impersonate, from the list in the Actions column, select Impersonate.
When you want to stop the impersonation session, in the upper right of the main menu, click the impersonation icon.
7.1.4. Creating an API-Only User
You can create users that can interact only with the Satellite API.
Prerequisite
- You have created a user and assigned roles to them. Note that this user must be authorized internally. For more information, see Creating a User and Assigning Roles to a User.
Procedure
- Log in to your Satellite as admin.
- Navigate to Administer > Users and select a user.
On the User tab, set a password. Do not save or communicate this password with others. You can create pseudo-random strings on your console:
# openssl rand -hex 32
- Create a Personal Access Token for the user. For more information, see Section 7.3.1, “Creating a Personal Access Token”.
7.2. Managing SSH Keys
Adding SSH keys to a user allows deployment of SSH keys during provisioning. For information on deploying SSH keys during provisioning, see Deploying SSH Keys during Provisioning in Provisioning Hosts.
For information on SSH keys and SSH key creation, see Using SSH-based Authentication in Red Hat Enterprise Linux 8 Configuring basic system settings.
7.2.1. Managing SSH Keys for a User
Use this procedure to add or remove SSH keys for a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Prerequisites
- Ensure that you are logged in to the Satellite web UI as an Admin user of Red Hat Satellite or a user with the create_ssh_key permission enabled for adding SSH key and destroy_ssh_key permission for removing a key.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- From the Username column, click on the username of the required user.
Click on the SSH Keys tab.
To Add SSH key
- Prepare the content of the public SSH key in a clipboard.
- Click Add SSH Key.
- In the Key field, paste the public SSH key content from the clipboard.
- In the Name field, enter a name for the SSH key.
- Click Submit.
To Remove SSH key
- Click Delete on the row of the SSH key to be deleted.
- Click OK in the confirmation prompt.
CLI procedure
To add an SSH key to a user, you must specify either the path to the public SSH key file, or the content of the public SSH key copied to the clipboard.
If you have the public SSH key file, enter the following command:
# hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key-file ~/.ssh/id_rsa.pub
If you have the content of the public SSH key, enter the following command:
# hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNtYAAABBBHHS2KmNyIYa27Qaa7EHp+2l99ucGStx4P77e03ZvE3yVRJEFikpoP3MJtYYfIe8k 1/46MTIZo9CPTX4CYUHeN8= host@user
To delete an SSH key from a user, enter the following command:
# hammer user ssh-keys delete --id key_id --user-id user_id
To view an SSH key attached to a user, enter the following command:
# hammer user ssh-keys info --id key_id --user-id user_id
To list SSH keys attached to a user, enter the following command:
# hammer user ssh-keys list --user-id user_id
7.3. Managing Personal Access Tokens
Personal Access Tokens allow you to authenticate API requests without using your password. You can set an expiration date for your Personal Access Token and you can revoke it if you decide it should expire before the expiration date.
7.3.1. Creating a Personal Access Token
Use this procedure to create a Personal Access Token.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Select a user for which you want to create a Personal Access Token.
- On the Personal Access Tokens tab, click Add Personal Access Token.
- Enter a Name for you Personal Access Token.
- Optional: Select the Expires date to set an expiration date. If you do not set an expiration date, your Personal Access Token will never expire unless revoked.
Click Submit. You now have the Personal Access Token available to you on the Personal Access Tokens tab.
ImportantEnsure to store your Personal Access Token as you will not be able to access it again after you leave the page or create a new Personal Access Token. You can click Copy to clipboard to copy your Personal Access Token.
Verification
Make an API request to your Satellite Server and authenticate with your Personal Access Token:
# curl https://satellite.example.com/api/status --user My_Username:My_Personal_Access_Token
You should receive a response with status
200
, for example:{"satellite_version":"6.12.0","result":"ok","status":200,"version":"3.5.1.10","api_version":2}
If you go back to Personal Access Tokens tab, you can see the updated Last Used time next to your Personal Access Token.
7.3.2. Revoking a Personal Access Token
Use this procedure to revoke a Personal Access Token before its expiration date.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Select a user for which you want to revoke the Personal Access Token.
- On the Personal Access Tokens tab, locate the Personal Access Token you want to revoke.
- Click Revoke in the Actions column next to the Personal Access Token you want to revoke.
Verification
Make an API request to your Satellite Server and try to authenticate with the revoked Personal Access Token:
# curl https://satellite.example.com/api/status --user My_Username:My_Personal_Access_Token
You receive the following error message:
{ "error": {"message":"Unable to authenticate user My_Username"} }
7.4. Creating and Managing User Groups
7.4.1. User Groups
With Satellite, you can assign permissions to groups of users. You can also create user groups as collections of other user groups. If using an external authentication source, you can map Satellite user groups to external user groups as described in Configuring External User Groups in Installing Satellite Server in a Connected Network Environment.
User groups are defined in an organizational context, meaning that you must select an organization before you can access user groups.
7.4.2. Creating a User Group
Use this procedure to create a user group.
Procedure
- In the Satellite web UI, navigate to Administer > User Groups.
- Click Create User group.
On the User Group tab, specify the name of the new user group and select group members:
- Select the previously created user groups from the User Groups list.
- Select users from the Users list.
- On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Admin checkbox to assign all available permissions.
- Click Submit.
CLI procedure
To create a user group, enter the following command:
# hammer user-group create \ --name My_User_Group_Name \ --role-ids My_Role_ID_1,My_Role_ID_2 \ --user-ids My_User_ID_1,My_User_ID_2
7.4.3. Removing a User Group
Use the Satellite web UI to remove a user group.
Procedure
- In the Satellite web UI, navigate to Administer > User Groups.
- Click Delete to the right of the user group you want to delete.
- In the alert box that appears, click OK to delete a user group.
7.5. Creating and Managing Roles
Satellite provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Section 7.6, “Predefined Roles Available in Satellite”. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain Satellite plug-ins create roles automatically.
7.5.1. Creating a Role
Use this procedure to create a role.
Procedure
- In the Satellite web UI, navigate to Administer > Roles.
- Click Create Role.
- Provide a Name for the role.
- Click Submit to save your new role.
CLI procedure
To create a role, enter the following command:
# hammer role create --name My_Role_Name
To serve its purpose, a role must contain permissions. After creating a role, proceed to Section 7.5.3, “Adding Permissions to a Role”.
7.5.2. Cloning a Role
Use the Satellite web UI to clone a role.
Procedure
- In the Satellite web UI, navigate to Administer > Roles and select Clone from the drop-down menu to the right of the required role.
- Provide a Name for the role.
- Click Submit to clone the role.
- Click the name of the cloned role and navigate to Filters.
- Edit the permissions as required.
- Click Submit to save your new role.
7.5.3. Adding Permissions to a Role
Use this procedure to add permissions to a role. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Procedure
- In the Satellite web UI, navigate to Administer > Roles.
- Select Add Filter from the drop-down list to the right of the required role.
- Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.
- Click the permissions you want to select from the Permission list.
- Depending on the Resource type selected, you can select or deselect the Unlimited and Override checkbox. The Unlimited checkbox is selected by default, which means that the permission is applied on all resources of the selected type. When you disable the Unlimited checkbox, the Search field activates. In this field you can specify further filtering with use of the Satellite search syntax. For more information, see Section 7.7, “Granular Permission Filtering”. When you enable the Override checkbox, you can add additional locations and organizations to allow the role to access the resource type in the additional locations and organizations; you can also remove an already associated location and organization from the resource type to restrict access.
- Click Next.
- Click Submit to save changes.
CLI procedure
List all available permissions:
# hammer filter available-permissions
Add permissions to a role:
# hammer filter create \ --permission-ids My_Permission_ID_1,My_Permission_ID_2 \ --role My_Role_Name
For more information about roles and permissions parameters, enter the hammer role --help
and hammer filter --help
commands.
7.5.4. Viewing Permissions of a Role
Use the Satellite web UI to view the permissions of a role.
Procedure
- In the Satellite web UI, navigate to Administer > Roles.
- Click Filters to the right of the required role to get to the Filters page.
The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. For more information, see Section 7.5.5, “Creating a Complete Permission Table”.
7.5.5. Creating a Complete Permission Table
Use the Satellite CLI to create a permission table.
Procedure
Ensure that the required packages are installed. Execute the following command on Satellite Server:
# satellite-maintain packages install foreman-console
Start the Satellite console with the following command:
# foreman-rake console
Insert the following code into the console:
f = File.open('/tmp/table.html', 'w') result = Foreman::AccessControl.permissions {|a,b| a.security_block <=> b.security_block}.collect do |p| actions = p.actions.collect { |a| "<li>#{a}</li>" } "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>" end.join("\n") f.write(result)
The above syntax creates a table of permissions and saves it to the
/tmp/table.html
file.Press
Ctrl
+D
to exit the Satellite console. Insert the following text at the first line of/tmp/table.html
:<table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>
Append the following text at the end of
/tmp/table.html
:</table>
-
Open
/tmp/table.html
in a web browser to view the table.
7.5.6. Removing a Role
Use the Satellite web UI to remove a role.
Procedure
- In the Satellite web UI, navigate to Administer > Roles.
- Select Delete from the drop-down list to the right of the role to be deleted.
- In an alert box that appears, click OK to delete the role.
7.6. Predefined Roles Available in Satellite
The following table provides an overview of permissions that predefined roles in Satellite grant to a user.
To view the exact set of permissions a predefined role grants, display the role in Satellite web UI as the privileged user. For more information, see Section 7.5.4, “Viewing Permissions of a Role”.
Role | Permissions Provided by Role |
---|---|
Access Insights Admin | Add and edit Insights rules. |
Access Insights Viewer | View Insight reports. |
Ansible Roles Manager | Play roles on hosts and host groups. View, destroy, and import Ansible roles. View, edit, create, destroy, and import Ansible variables. |
Ansible Tower Inventory Reader | View facts, hosts, and host groups. |
Bookmarks manager | Create, edit, and delete bookmarks. |
Boot disk access | Download the boot disk. |
Compliance manager | View, create, edit, and destroy SCAP content files, compliance policies, and tailoring files. View compliance reports. |
Compliance viewer | View compliance reports. |
Create ARF report | Create compliance reports. |
Default role | The set of permissions that every user is granted, irrespective of any other roles. |
Discovery Manager | View, provision, edit, and destroy discovered hosts and manage discovery rules. |
Discovery Reader | View hosts and discovery rules. |
Edit hosts | View, create, edit, destroy, and build hosts. |
Edit partition tables | View, create, edit and destroy partition tables. |
Manager | View and edit global settings. |
Organization admin | All permissions except permissions for managing organizations. An administrator role defined per organization. The role has no visibility into resources in other organizations. By cloning this role and assigning an organization, you can delegate administration of that organization to a user. |
Red Hat Access Logs | View the log viewer and the logs. |
Remote Execution Manager | Control which roles have permission to run infrastructure jobs. |
Remote Execution User | Run remote execution jobs against hosts. |
Site manager | A restrained version of the Manager role. |
System admin |
Users with this role can create users and assign all roles to them. Therefore, ensure to give this role only to trusted users. |
Tasks manager | View and edit Satellite tasks. |
Tasks reader | A role that can only view Satellite tasks. |
Viewer | A passive role that provides the ability to view the configuration of every element of the Satellite structure, logs, reports, and statistics. |
View hosts | A role that can only view hosts. |
Virt-who Manager | A role with full virt-who permissions. |
Virt-who Reporter | Upload reports generated by virt-who to Satellite. It can be used if you configure virt-who manually and require a user role that has limited virt-who permissions. |
Virt-who Viewer | View virt-who configurations. Users with this role can deploy virt-who instances using existing virt-who configurations. |
7.7. Granular Permission Filtering
As mentioned in Section 7.5.3, “Adding Permissions to a Role”, Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.
7.7.1. Creating a Granular Permission Filter
Use this procedure to create a granular filter. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with name = "Default Location" expression in the search field does not prevent the user from assigning a custom name to the newly created location.
Procedure
Specify a query in the Search field on the Edit Filter page. Deselect the Unlimited checkbox for the field to be active. Queries have the following form:
field_name operator value
- field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
- operator specifies the type of comparison between field_name and value. See Section 7.7.3, “Supported Operators for Granular Search” for an overview of applicable operators.
- value is the value used for filtering. This can be for example a name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.
For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, you can combine queries using logical operators such as and, not and has operators.
CLI procedure
To create a granular filter, enter the
hammer filter create
command with the--search
option to limit permission filters, for example:# hammer filter create \ --permission-ids 91 \ --search "name ~ ccv*" \ --role qa-user
This command adds to the qa-user role a permission to view, create, edit, and destroy Content Views that only applies to Content Views with name starting with ccv
.
7.7.2. Examples of Using Granular Permission Filters
As an administrator, you can allow selected users to make changes in a certain part of the environment path. The following filter allows you to work with content while it is in the development stage of the application life cycle, but the content becomes inaccessible once is pushed to production.
7.7.2.1. Applying Permissions for the Host Resource Type
The following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors.
hostgroup = host-editors
The following query returns records where the name matches XXXX, Yyyy, or zzzz example strings:
name ^ (XXXX, Yyyy, zzzz)
You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:
Dev
You can limit user permissions to a certain organization or location with the use of the granular permission filter in the Search field. However, some resource types provide a GUI alternative, an Override checkbox that provides the Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. For more information, see Section 7.7.2.2, “Creating an Organization Specific Manager Role”.
7.7.2.2. Creating an Organization Specific Manager Role
Use the Satellite web UI to create an administrative role restricted to a single organization named org-1.
Procedure
- In the Satellite web UI, navigate to Administer > Roles.
- Clone the existing Organization admin role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 admin.
- Click the desired locations and organizations to associate them with the role.
- Click Submit to create the role.
- Click org-1 admin, and click Filters to view all associated filters. The default filters work for most use cases. However, you can optionally click Edit to change the properties for each filter. For some filters, you can enable the Override option if you want the role to be able to access resources in additional locations and organizations. For example, by selecting the Domain resource type, the Override option, and then additional locations and organizations using the Locations and Organizations tabs, you allow this role to access domains in the additional locations and organizations that is not associated with this role. You can also click New filter to associate new filters with this role.
7.7.3. Supported Operators for Granular Search
Operator | Description |
and | Combines search criteria. |
not | Negates an expression. |
has | Object must have a specified property. |
Operator | Description |
= | Is equal to. An equality comparison that is case-sensitive for text fields. |
!= | Is not equal to. An inversion of the = operator. |
~ | Like. A case-insensitive occurrence search for text fields. |
!~ | Not like. An inversion of the ~ operator. |
^ | In. An equality comparison that is case-sensitive search for text fields. This generates a different SQL query to the Is equal to comparison, and is more efficient for multiple value comparison. |
!^ | Not in. An inversion of the ^ operator. |
>, >= | Greater than, greater than or equal to. Supported for numerical fields only. |
<, ⇐ | Less than, less than or equal to. Supported for numerical fields only. |