16.7. Administering User Tasks From the Command Line
You can use the ovirt-aaa-jdbc-tool tool to manage user accounts on the internal domain. Changes made using the tool take effect immediately and do not require you to restart the ovirt-engine service. For a full list of user options, run ovirt-aaa-jdbc-tool user --help. Common examples are provided in this section.
Important
You must be logged in on the Manager machine.
16.7.1. Creating a New User
You can create a new user account. The optional --attribute option specifies account details. For a full list of options, run ovirt-aaa-jdbc-tool user add --help.
# ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
adding user test1...
user added successfully
You can add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Section 16.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
16.7.2. Setting a User Password
You can create a user password. You must set --password-valid-to. Otherwise, the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX. In this example, -0800 stands for GMT minus 8 hours. For more options, run ovirt-aaa-jdbc-tool user password-reset --help.
Note
By default, the password policy for user accounts on the internal domain has the following restrictions:
- A minimum of 6 characters.
- Three previous passwords used cannot be set again during the password change.
For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show.
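The following script is an added example, not part of the product documentation: it computes a --password-valid-to value in the format described above and rejects one that is malformed or already in the past, since an expiry at or before the current time leaves the account with an expired password. The function names are hypothetical, GNU date is assumed, and the password-reset command is printed for review rather than run.

```shell
#!/bin/sh
# Added example: compute and check a --password-valid-to value before
# calling password-reset. Assumes GNU date (date -d).

# Shape used by the example on this page: "2025-08-01 12:00:00-0800".
VALID_TO_RE='^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[+-][0-9]{4}$'

# Print a timestamp N days from now in that shape.
valid_to_in_days() {
    date -d "+$1 days" '+%Y-%m-%d %H:%M:%S%z'
}

# Succeed only if $1 matches the shape, is a real date, and is in the future.
check_valid_to() {
    printf '%s\n' "$1" | grep -Eq "$VALID_TO_RE" || {
        echo "bad format: $1" >&2; return 1; }
    vt_epoch=$(date -d "$1" +%s 2>/dev/null) || {
        echo "not a real date: $1" >&2; return 1; }
    [ "$vt_epoch" -gt "$(date +%s)" ] || {
        echo "already expired: $1" >&2; return 1; }
}

# Print the password-reset command for user $1 with a password valid
# for $2 days. Nothing is executed.
reset_command() {
    rc_ts=$(valid_to_in_days "$2") || return 1
    check_valid_to "$rc_ts" || return 1
    printf 'ovirt-aaa-jdbc-tool user password-reset %s --password-valid-to="%s"\n' \
        "$1" "$rc_ts"
}

# Demo with constructed values: user test1, password valid for 90 days.
reset_command test1 90
```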
16.7.3. Setting User Timeout
You can set the user timeout period:
# engine-config --set UserSessionTimeOutInterval=integer
The default user timeout period is 30 minutes. A negative value ensures that sessions never expire.
16.7.4. Pre-encrypting a User Password
You can create a pre-encrypted user password using the ovirt-engine-crypto-tool. This option is useful if you are adding users and passwords to the database with a script.
Note
Passwords are stored in the Manager database in encrypted form. The ovirt-engine-crypto-tool script is used because all passwords must be encrypted with the same algorithm.
If the password is pre-encrypted, password validity tests cannot be performed. The password will be accepted even if it does not comply with the password validation policy.
- Run the following command:
  # /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode
  The script will prompt you to enter the password.
  Alternatively, you can use --password=file:file, with the password in the first line of the file:
  # /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode --password=file:file
- Set the new password with the ovirt-aaa-jdbc-tool tool, using the --encrypted option:
  # ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800" --encrypted
- Enter and confirm the encrypted password:
  Password:
  Reenter password:
  updating user test1...
  user updated successfully
16.7.5. Viewing User Information
You can view detailed user account information:
# ovirt-aaa-jdbc-tool user show test1
This command displays more information than in the Administration Portal's Users tab.
16.7.6. Editing User Information
You can update user information, such as the email address:
# ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
16.7.7. Removing a User
- You can remove a user account:
  # ovirt-aaa-jdbc-tool user delete test1
- Remove the user from the Administration Portal. See Section 16.6.4, “Removing Users” for more information.
16.7.8. Disabling the Internal Administrative User
You can disable users on the local domains, including the admin@internal user created during engine-setup. Make sure you have at least one user in the environment with full administrative permissions before disabling the default admin user. See Section 16.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
# ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
Note
To enable a disabled user, run ovirt-aaa-jdbc-tool user edit username --flag=-disabled.
16.7.9. Managing Groups
Managing group accounts is similar to managing user accounts. For a full list of group options, run ovirt-aaa-jdbc-tool group --help. Common examples are provided in this section.
You can create a new group:
# ovirt-aaa-jdbc-tool group add group1
You can add users to the group. The users must be created already.
# ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1
Note
For a full list of the group-manage options, run ovirt-aaa-jdbc-tool group-manage --help.
You can view group account details:
# ovirt-aaa-jdbc-tool group show group1
Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. The users in the group inherit the roles and permissions of the group. See Section 16.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
You can create groups within groups.
- Create the first group:
  # ovirt-aaa-jdbc-tool group add group1
- Create the second group:
  # ovirt-aaa-jdbc-tool group add group1-1
- Add the second group to the first group:
  # ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
- Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Section 16.6.1, “Adding Users and Assigning User Portal Permissions” for more information.
16.7.10. Querying Users and Groups
You can query user and group information using the query module. For a full list of options, run ovirt-aaa-jdbc-tool query --help.
List all user account details:
# ovirt-aaa-jdbc-tool query --what=user
List all group account details:
# ovirt-aaa-jdbc-tool query --what=group
You can apply filters when listing account information, for example, listing user account details for names that start with j:
# ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
List groups that have the department attribute set to marketing:
# ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"
16.7.11. Managing Account Settings
You can change the default account settings with the settings module. To view all options, run ovirt-aaa-jdbc-tool settings show.
Update the default log-in session time (10080 minutes) to 60 minutes for all user accounts:
# ovirt-aaa-jdbc-tool settings set --name=MAX_LOGIN_MINUTES --value=60
Update the default number of failed login attempts (5) a user can perform before the user account is locked:
# ovirt-aaa-jdbc-tool settings set --name=MAX_FAILURES_SINCE_SUCCESS --value=3
Note
To unlock a locked user account, run ovirt-aaa-jdbc-tool user unlock test1.