15.7. Administering User Tasks From the Command Line
You can use the ovirt-aaa-jdbc-tool
tool to manage user accounts on the internal domain. Changes made using the tool take effect immediately and do not require you to restart the ovirt-engine
service. For a full list of user options, run ovirt-aaa-jdbc-tool user --help
. Common examples are provided in this section.
You must be logged into the Manager machine.
15.7.1. Creating a New User
You can create a new user account. The optional --attribute
command specifies account details. For a full list of options, run ovirt-aaa-jdbc-tool user add --help
.
# ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe adding user test1... user added successfully
You can add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.
15.7.2. Setting a User Password
You can create a password. You must set a value for --password-valid-to
, otherwise the password expiry time defaults to the current time. The date format is yyyy-MM-dd HH:mm:ssX
. In this example, -0800
stands for GMT minus 8 hours. For more options, run ovirt-aaa-jdbc-tool user password-reset --help
.
# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800" Password: updating user test1... user updated successfully
By default, the password policy for user accounts on the internal domain has the following restrictions:
- A minimum of 6 characters.
- Three previous passwords used cannot be set again during the password change.
For more information on the password policy and other default settings, run ovirt-aaa-jdbc-tool settings show
.
15.7.3. Setting User Timeout
You can set the user timeout period:
# engine-config --set UserSessionTimeOutInterval=integer
15.7.4. Pre-encrypting a User Password
You can create a pre-encrypted user password using the ovirt-engine-crypto-tool
script. This option is useful if you are adding users and passwords to the database with a script.
Passwords are stored in the Manager database in encrypted form. The ovirt-engine-crypto-tool
script is used because all passwords must be encrypted with the same algorithm.
If the password is pre-encrypted, password validity tests cannot be performed. The password will be accepted even if it does not comply with the password validation policy.
Run the following command:
# /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode
The script will prompt you to enter the password.
Alternatively, you can use the
--password=file:file
option to encrypt a single password that appears as the first line of a file. This option is useful for automation. In the following example,file
is a text file containing a single password for encryption:# /usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh pbe-encode --password=file:file
Set the new password with the
ovirt-aaa-jdbc-tool
script, using the--encrypted
option:# ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800" --encrypted
Enter and confirm the encrypted password:
Password: Reenter password: updating user test1... user updated successfully
15.7.5. Viewing User Information
You can view detailed user account information:
# ovirt-aaa-jdbc-tool user show test1
This command displays more information than in the Administration Portal’s
15.7.6. Editing User Information
You can update user information, such as the email address:
# ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
15.7.7. Removing a User
You can remove a user account:
# ovirt-aaa-jdbc-tool user delete test1
Remove the user from the Administration Portal. See Section 15.6.4, “Removing Users” for more information.
15.7.8. Disabling the Internal Administrative User
You can disable users on the local domains including the admin@internal user created during engine-setup
. Make sure you have at least one user in the envrionment with full administrative permissions before disabling the default admin user.
Disabling the Internal Administrative User
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
- Make sure another user with the SuperUser role has been added to the environment. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.
Disable the default admin user:
# ovirt-aaa-jdbc-tool user edit
admin
--flag=+disabled
To enable a disabled user, run ovirt-aaa-jdbc-tool user edit username --flag=-disabled
15.7.9. Managing Groups
You can use the ovirt-aaa-jdbc-tool
tool to manage group accounts on your internal domain. Managing group accounts is similar to managing user accounts. For a full list of group options, run ovirt-aaa-jdbc-tool group --help
. Common examples are provided in this section.
Creating a Group
This procedure shows you how to create a group account, add users to the group, and view the details of the group.
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
Create a new group:
# ovirt-aaa-jdbc-tool group add group1
Add users to the group. The users must be created already.
# ovirt-aaa-jdbc-tool group-manage useradd group1 --user=test1
NoteFor a full list of the group-manage options, run
ovirt-aaa-jdbc-tool group-manage --help
.View group account details:
# ovirt-aaa-jdbc-tool group show group1
- Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. The users in the group inherit the roles and permissions of the group. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.
Creating Nested Groups
This procedure shows you how to create groups within groups.
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
Create the first group:
# ovirt-aaa-jdbc-tool group add group1
Create the second group:
# ovirt-aaa-jdbc-tool group add group1-1
Add the second group to the first group:
# ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group1-1
- Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Section 15.6.1, “Adding Users and Assigning VM Portal Permissions” for more information.
15.7.10. Querying Users and Groups
The query
module allows you to query user and group information. For a full list of options, run ovirt-aaa-jdbc-tool query --help
.
Listing All User or Group Account Details
This procedure shows you how to list all account information.
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
List the account details.
All user account details:
# ovirt-aaa-jdbc-tool query --what=user
All group account details:
# ovirt-aaa-jdbc-tool query --what=group
Listing Filtered Account Details
This procedure shows you how to apply filters when listing account information.
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
Filter account details using the
--pattern
parameter.List user account details with names that start with the character j.
# ovirt-aaa-jdbc-tool query --what=user --pattern="name=j*"
List groups that have the department attribute set to marketing:
# ovirt-aaa-jdbc-tool query --what=group --pattern="department=marketing"
15.7.11. Managing Account Settings
To change the default account settings, use the ovirt-aaa-jdbc-tool
settings
module.
Updating Account Settings
This procedure shows you how to update the default account settings.
- Log in to the machine on which the Red Hat Virtualization Manager is installed.
Run the following command to show all the settings available:
# ovirt-aaa-jdbc-tool settings show
Change the desired settings:
This example updates the default log in session time to 60 minutes for all user accounts. The default value is 10080 minutes.
# ovirt-aaa-jdbc-tool settings set --name=MAX_LOGIN_MINUTES --value=60
This example updates the number of failed login attempts a user can perform before the user account is locked. The default value is 5.
# ovirt-aaa-jdbc-tool settings set --name=MAX_FAILURES_SINCE_SUCCESS --value=3
NoteTo unlock a locked user account, run
ovirt-aaa-jdbc-tool user unlock test1
.