Red Hat Summit第5章 Managing Users and Roles
A User defines a set of details for individuals using the system. Users can be associated with organizations and environments, so that when they create new entities, the default settings are automatically used. Users can also have one or more roles attached, which grants them rights to view and manage organizations and environments. See 「User Management」 for more information on working with users.
You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. See 「Creating and Managing User Groups」 for more information on creating user groups.
Roles define a set of permissions and access levels. Each role contains one on more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users. Red Hat Satellite provides a set of predefined roles and also enables creating custom roles and permission filters as described in 「Creating and Managing Roles」.
5.1. User Management
As an administrator, you can create, modify and remove Satellite users. You can also configure access permissions for a user or a group of users by assigning them different roles.
5.1.1. Creating a User
Use this procedure to create a user.
Procedure
To create a user, complete the following steps:
- Navigate to Administer > Users.
- Click Create User.
- In the Login field, enter a username for the user.
- In the Firstname and Lastname fields, enter the real first name and last name of the user.
- In the Mail field, enter the user’s email address.
- In the Description field, add a description of the new user.
- Select a specific language for the user from the Language list.
Select a timezone for the user from the Timezone list.
By default, Satellite Server uses the language and timezone settings of the user’s browser.
Set a password for the user:
From the Authorized by list, select the source by which the user is authenticated.
- INTERNAL: to enable the user to be managed inside Satellite Server.
- EXTERNAL: to configure external authentication as described in 13章Configuring External Authentication.
- Enter an initial password for the user in the Password field and the Verify field.
- Click Submit to create the user.
For CLI Users
To create a user, enter the following command:
The --auth-source-id 1 setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the --admin option to grant administrator privileges to the user. Specifying organization IDs is not required, you can modify the user details later using the update subcommand.
For more information about user related subcommands, enter hammer user --help.
5.1.2. Assigning Roles to a User
Use this procedure to assign roles to a user.
Procedure
- Navigate to Administer > Users.
Click the username of the user to be assigned one or more roles.
注記If a user account is not listed, check that you are currently viewing the correct organization. To list all the users in Satellite, click Default Organization and then Any Organization.
- Click the Locations tab, and select a location if none is assigned.
- Click the Organizations tab, and check that an organization is assigned.
- Click the Roles tab to display the list of available roles.
Select the roles to assign from the Roles list.
To grant all the available permissions, select the Admin check box.
- Click Submit.
To view the roles assigned to a user, click the Roles tab; the assigned roles are listed under Selected items. To remove an assigned role, click the role name in Selected items.
For CLI Users
To assign roles to a user, enter the following command:
hammer user add-role --id user_id --role role_name
# hammer user add-role --id user_id --role role_name5.1.3. Impersonating a Different User Account
Administrators can impersonate other authenticated users for testing and troubleshooting purposes by temporarily logging on to the Satellite web UI as a different user. When impersonating another user, the administrator has permissions to access exactly what the impersonated user can access in the system, including the same menus.
Audits are created to record the actions that the administrator performs while impersonating another user. However, all actions that an administrator performs while impersonating another user are recorded as having been performed by the impersonated user.
Prerequisites
- Ensure that you are logged on to the Satellite web UI as a user with administrator privileges for Satellite.
Procedure
To impersonate a different user account, complete the following steps:
- In the Satellite web UI, navigate to Administer > Users.
- To the right of the user that you want to impersonate, from the list in the Actions column, select Impersonate.
When you want to stop the impersonation session, in the upper right of the main menu, click the impersonation icon.
5.1.4. SSH Keys
Adding SSH keys to a user allows deployment of SSH keys during provisioning.
For information on deploying SSH keys during provisioning, see Deploying SSH Keys during Provisioning in the Provisioning Guide.
For information on SSH keys and SSH key creation, see Using SSH-based Authentication in the Red Hat Enterprise Linux 7 System Administrator’s Guide.
5.1.5. Managing SSH Keys for a User
Use this procedure to add or remove SSH keys for a user.
Prerequisites
Make sure that you are logged in to the web UI as an Admin user of Red Hat Satellite or a user with the create_ssh_key permission enabled for adding SSH key and destroy_ssh_key permission for removing a key.
Procedure
- Navigate to Administer > Users.
- From the Username column, click on the username of the required user.
Click on the SSH Keys tab.
To Add SSH key
- Prepare the content of the public SSH key in a clipboard.
- Click Add SSH Key.
- In the Key field, paste the public SSH key content from the clipboard.
- In the Name field, enter a name for the SSH key.
- Click Submit.
To Remove SSH key
- Click Delete on the row of the SSH key to be deleted.
- Click OK in the confirmation prompt.
For CLI Users
To add an SSH key to a user, you must specify either the path to the public SSH key file, or the content of the public SSH key copied to the clipboard.
If you have the public SSH key file, enter the following command:
hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key-file ~/.ssh/id_rsa.pub
# hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key-file ~/.ssh/id_rsa.pubCopy to Clipboard Copied! Toggle word wrap Toggle overflow If you have the content of the public SSH key, enter the following command:
hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNtYAAABBBHHS2KmNyIYa27Qaa7EHp+2l99ucGStx4P77e03ZvE3yVRJEFikpoP3MJtYYfIe8k 1/46MTIZo9CPTX4CYUHeN8= host@user
# hammer user ssh-keys add \ --user-id user_id \ --name key_name \ --key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNtYAAABBBHHS2KmNyIYa27Qaa7EHp+2l99ucGStx4P77e03ZvE3yVRJEFikpoP3MJtYYfIe8k 1/46MTIZo9CPTX4CYUHeN8= host@userCopy to Clipboard Copied! Toggle word wrap Toggle overflow
To delete an SSH key from a user, enter the following command:
hammer user ssh-keys delete --id key_id --user-id user_id
# hammer user ssh-keys delete --id key_id --user-id user_idTo view an SSH key attached to a user, enter the following command:
hammer user ssh-keys info --id key_id --user-id user_id
# hammer user ssh-keys info --id key_id --user-id user_idTo list SSH keys attached to a user, enter the following command:
hammer user ssh-keys list --user-id user_id
# hammer user ssh-keys list --user-id user_id5.1.6. Email Notifications
Email notifications are created by Satellite Server periodically or after completion of certain events. The periodic notifications can be sent daily, weekly or monthly.
The events that trigger a notification are the following:
- Host build
- Content View promotion
- Error reported by host
- Repository sync
Users do not receive any email notifications by default. An administrator can configure users to receive notifications based on criteria such as the type of notification, and frequency.
If you want email notifications sent to a group’s email address, instead of an individual’s email address, create a user account with the group’s email address and minimal Satellite permissions, then subscribe the user account to the desired notification types.
Satellite Server does not enable outgoing emails by default, therefore you must review your email configuration. For more information, see Configuring Satellite Server for Outgoing Emails in Installing Satellite Server from a Connected Network.
5.1.7. Configuring Email Notifications
Configure email notifications for a user from the Satellite web UI.
Procedure
- Navigate to Administer > Users.
- Click the Username of the user you want to edit.
- On the User tab, verify the value of the Mail field. Email notifications will be sent to the address in this field.
- On the Email Preferences tab, select Mail Enabled.
Select the notifications you want the user to receive using the drop-down menus next to the notification types.
注記The Audit Summary notification can be filtered by entering the required query in the Mail Query text box.
Click Submit.
The user will start receiving the notification emails.
5.1.8. Testing Email Delivery
To verify the delivery of emails, send a test email to a user. If the email gets delivered, the settings are correct.
Procedure
- In the Satellite web UI, navigate to Administer > Users.
- Click on the username.
On the Email Preferences tab, click Test email.
A test email message is sent immediately to the user’s email address.
If the email is delivered, the verification is complete. Otherwise, you must perform the following diagnostic steps:
- Verify the user’s email address.
- Verify Satellite Server’s email configuration.
- Examine firewall and mail server logs.
5.1.9. Testing Email Notifications
To verify that users are correctly subscribed to notifications, trigger the notifications manually.
Procedure
To trigger the notifications, execute the following command:
foreman-rake reports:<frequency>
# foreman-rake reports:<frequency>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Replace frequency with one of the following:
- daily
- weekly
- monthly
This triggers all notifications scheduled for the specified frequency for all the subscribed users. If every subscribed user receives the notifications, the verification succeeds.
Sending manually triggered notifications to individual users is currently not supported.
5.1.10. Notification Types
The following are the notifications created by Satellite:
- Audit summary: A summary of all activity audited by the Satellite Server.
- Host built: A notification sent when a host is built.
- Host errata advisory: A summary of applicable and installable errata for hosts managed by the user.
- OpenSCAP policy summary: A summary of OpenSCAP policy reports and their results.
- Promote errata: A notification sent only after a Content View promotion. It contains a summary of errata applicable and installable to hosts registered to the promoted Content View. This allows a user to monitor what updates have been applied to which hosts.
- Puppet error state: A notification sent after a host reports an error related to Puppet.
- Puppet summary: A summary of Puppet reports.
- Sync errata: A notification sent only after synchronizing a repository. It contains a summary of new errata introduced by the synchronization.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}