검색

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 9. Managing users and roles

download PDF

A User defines a set of details for individuals using the system. Users can be associated with organizations and environments, so that when they create new entities, the default settings are automatically used. Users can also have one or more roles attached, which grants them rights to view and manage organizations and environments. See Section 9.1, “Managing users” for more information on working with users.

You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. For more information on creating user groups, see Section 9.4, “Creating and managing user groups”.

Roles define a set of permissions and access levels. Each role contains one on more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users. Satellite provides a set of predefined roles and also enables creating custom roles and permission filters as described in Section 9.5, “Creating and managing roles”.

9.1. Managing users

As an administrator, you can create, modify and remove Satellite users. You can also configure access permissions for a user or a group of users by assigning them different roles.

9.1.1. Creating a user

Use this procedure to create a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. Click Create User.
  3. Enter the account details for the new user.
  4. Click Submit to create the user.

The user account details that you can specify include the following:

  • On the User tab, select an authentication source from the Authorized by list:

    • INTERNAL: to manage the user inside Satellite Server.
    • EXTERNAL: to manage the user with external authentication. For more information, see Configuring External Authentication in Installing Satellite Server in a connected network environment.
  • On the Organizations tab, select an organization for the user. Specify the default organization Satellite selects for the user after login from the Default on login list.

    Important

    If a user is not assigned to an organization, their access is limited.

CLI procedure

  • Create a user:

    # hammer user create \
    --auth-source-id My_Authentication_Source \
    --login My_User_Name \
    --mail My_User_Mail \
    --organization-ids My_Organization_ID_1,My_Organization_ID_2 \
    --password My_User_Password

    The --auth-source-id 1 setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the --admin option to grant administrator privileges to the user. Specifying organization IDs is not required.

    You can modify the user details later by using the hammer user update command.

Additional resources

  • For more information about creating user accounts by using Hammer, enter hammer user create --help.

9.1.2. Assigning roles to a user

Use this procedure to assign roles to a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. Click the username of the user to be assigned one or more roles.

    Note

    If a user account is not listed, check that you are currently viewing the correct organization. To list all the users in Satellite, click Default Organization and then Any Organization.

  3. Click the Locations tab, and select a location if none is assigned.
  4. Click the Organizations tab, and check that an organization is assigned.
  5. Click the Roles tab to display the list of available roles.
  6. Select the roles to assign from the Roles list.

    To grant all the available permissions, select the Administrator checkbox.

  7. Click Submit.

To view the roles assigned to a user, click the Roles tab; the assigned roles are listed under Selected items. To remove an assigned role, click the role name in Selected items.

CLI procedure

  • To assign roles to a user, enter the following command:

    # hammer user add-role --id user_id --role role_name

9.1.3. Impersonating a different user account

Administrators can impersonate other authenticated users for testing and troubleshooting purposes by temporarily logging on to the Satellite web UI as a different user. When impersonating another user, the administrator has permissions to access exactly what the impersonated user can access in the system, including the same menus.

Audits are created to record the actions that the administrator performs while impersonating another user. However, all actions that an administrator performs while impersonating another user are recorded as having been performed by the impersonated user.

Prerequisites

  • Ensure that you are logged on to the Satellite web UI as a user with administrator privileges for Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. To the right of the user that you want to impersonate, from the list in the Actions column, select Impersonate.

When you want to stop the impersonation session, in the upper right of the main menu, click the impersonation icon.

9.1.4. Creating an API-only user

You can create users that can interact only with the Satellite API.

Prerequisites

Procedure

  1. Log in to your Satellite as admin.
  2. Navigate to Administer > Users and select a user.
  3. On the User tab, set a password. Do not save or communicate this password with others. You can create pseudo-random strings on your console:

    # openssl rand -hex 32
  4. Create a Personal Access Token for the user. For more information, see Section 9.3.1, “Creating a Personal Access Token”.

9.2. Managing SSH keys

Adding SSH keys to a user allows deployment of SSH keys during provisioning. For information on deploying SSH keys during provisioning, see Deploying SSH Keys during Provisioning in Provisioning hosts.

For information on SSH keys and SSH key creation, see Using SSH-based Authentication in Red Hat Enterprise Linux 8 Configuring basic system settings.

9.2.1. Managing SSH keys for a user

Use this procedure to add or remove SSH keys for a user. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Prerequisites

  • Ensure that you are logged in to the Satellite web UI as an Admin user of Red Hat Satellite or a user with the create_ssh_key permission enabled for adding SSH key and destroy_ssh_key permission for removing a key.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. From the Username column, click on the username of the required user.
  3. Click on the SSH Keys tab.

    • To Add SSH key

      1. Prepare the content of the public SSH key in a clipboard.
      2. Click Add SSH Key.
      3. In the Key field, paste the public SSH key content from the clipboard.
      4. In the Name field, enter a name for the SSH key.
      5. Click Submit.
    • To Remove SSH key

      1. Click Delete on the row of the SSH key to be deleted.
      2. Click OK in the confirmation prompt.

CLI procedure

To add an SSH key to a user, you must specify either the path to the public SSH key file, or the content of the public SSH key copied to the clipboard.

  • If you have the public SSH key file, enter the following command:

    # hammer user ssh-keys add \
    --user-id user_id \
    --name key_name \
    --key-file ~/.ssh/id_rsa.pub
  • If you have the content of the public SSH key, enter the following command:

    # hammer user ssh-keys add \
    --user-id user_id \
    --name key_name \
    --key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNtYAAABBBHHS2KmNyIYa27Qaa7EHp+2l99ucGStx4P77e03ZvE3yVRJEFikpoP3MJtYYfIe8k 1/46MTIZo9CPTX4CYUHeN8= host@user

To delete an SSH key from a user, enter the following command:

# hammer user ssh-keys delete --id key_id --user-id user_id

To view an SSH key attached to a user, enter the following command:

# hammer user ssh-keys info --id key_id --user-id user_id

To list SSH keys attached to a user, enter the following command:

# hammer user ssh-keys list --user-id user_id

9.3. Managing Personal Access Tokens

Personal Access Tokens allow you to authenticate API requests without using your password. You can set an expiration date for your Personal Access Token and you can revoke it if you decide it should expire before the expiration date.

9.3.1. Creating a Personal Access Token

Use this procedure to create a Personal Access Token.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. Select a user for which you want to create a Personal Access Token.
  3. On the Personal Access Tokens tab, click Add Personal Access Token.
  4. Enter a Name for you Personal Access Token.
  5. Optional: Select the Expires date to set an expiration date. If you do not set an expiration date, your Personal Access Token will never expire unless revoked.
  6. Click Submit. You now have the Personal Access Token available to you on the Personal Access Tokens tab.

    Important

    Ensure to store your Personal Access Token as you will not be able to access it again after you leave the page or create a new Personal Access Token. You can click Copy to clipboard to copy your Personal Access Token.

Verification

  1. Make an API request to your Satellite Server and authenticate with your Personal Access Token:

    # curl https://satellite.example.com/api/status --user My_Username:My_Personal_Access_Token
  2. You should receive a response with status 200, for example:

    {"satellite_version":"6.15.0","result":"ok","status":200,"version":"3.5.1.10","api_version":2}

    If you go back to Personal Access Tokens tab, you can see the updated Last Used time next to your Personal Access Token.

9.3.2. Revoking a Personal Access Token

Use this procedure to revoke a Personal Access Token before its expiration date.

Procedure

  1. In the Satellite web UI, navigate to Administer > Users.
  2. Select a user for which you want to revoke the Personal Access Token.
  3. On the Personal Access Tokens tab, locate the Personal Access Token you want to revoke.
  4. Click Revoke in the Actions column next to the Personal Access Token you want to revoke.

Verification

  1. Make an API request to your Satellite Server and try to authenticate with the revoked Personal Access Token:

    # curl https://satellite.example.com/api/status --user My_Username:My_Personal_Access_Token
  2. You receive the following error message:

    {
      "error": {"message":"Unable to authenticate user My_Username"}
    }

9.4. Creating and managing user groups

9.4.1. User groups

With Satellite, you can assign permissions to groups of users. You can also create user groups as collections of other user groups. If using an external authentication source, you can map Satellite user groups to external user groups as described in Configuring External User Groups in Installing Satellite Server in a connected network environment.

User groups are defined in an organizational context, meaning that you must select an organization before you can access user groups.

9.4.2. Creating a user group

Use this procedure to create a user group.

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups.
  2. Click Create User group.
  3. On the User Group tab, specify the name of the new user group and select group members:

    • Select the previously created user groups from the User Groups list.
    • Select users from the Users list.
  4. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Admin checkbox to assign all available permissions.
  5. Click Submit.

CLI procedure

  • To create a user group, enter the following command:

    # hammer user-group create \
    --name My_User_Group_Name \
    --role-ids My_Role_ID_1,My_Role_ID_2 \
    --user-ids My_User_ID_1,My_User_ID_2

9.4.3. Removing a user group

Use the following procedure to remove a user group from Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups.
  2. Click Delete to the right of the user group you want to delete.
  3. Click Confirm to delete the user group.

9.5. Creating and managing roles

Satellite provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Section 9.6, “Predefined roles available in Satellite”. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain Satellite plugins create roles automatically.

9.5.1. Creating a role

Use this procedure to create a role.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Click Create Role.
  3. Provide a Name for the role.
  4. Click Submit to save your new role.

CLI procedure

  • To create a role, enter the following command:

    # hammer role create --name My_Role_Name

To serve its purpose, a role must contain permissions. After creating a role, proceed to Section 9.5.3, “Adding permissions to a role”.

9.5.2. Cloning a role

Use the Satellite web UI to clone a role.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles and select Clone from the drop-down menu to the right of the required role.
  2. Provide a Name for the role.
  3. Click Submit to clone the role.
  4. Click the name of the cloned role and navigate to Filters.
  5. Edit the permissions as required.
  6. Click Submit to save your new role.

9.5.3. Adding permissions to a role

Use this procedure to add permissions to a role. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Select Add Filter from the drop-down list to the right of the required role.
  3. Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.
  4. Click the permissions you want to select from the Permission list.
  5. Depending on the Resource type selected, you can select or deselect the Unlimited and Override checkbox. The Unlimited checkbox is selected by default, which means that the permission is applied on all resources of the selected type. When you disable the Unlimited checkbox, the Search field activates. In this field you can specify further filtering with use of the Satellite search syntax. For more information, see Section 9.7, “Granular permission filtering”. When you enable the Override checkbox, you can add additional locations and organizations to allow the role to access the resource type in the additional locations and organizations; you can also remove an already associated location and organization from the resource type to restrict access.
  6. Click Next.
  7. Click Submit to save changes.

CLI procedure

  1. List all available permissions:

    # hammer filter available-permissions
  2. Add permissions to a role:

    # hammer filter create \
    --permission-ids My_Permission_ID_1,My_Permission_ID_2 \
    --role My_Role_Name

For more information about roles and permissions parameters, enter the hammer role --help and hammer filter --help commands.

9.5.4. Viewing permissions of a role

Use the Satellite web UI to view the permissions of a role.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Click Filters to the right of the required role to get to the Filters page.

The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. For more information, see Section 9.5.5, “Creating a complete permission table”.

9.5.5. Creating a complete permission table

Use the Satellite CLI to create a permission table.

Procedure

  1. Start the Satellite console with the following command:

    # foreman-rake console
  2. Insert the following code into the console:

    f = File.open('/tmp/table.html', 'w')
    
    result = Foreman::AccessControl.permissions {|a,b| a.security_block <=> b.security_block}.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
          "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>"
    end.join("\n")
    
    f.write(result)

    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.

  3. Press Ctrl + D to exit the Satellite console.
  4. Insert the following text at the first line of /tmp/table.html:

    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>
  5. Append the following text at the end of /tmp/table.html:

    </table>
  6. Open /tmp/table.html in a web browser to view the table.

9.5.6. Removing a role

Use the following procedure to remove a role from Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Select Delete from the drop-down list to the right of the role to be deleted.
  3. Click Confirm to delete the role.

9.6. Predefined roles available in Satellite

The following table provides an overview of permissions that predefined roles in Satellite grant to a user.

For a complete set of predefined roles and the permissions they grant, log in to Satellite web UI as the privileged user and navigate to Administer > Roles. For more information, see Section 9.5.4, “Viewing permissions of a role”.

Predefined rolePermissions the role providesAdditional information

Auditor

View the Audit log.

 

Default role

View tasks and jobs invocations.

Satellite automatically assigns this role to every user in the system.

Manager

View and edit global settings.

 

Organization admin

All permissions except permissions for managing organizations.

An administrator role defined per organization. The role has no visibility into resources in other organizations.

By cloning this role and assigning an organization, you can delegate administration of that organization to a user.

Site manager

View permissions for various items.

Permissions to manage hosts in the infrastructure.

A restrained version of the Manager role.

System admin

Edit global settings in Administer > Settings.

View, create, edit, and destroy users, user groups, and roles.

View, create, edit, destroy, and assign organizations and locations but not view resources within them.

Users with this role can create users and assign all roles to them. Give this role only to trusted users.

Viewer

View the configuration of every element of the Satellite structure, logs, reports, and statistics.

 

9.7. Granular permission filtering

As mentioned in Section 9.5.3, “Adding permissions to a role”, Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.

9.7.1. Creating a granular permission filter

Use this procedure to create a granular filter. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with name = "Default Location" expression in the search field does not prevent the user from assigning a custom name to the newly created location.

Procedure

Specify a query in the Search field on the Edit Filter page. Deselect the Unlimited checkbox for the field to be active. Queries have the following form:

field_name operator value
  • field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
  • operator specifies the type of comparison between field_name and value. See Section 9.7.3, “Supported operators for granular search” for an overview of applicable operators.
  • value is the value used for filtering. This can be for example a name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.

For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, you can combine queries using logical operators such as and, not and has operators.

CLI procedure

  • To create a granular filter, enter the hammer filter create command with the --search option to limit permission filters, for example:

    # hammer filter create \
    --permission-ids 91 \
    --search "name ~ ccv*" \
    --role qa-user

This command adds to the qa-user role a permission to view, create, edit, and destroy content views that only applies to content views with name starting with ccv.

9.7.2. Examples of using granular permission filters

As an administrator, you can allow selected users to make changes in a certain part of the environment path. The following filter allows you to work with content while it is in the development stage of the application lifecycle, but the content becomes inaccessible once is pushed to production.

9.7.2.1. Applying permissions for the host resource type

The following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors.

hostgroup = host-editors

The following query returns records where the name matches XXXX, Yyyy, or zzzz example strings:

name ^ (XXXX, Yyyy, zzzz)

You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:

Dev

You can limit user permissions to a certain organization or location with the use of the granular permission filter in the Search field. However, some resource types provide a GUI alternative, an Override checkbox that provides the Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. For more information, see Section 9.7.2.2, “Creating an organization-specific manager role”.

9.7.2.2. Creating an organization-specific manager role

Use the Satellite web UI to create an administrative role restricted to a single organization named org-1.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Clone the existing Organization admin role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 admin.
  3. Click the desired locations and organizations to associate them with the role.
  4. Click Submit to create the role.
  5. Click org-1 admin, and click Filters to view all associated filters. The default filters work for most use cases. However, you can optionally click Edit to change the properties for each filter. For some filters, you can enable the Override option if you want the role to be able to access resources in additional locations and organizations. For example, by selecting the Domain resource type, the Override option, and then additional locations and organizations using the Locations and Organizations tabs, you allow this role to access domains in the additional locations and organizations that is not associated with this role. You can also click New filter to associate new filters with this role.

9.7.3. Supported operators for granular search

Table 9.1. Logical operators

Operator

Description

and

Combines search criteria.

not

Negates an expression.

has

Object must have a specified property.

Table 9.2. Symbolic operators

Operator

Description

=

Is equal to. An equality comparison that is case-sensitive for text fields.

!=

Is not equal to. An inversion of the = operator.

~

Like. A case-insensitive occurrence search for text fields.

!~

Not like. An inversion of the ~ operator.

^

In. An equality comparison that is case-sensitive search for text fields. This generates a different SQL query to the Is equal to comparison, and is more efficient for multiple value comparison.

!^

Not in. An inversion of the ^ operator.

>, >=

Greater than, greater than or equal to. Supported for numerical fields only.

<, ⇐

Less than, less than or equal to. Supported for numerical fields only.

Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.