oVirt 3.6 contains new aaa-jdbc extension which stores authentication and authorization data in relational database and provides these data using standardized oVirt AAA API similarly to already existing aaa-ldap extension. In this session there will be shown aaa-jdbc features available right after oVirt 3.6 installation including user/group/password management, integration with oVirt and also extension customization.

1. oVirt 3.6 Feature 1/17
oVirt 3.6 aaa-jdbc provider
Manage your users/groups using database
Martin Peřina
Software Engineer at Red Hat

2. oVirt 3.6 Feature 2/17
Agenda
● Introduction
● Managing user/groups/passwords
● Configuration of additional domains

3. oVirt 3.6 Feature 3/17
Introduction

4. oVirt 3.6 Feature 4/17
oVirt <= 3.5 user/group management
● 'internal' domain
– provided by legacy internal provider
– only one user and no groups
– ability to change password
– admin user cannot be disabled (locked)
● LDAP domains
– provided by kerbldap and aaa-ldap providers
– unlimited numbers of users and groups
– user/group management is done by LDAP tools

5. oVirt 3.6 Feature 5/17
oVirt 3.6 user/group management
● LDAP domains
– same as in previous version
● Database domains
– provided by new aaa-jdbc provider
– unlimited number of users and groups
– user/group management is done by command line
tool
– 'internal' domain is also provided by aaa-jdbc and
it's configured during installation/upgrade

6. oVirt 3.6 Feature 6/17
aaa-jdbc features
● Complete user/group/password management using
provided command line tool
● Plugged into engine using engine AAA extension API
● Users/groups/passwords are stored in PostgreSQL
database
● Ability to provide multiple domains (stored in one or
multiple PostgreSQL databases)
● More information at
http://www.ovirt.org/Features/AAA_JDBC

7. oVirt 3.6 Feature 7/17
Managing user/groups/passwords

8. oVirt 3.6 Feature 8/17
User management
ovirt-aaa-jdbc-tool user <COMMAND> <...>
● <COMMAND>
– add
– edit
– delete
– show
– unlock

9. oVirt 3.6 Feature 9/17
Password management
ovirt-aaa-jdbc-tool user password-reset <...>
● Password can be specified in one of the following
formats:
– interactive
– on command line
– using environment variable
– using a file
– setting empty password
● By default new password expires at the same moment
as it's set

10. oVirt 3.6 Feature 10/17
Group management
ovirt-aaa-jdbc-tool group <COMMAND> <...>
● <COMMAND>
– add
– edit
– delete
– show

11. oVirt 3.6 Feature 11/17
Group membership management
ovirt-aaa-jdbc-tool group-manage <COMMAND> <...>
● <COMMAND>
– useradd
– userdel
– groupadd
– groupdel
– show

12. oVirt 3.6 Feature 12/17
Searching users/groups
ovirt-aaa-jdbc-tool query --what=<ENTITY> <...>
● <ENTITY>
– user
– group

13. oVirt 3.6 Feature 13/17
Settings management
ovirt-aaa-jdbc-tool settings <COMMAND> <...>
● <COMMAND>
– set
– show

14. oVirt 3.6 Feature 14/17
Configuration of additional domains

15. oVirt 3.6 Feature 15/17
aaa-jdbc configuration
● 'internal' domain configured during setup (using engine
database)
● additional domains can be configured manually
● each domain can be installed
– local or remote database
– unique user per domain or shared user with unique
schema name per domain

16. oVirt 3.6 Feature 16/17
aaa-jdbc configuration
● Profile is oVirt AAA extension API term for domain
● Configuration files
– /etc/ovirt-engine/extensions.d
● <PROFILE>-authn.properties
● <PROFILE>-authz.properties
– /etc/ovirt-engine/aaa
● <PROFILE>.properties
● Documentation provided in /usr/share/doc/ovirt-
engine-extension-aaa-jdbc-1.0.0/README.admin
● Templates provided in /usr/share/ovirt-engine-
extension-aaa-jdbc/examples

17. oVirt 3.6 Feature 17/17
THANK YOU!
http://www.ovirt.org
mperina@redhat.com
mperina at #ovirt (irc.oftc.net)