11.2. Typical Scenario of Virtuozzo Automator Security Usage
A typical sequence of actions for putting the Virtuozzo virtual environment security model to use is as follows:
- Plan and create the roles you will later assign to your users. A role is a set of privileges, i.e. actions a user is allowed to perform. A role carries no information about the particular objects (physical servers or virtual environments) on which the user may perform those actions; that binding is made later, when a permission is created.
- If you plan to join your users to certain groups, create these groups or use the groups pre-created in Virtuozzo Automator for your convenience.
- Create new users and join them to the corresponding groups, if necessary.
- If you are going to grant users from external authentication databases access to the physical server, additionally register one or more authentication databases on the physical server.
- Create permissions that assign a role to a user or group on a particular object, thus granting that user or group the right to manage the physical server and/or its virtual environments in accordance with the privileges defined by the assigned role.
Let us see how it all works with a common ‘Virtual Environment Administrator’ role.
The ‘Virtual Environment Administrator’ role is needed in virtually every datacenter, so it is no surprise that it is one of the built-in roles in Virtuozzo Automator. This role defines the set of privileges a user will be able to exercise in the context of a virtual environment. It contains no information about which particular virtual environments a given user will be able to administer. As the role is built-in, you do not have to create it, but you may want to review the privileges it includes by default and modify them if necessary:
- Click Security in the Setup group on the left Virtuozzo Automator menu.
- Click the Roles tab.
- Click the Virtual Environment Administrator role to view its properties.
- Review the privileges included in this role in the Privileges group. You are free to modify these privileges at your discretion; keep the set as small as the administrators' duties allow.
- Click Submit to save the changes.
So we have made sure that the role we need exists in Virtuozzo Automator and the necessary privileges are included in it.
Next, we should think about user groups. User groups are useful when one permission should apply to a number of users at once. However, the Virtual Environment Administrator role suggests that one particular virtual environment will be managed by one user and another virtual environment by another user. So it is logical to create a user group only if two or more users are going to administer the same virtual environment; otherwise, groups are of no use.
The users to whom you will later assign the Virtual Environment Administrator role should all be defined on the Users tab of the Security screen. This screen has a number of subtabs corresponding to the available authentication databases. This number may vary depending on the number of authentication databases available, but two databases are always present: Virtuozzo Internal and System. The users in the Virtuozzo Internal database are those that you create in Virtuozzo Automator specifically for Virtuozzo virtual environment management. On a fresh Virtuozzo Automator installation, this database is empty. The users in the System database are the regular system users of the Master Server of the Server Group.
So, you can either create the necessary number of Virtuozzo virtual environment users or use the users from external databases (listed on the respective tabs).
To be able to use Virtuozzo Automator for virtual environment administration, the users must also have the privilege to log in to Virtuozzo Automator. This privilege is separate from the permission on the virtual environment: a user who holds the Virtual Environment Administrator role on a virtual environment but cannot log in will not be able to manage it. Do not forget to enable this right when creating the role, or include the users in the pre-created Virtuozzo Automator Users group.
To have more users available without the need to create them, you can connect Virtuozzo Automator to other authentication databases, e.g. to a Windows Active Directory database.
Finally, a particular user (or group of users) should be given the right to administer a particular virtual environment. To do this, a new permission should be created. Before creating a permission, we should decide on which object the permission is set. As we want to give the user rights over one virtual environment only, that virtual environment should be chosen as the object; choose the narrowest object that covers what the user is meant to manage. Thus, you should:
- Display the list of virtual environments in the datacenter, in a logical unit, or on a physical server, and click the needed virtual environment to display its control panel.
- Click the Security tab on the virtual environment dashboard and follow the New Permission link.
- On the Add Permission screen, fill the Users and Groups area with the users and groups allowed to manage this virtual environment. Normally, it will be just one user.
- Move the Virtual Environment Administrator role to the right pane in the Assigned Roles group and click Save.
Thus, the user we have chosen now has the right to administer this particular virtual environment, and no other.
It can be seen from the scenario above that the first four steps (defining the Virtuozzo Automator roles, users, groups, and authentication databases) essentially prepare you, as the Virtuozzo Automator administrator, for working with particular permissions. These four steps are likely to be performed in detail only once, when you set up the Virtuozzo Automator security model, and then only maintained from time to time. The last step (creating a permission) is repeated each time you grant or revoke certain rights for particular users or groups.
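The model described in this scenario (roles that carry privileges but no objects, users that may come from several authentication databases, groups, and permissions that bind subjects and roles to one object) can be made concrete with a small simulation. The following is an added example written for this page, not Virtuozzo Automator code: the privilege names, the `server-group` root object on which the login right is assumed to be granted, and the way the Virtuozzo Automator Users group confers the login right are all assumptions made for the illustration. It shows the two checks a practitioner cares about: that a role assigned on one virtual environment grants nothing on another, and that a user without the login right cannot manage a virtual environment even when holding the administrator role on it.

```python
"""Toy simulation of the Virtuozzo Automator security model (added example,
not Virtuozzo code). Privilege names, the root object and the group-based
login right are assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed privilege names; the real list is shown in a role's Privileges group.
LOGIN = "login"
VE_START = "ve.start"
VE_STOP = "ve.stop"
VE_REINSTALL = "ve.reinstall"

SERVER_GROUP = "server-group"  # assumed root object for the login permission


@dataclass
class SecurityModel:
    roles: dict = field(default_factory=dict)        # role name -> frozenset(privileges)
    groups: dict = field(default_factory=dict)       # group name -> set(user ids)
    permissions: list = field(default_factory=list)  # (object, subjects, role names)

    def define_role(self, name, privileges):
        """A role is only a set of privileges; it names no objects."""
        self.roles[name] = frozenset(privileges)

    def add_to_group(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def add_permission(self, obj, subjects, roles):
        """The 'New Permission' step: bind users/groups and roles to ONE object.
        Subjects are user ids ('<database>/<name>') or group names."""
        unknown = [r for r in roles if r not in self.roles]
        if unknown:
            raise ValueError(f"undefined roles: {unknown}")
        self.permissions.append((obj, frozenset(subjects), tuple(roles)))

    def privileges_on(self, user, obj):
        """Union of privileges from every permission set on obj that names
        the user directly or one of the groups the user belongs to."""
        subjects = {user} | {g for g, members in self.groups.items() if user in members}
        privs = set()
        for p_obj, p_subjects, p_roles in self.permissions:
            if p_obj == obj and subjects & p_subjects:
                for role in p_roles:
                    privs |= self.roles[role]
        return privs

    def can_log_in(self, user):
        return LOGIN in self.privileges_on(user, SERVER_GROUP)

    def is_allowed(self, user, privilege, obj):
        """Authorization check: the user must be able to log in to Automator
        AND hold the privilege on that particular object."""
        return self.can_log_in(user) and privilege in self.privileges_on(user, obj)


def build_scenario():
    """Constructed sample setup mirroring the scenario in the text."""
    m = SecurityModel()
    m.define_role("Virtual Environment Administrator", {VE_START, VE_STOP, VE_REINSTALL})
    m.define_role("Automator Login", {LOGIN})

    # User ids carry the authentication database they were defined in.
    alice = "Virtuozzo Internal/alice"
    bob = "System/bob"
    carol = "AD/carol"            # external database, NOT in the login group

    # Assumption: the pre-created group confers the login right through a
    # permission on the root object.
    for user in (alice, bob):
        m.add_to_group("Virtuozzo Automator Users", user)
    m.add_permission(SERVER_GROUP, {"Virtuozzo Automator Users"}, ["Automator Login"])

    # One user for one VE; a group where two users share a VE.
    m.add_permission("ve:101", {alice}, ["Virtual Environment Administrator"])
    m.add_to_group("ve102-admins", bob)
    m.add_to_group("ve102-admins", carol)
    m.add_permission("ve:102", {"ve102-admins"}, ["Virtual Environment Administrator"])
    return m, alice, bob, carol


if __name__ == "__main__":
    m, alice, bob, carol = build_scenario()
    print("alice starts ve:101:", m.is_allowed(alice, VE_START, "ve:101"))  # True
    print("alice starts ve:102:", m.is_allowed(alice, VE_START, "ve:102"))  # False
    print("bob starts ve:102:  ", m.is_allowed(bob, VE_START, "ve:102"))    # True
    print("carol starts ve:102:", m.is_allowed(carol, VE_START, "ve:102"))  # False, no login right
```

The `carol` case is the one that is easy to miss in a real deployment: her permission on `ve:102` is correct and `privileges_on` reports the administrator privileges, yet `is_allowed` refuses because she was never given the login right. When auditing a setup, check both the object permission and membership in the login-granting group (or a role containing the login privilege).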