Configuring operating system users and groups
By default, PowerVC uses the local operating system to manage users and groups. To avoid exposing all of the system's users and groups, such as those for system accounts, PowerVC supports both user and group filtering. Only users and groups which match the corresponding filter will be exposed in PowerVC.
About this task
When you install or upgrade PowerVC, default user and group filters are created. On a new installation, a new group named powervc-filter is created, the default user (root) is added to that group, and the filters are configured so that only that the powervc-filter group and its members are visible to PowerVC.
- The powervc-filter group and all of its members
- Any group that already had a PowerVC role assignment and all of their members
Typeindicates that the identity backend has been by default configured to use the local OS registry. The below filters indicate that only OS users who are members of OS group named
powervc-filterand OS group with name
powervc-filterare be visible to PowerVC. With the below configuration, for a new OS user to be visible, add the user to the
# powervc-config identity repository Type: os User filter: (memberOf=powervc-filter) Group filter: (name=powervc-filter)
- PowerVC backups include information about the configured
user and group filters. However, PowerVC does not create users or groups, or
adjust group memberships at the time of restore. If operating system users and groups are configured
differently when the backup is restored, this might lead to issues.
For example, if the system on which the restore is being performed does not have the same users in the powervc-filter group, those users will not be seen in PowerVC after restore. Some role assignments might no longer work because the user or group to which they were granted does not exist or is not visible based on the user and group filters.
Before performing a restore operation, ensure that the system where restore is performed has the same set of PowerVC OS users or groups with the right group membership as on that of the PowerVC system from where backup has been taken.
- For the authentication to be successful with local OS driver, keystone user must be able to run the su command and login as PowerVC end users.
Make a user or group visible to PowerVC
usermod -a -G powervc-filter user1
Creating and updating a filter
To create or update a filter, run the powervc-config identity repository CLI
with the appropriate attributes, as listed in the following tables. Every time you run this command,
it replaces the existing filter. Therefore, it is recommended that you view the current filter
before updating the filter by running
powervc-config identity repository.
powervc-config identity repository -t os --user-filter "(|(memberOf=power1)(memberOf=power2)(memberOf=power3))" --group-filter "(|(name=power1)(name=power2)(name=power3))"
useradd new_user (set user password using passwd) groupadd new_group usermod -a -G new_group new_user powervc-config identity repository -t os --user-filter "(|(memberOf=powervc-filter)(memberOf=new_group))" --group-filter "(|(name=powervc-filter)(name=new_group))"
powervc-config identity repository -t os --user-filter None --group-filter None
Values and operators
|User filter||Limits which users are visible to PowerVC. Only the
|Group filter||Limits which groups are visible to PowerVC. Only the
pvcand who are members of the group