Configuring operating system users and groups

By default, PowerVC uses the local operating system to manage users and groups. To avoid exposing all of the system's users and groups, such as those for system accounts, PowerVC supports both user and group filtering. Only users and groups which match the corresponding filter will be exposed in PowerVC.

About this task

When you install or upgrade PowerVC, default user and group filters are created. On a new installation, a new group named powervc-filter is created, the default user (root) is added to that group, and the filters are configured so that only the powervc-filter group and its members are visible to PowerVC.

On an upgrade from a PowerVC version earlier than 1.3.2, a new group named powervc-filter is created and any user that had a PowerVC role assignment is added to that group. The default filters are configured so that these users and groups are visible to PowerVC:
  • The powervc-filter group and all of its members
  • Any group that already had a PowerVC role assignment and all of its members

View filters

Default values on a freshly installed PowerVC appear as shown below. The Type line indicates that the identity backend is configured by default to use the local OS registry. The filters below mean that only the OS group named powervc-filter, and only the OS users who are members of that group, are visible to PowerVC. With this configuration, to make a new OS user visible, add the user to the powervc-filter OS group.
# powervc-config identity repository
Type: os
User filter: (memberOf=powervc-filter)
Group filter: (name=powervc-filter)
Notes:
  • PowerVC backups include information about the configured user and group filters. However, PowerVC does not create users or groups, or adjust group memberships at the time of restore. If operating system users and groups are configured differently when the backup is restored, this might lead to issues.

    For example, if the system on which the restore is being performed does not have the same users in the powervc-filter group, those users will not be seen in PowerVC after restore. Some role assignments might no longer work because the user or group to which they were granted does not exist or is not visible based on the user and group filters.

    Before performing a restore operation, ensure that the system where the restore is performed has the same set of PowerVC OS users and groups, with the same group memberships, as the PowerVC system from which the backup was taken.

  • For authentication to succeed with the local OS driver, the keystone user must be able to run the su command and log in as the PowerVC end users.

Make a user or group visible to PowerVC

Because the default filter matches all members of the powervc-filter group, the easiest way to make a user visible to PowerVC is to make the user a member of that group. For example, to modify user1 to be a secondary member of the group powervc-filter, run this command:

usermod -a -G powervc-filter user1
To make additional groups visible to PowerVC, you must update the group filter.
Note: In a multinode setup, make sure that the username and password are the same on all nodes.

Creating and updating a filter

To create or update a filter, run the powervc-config identity repository command with the appropriate attributes, as listed in the following tables. Every time you run this command, it replaces the existing filter. Therefore, it is recommended that you view the current filter before updating it by running powervc-config identity repository with no attributes.

Example 1: This command creates a filter so that PowerVC can see all of the users that are members of the groups power1, power2, or power3, and can also see any groups that are named power1, power2, or power3:
powervc-config identity repository -t os --user-filter "(|(memberOf=power1)(memberOf=power2)(memberOf=power3))" \
     --group-filter "(|(name=power1)(name=power2)(name=power3))"
Note: You have to update both filters if you update either filter.
Example 2: The following commands make a new user, and a new group that the user is a member of, visible to PowerVC. If the user filter is not also updated to include the new group, the users in the new group will not be visible.
useradd new_user
passwd new_user
groupadd new_group
usermod -a -G new_group new_user
powervc-config identity repository -t os --user-filter "(|(memberOf=powervc-filter)(memberOf=new_group))" --group-filter "(|(name=powervc-filter)(name=new_group))"
Example 3: To remove the user and group filters, run the following command. This makes all OS users and groups visible to PowerVC without any filtering, and is therefore not recommended.
powervc-config identity repository -t os --user-filter None --group-filter None

Values and operators

When creating filters, you can use these values and operators:
Table 1. Available attributes to use when working with user and group filters
  • User filter
    Description: Limits which users are visible to PowerVC. Only the name and memberOf elements are accepted. The default is "(memberOf=powervc-filter)".
    Example: --user-filter "(&(name=user*)(memberOf=powervc-filter))"
  • Group filter
    Description: Limits which groups are visible to PowerVC. Only the name element is accepted. The default is "(name=powervc-filter)".
    Example: --group-filter "(|(name=team1)(name=team2)(name=team3))"

Table 2. Accepted operators
  • * (wild card)
    (name=*): All users are visible.
    (name=User*): All users that start with User are visible.
  • ! (is not)
    (!(name=service*)): All users that do not start with service are visible.
  • | (or)
    (|(name=root)(name=sara)(name=bob)): PowerVC can see users named root, sara, or bob.
  • & (and)
    (&(name=pvc*)(memberOf=powervc-filter)): PowerVC can see only users whose name starts with pvc and who are members of the group powervc-filter.
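As an added example (not part of the PowerVC documentation or product code), the following Python evaluates the filter syntax from Tables 1 and 2 against a constructed OS registry, so that a candidate filter can be previewed before powervc-config identity repository replaces the current one (Examples 1 to 3 above). The users, groups and memberships in USERS and GROUPS are constructed; the string "None" reproduces the unfiltered behaviour of Example 3.

```python
import fnmatch

# Constructed sample OS registry (not a real system): user -> set of groups it belongs to
USERS = {"root": {"root", "powervc-filter"}, "user1": {"user1", "powervc-filter"},
         "pvcadmin": {"pvcadmin", "powervc-filter", "power1"},
         "sara": {"sara", "power2"}, "service1": {"service1"}}
GROUPS = {"root", "powervc-filter", "power1", "power2", "user1", "pvcadmin", "sara", "service1"}

def parse(s, i=0):
    """Recursive-descent parser for (attr=value), (!F), (|F F ...) and (&F F ...)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "!|&":                      # compound node: operator followed by child filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # s[i] is the closing ')'
    end = s.index(")", i)                  # leaf node: attribute=value, '*' is a wildcard
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip(), value.strip()), end + 1

def matches(node, entity):
    """entity maps 'name' and (for users) 'memberOf' to sets of strings."""
    if node[0] == "=":
        _, attr, pattern = node            # unknown attributes never match: only name/memberOf exist
        return any(fnmatch.fnmatchcase(v, pattern) for v in entity.get(attr, ()))
    op, kids = node
    if op == "!":
        return not matches(kids[0], entity)
    return (any if op == "|" else all)(matches(k, entity) for k in kids)

def visible_users(user_filter):
    if user_filter == "None":              # Example 3: no filter, every OS user is exposed
        return sorted(USERS)
    tree, _ = parse(user_filter)
    return sorted(u for u, g in USERS.items() if matches(tree, {"name": {u}, "memberOf": g}))

def visible_groups(group_filter):
    if group_filter == "None":
        return sorted(GROUPS)
    tree, _ = parse(group_filter)
    return sorted(g for g in GROUPS if matches(tree, {"name": {g}}))

def user_filter_diff(old_filter, new_filter):
    """The CLI replaces the filter outright, so preview who gains and who loses visibility."""
    old, new = set(visible_users(old_filter)), set(visible_users(new_filter))
    return sorted(new - old), sorted(old - new)
```

Run user_filter_diff with the output of powervc-config identity repository as the old filter and the intended new filter to confirm that only the expected users change visibility.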