Managing Users and Groups 3.0

OpenNebula supports user accounts and groups. This guide shows how to manage both. After the installation, the administrative user ''oneadmin'' and two default groups are created. You can check this with the ''oneuser list'' and ''onegroup list'' commands.

{{INLINETOC}}

====== Users ======

A user in OpenNebula is defined by a username and a password. You don't need to create a new Unix account in the front-end for each OpenNebula user; they are completely different concepts. OpenNebula users are authenticated by a session string included in every [[.:api|operation]], which is checked by the OpenNebula core. Each user has a unique ID and belongs to a group.

There are two user types in the OpenNebula system:

  * The **oneadmin** account is created **the first time** OpenNebula is started, using the credentials in the ONE_AUTH file. ''oneadmin'' has enough privileges to perform any operation on any object.
  * **Regular user** accounts must be created by ''oneadmin''. They **can only manage their own objects** (images, virtual machine templates and networks), and use **public** objects from other users in their group.

OpenNebula users should have the following environment variables set; for convenience, you may want to place them in the .bashrc of the user's Unix account:
^ **ONE_XMLRPC** | URL where the OpenNebula daemon is listening. By default, it should be **%%http://localhost:2633/RPC2%%**. See the ''PORT'' attribute in the [[.:oned_conf|Daemon configuration file]] for more information. |
^ **ONE_AUTH** | Needs to point to **a file containing just a single line stating "username:password"**. If ONE_AUTH is not defined, $HOME/.one/one_auth will be used instead. If no auth file is present, OpenNebula cannot work properly, as this is needed by the core, the CLI, and the cloud components as well. |
For instance, a user named ''regularuser'' may have the following environment:

<code>
$ tail ~/.bashrc
ONE_XMLRPC=http://localhost:2633/RPC2
export ONE_XMLRPC

$ cat ~/.one/one_auth
regularuser:password
</code>

The auth file holds the password in cleartext, so keep it readable only by its owner (''chmod 600 ~/.one/one_auth'').
:!: Please note that the example above is intended for a user interacting with OpenNebula from the front-end, but you can use it from any other computer. Just set the appropriate hostname and port in the ONE_XMLRPC variable.
===== Adding and Deleting Users =====

User accounts within the OpenNebula system are managed by ''oneadmin'' with the ''oneuser create'' and ''oneuser delete'' commands. Users can be added to the system like this:

<code>
$ oneuser create regularuser password
ID: 1

$ oneuser list
  ID GROUP    NAME            PASSWORD
   0 oneadmin oneadmin        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
   1 users    regularuser     5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

$ oneuser show regularuser
USER 1 INFORMATION
ID             : 1
NAME           : regularuser
GROUP          : 1
PASSWORD       : 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
ENABLED        : Yes
</code>

The PASSWORD column shows the SHA-1 digest of the password, not the password itself; both accounts above were created with the password ''password'', which is why they show the same digest. Note that a password given on the ''oneuser'' command line is normally recorded in the shell history of the Unix account that ran it.

The enabled flag can be ignored, as it doesn't provide any functionality. It may be used in future releases to temporarily disable users instead of deleting them.

===== Manage your Own User =====

Regular users can see their account information and change their password. For instance, as ''regularuser'' you could do the following:

<code>
$ oneuser list
[UserPoolInfo] User [1] not authorized to perform action on user.

$ oneuser show
USER 1 INFORMATION
ID             : 1
NAME           : regularuser
GROUP          : 1
PASSWORD       : 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
ENABLED        : Yes

$ oneuser passwd 1 abcdpass
</code>

As you can see, a regular user cannot list other users, but can find out their own ID with the ''oneuser show'' command without any arguments.

====== Groups ======

A group in OpenNebula makes it possible to isolate users and resources. A user can see and use the public resources (Templates, Images, Virtual Networks) in their group, but resources from other groups are completely unreachable.

There are two system groups created by default. The ''oneadmin'' group allows any user in it to perform any operation, so different users can act with the same privileges as the ''oneadmin'' user; membership of this group should therefore be limited to administrators.

===== Adding and Deleting Groups =====

You can use the ''onegroup'' command line tool to manage groups in OpenNebula. There are two groups created by default, ''oneadmin'' and ''users''.
To create new groups:

<code>
$ onegroup list
  ID NAME
   0 oneadmin
   1 users

$ onegroup create "new group"
ID: 100
ACL_ID: 2
ACL_ID: 3
</code>

The new group has ID 100, so that user-defined groups can be told apart from the system groups. When a new group is created, two ACL rules are also created to provide the default behaviour. You can learn more about ACL rules in [[.:manage_acl|this guide]], but you don't need any further configuration to start using the new group.

===== Adding Users to Groups =====

Use the ''oneuser chgrp'' command to assign users to groups:

<code>
$ oneuser chgrp -v regularuser "new group"
USER 1: Group changed

$ onegroup show 100
GROUP 100 INFORMATION
ID             : 100
NAME           : new group

USERS
  ID NAME
   1 regularuser
</code>

A user belongs to exactly one group, so to remove a user from a group, just move it back to the default ''users'' group.

====== Managing Users and Groups in Sunstone ======

All the described functionality is available graphically using [[.:sunstone|Sunstone]]:

{{ documentation:rel3.0:group_sunstone.png?400 }}
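Putting the CLI steps above together (the ''oneuser create NAME PASSWORD'' and ''oneuser chgrp NAME GROUP'' forms shown in this guide, and the single-line ''username:password'' auth file described in the Users section), the following script creates users from a list, assigns each one to a group, and writes a per-user auth file with owner-only permissions. It is an added example, not part of the OpenNebula documentation or distribution. The ''username:group'' list format, the per-user auth directory layout, the helper names, and the assumption that it runs on the front-end as ''oneadmin'' with a working ONE_AUTH session are all choices made here, not anything the page specifies. Passwords are generated from /dev/urandom rather than typed on the command line, although the 3.0 CLI still receives each one as an argument to ''oneuser create''.

```shell
#!/usr/bin/env bash
# Added example (not from the OpenNebula documentation or code base):
# onboard OpenNebula users from a "username:group" list with generated
# passwords, assign each to its group, and write a per-user ONE_AUTH file.
# Assumed (not from the page): the list format, the auth directory layout,
# and that this runs as oneadmin on the front-end with ONE_AUTH/ONE_XMLRPC set.
set -u

# 32 hex characters from the kernel CSPRNG; no echo to the terminal.
gen_password() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Write the one-line "username:password" auth file, created with 0600 so the
# cleartext credential is not readable by other Unix users on the front-end.
write_one_auth() {
  local path=$1 user=$2 pass=$3
  ( umask 077 && printf '%s:%s\n' "$user" "$pass" > "$path" ) || return 1
  chmod 600 "$path"
}

# Validate an auth file the way the core and CLI expect it: owner-only
# permissions, exactly one line, non-empty "username:password".
check_one_auth() {
  local path=$1 perm
  [ -f "$path" ] || { echo "no such auth file: $path" >&2; return 1; }
  perm=$(ls -ld "$path" | cut -c1-10)
  [ "$perm" = "-rw-------" ] || { echo "$path must be mode 0600 (is $perm)" >&2; return 1; }
  [ "$(grep -c '' "$path")" -eq 1 ] || { echo "$path must contain exactly one line" >&2; return 1; }
  grep -Eq '^[^:[:space:]]+:[^[:space:]]+$' "$path" \
    || { echo "$path is not username:password" >&2; return 1; }
}

# Create one user with the 3.0 CLI forms shown on this page, move it to its
# group, then write and verify its auth file under $auth_dir.
onboard_user() {
  local user=$1 group=$2 auth_dir=$3 pass
  pass=$(gen_password)
  oneuser create "$user" "$pass" >/dev/null || return 1
  oneuser chgrp "$user" "$group" >/dev/null || return 1
  write_one_auth "$auth_dir/$user.one_auth" "$user" "$pass" || return 1
  check_one_auth "$auth_dir/$user.one_auth"
}

# Read "username:group" lines; blank lines and '#' comments are skipped and
# an empty group means the default 'users' group. Colon separation is used
# so that group names with spaces (e.g. "new group") work.
onboard_users() {
  local list=$1 auth_dir=$2 user group
  mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
  while IFS=: read -r user group; do
    case $user in ''|'#'*) continue ;; esac
    [ -n "$group" ] || group=users
    onboard_user "$user" "$group" "$auth_dir" || { echo "failed: $user" >&2; return 1; }
  done < "$list"
}

# Only run when invoked as: ./onboard.sh --run users.txt [auth_dir]
if [ "${1:-}" = "--run" ]; then
  onboard_users "$2" "${3:-${HOME:-.}/.one/onboarded}"
fi
```

Run it as ''oneadmin'' with ''./onboard.sh --run users.txt'' (file names assumed); ''check_one_auth'' is also useful on its own against an existing $HOME/.one/one_auth, since it rejects a file that is world-readable or contains more than one line, both of which cause the CLI and core to misbehave.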