To list all the available defined roles in XenServer
• Run the command: xe role-list
This command returns a list of the currently defined roles, for example:
uuid ( RO): 0165f154-ba3e-034e-6b27-5d271af109ba
name ( RO): pool-admin
description ( RO): The Pool Administrator role can do anything
uuid ( RO): b9ce9791-0604-50cd-0649-09b3284c7dfd
name ( RO): pool-operator
description ( RO): The Pool Operator can do anything but access Dom0 and mange subjects and roles
uuid ( RO): 7955168d-7bec-10ed-105f-c6a7e6e63249
name ( RO): vm-power-admin
description ( RO): The VM Power Administrator role can do anything affecting VM properties across the pool
uuid ( RO): aaa00ab5-7340-bfbc-0d1b-7cf342639a6e
name ( RO): vm-admin
description ( RO): The VM Administrator role can do anything to a VM
uuid ( RO): fb8d4ff9-310c-a959-0613-54101535d3d5
name ( RO): vm-operator
description ( RO): The VM Operator role can do anything to an already
uuid ( RO): 7233b8e3-eacb-d7da-2c95-f2e581cdbf4e
name ( RO): read-only
description ( RO): The Read-Only role can only read values
Note:
The list of roles is static, so it is not possible to add or remove roles from it, only to list the available static ones.
To display a list of current subjects:
• Run the command xe subject-list
This will return a list of XenServer users, their uuid, and the roles they are associated with:
uuid ( RO): bb6dd239-1fa9-a06b-a497-3be28b8dca44
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2244
other-config (MRO): subject-name: example01\user_vm_admin; subject-upn: [email protected]; subject-uid: 1823475908; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2244; subject-gecos: user_vm_admin; subject-displayname: user_vm_admin; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): vm-admin
uuid ( RO): 4fe89a50-6a1a-d9dd-afb9-b554cd00c01a
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2245
other-config (MRO): subject-name: example02\user_vm_op; subject-upn: [email protected]; subject-uid: 1823475909; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2245; subject-gecos: user_vm_op; subject-displayname: user_vm_op; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
subject-upn: [email protected]; subject-uid: 1823475906; subject-gid: 1823474177; subject-sid: S-1-5-21-1539997073-1618981536-2562117463-2242; subject-gecos: user_pool_op; subject-displayname: user_pool_op; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): pool-operator
To add a subject to RBAC
In order to enable existing AD users to use RBAC, you will need to create a subject instance within XenServer, either for the AD user directly, or for one of their containing groups:
1. Run the command xe subject-add subject-name=<AD user/group>
This adds a new subject instance.
To assign an RBAC role to a created subject
Once you have added a subject, you can assign it to an RBAC role. You can refer to the role by either its uuid or name:
1. Run the command:
xe subject-role-add uuid=<subject uuid> role-uuid=<role_uuid>
or
xe subject-role-add uuid=<subject uuid> role-name=<role_name>
For example, the following command adds a subject with the uuid b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 to the Pool Administrator role:
xe subject-role-add uuid=b9b3d03b-3d10-79d3-8ed7-a782c5ea13b4 role-name=pool-admin
To change a subject's RBAC role:
To change a user's role it is necessary to remove them from their existing role, and add them to a new role:
1. Run the commands:
xe subject-role-remove uuid=<subject uuid> role-name=<role_name_to_remove>
xe subject-role-add uuid=<subject uuid> role-name=<role_name_to_add>
To ensure that the new role takes effect, the user should be logged out and logged back in again (this requires the "Logout Active User Connections" permission - available to a Pool Administrator or Pool Operator).
Warning:
Once you have added or removed a pool-admin subject, there can be a delay of a few seconds for ssh sessions associated to this subject to be accepted by all hosts of the pool.
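The following is an added example, not part of the XenServer documentation: it parses the xe subject-list record format shown above to report which subjects hold which role (for example, every principal with pool-admin), and wraps the remove/add pair from the role-change procedure with a check that both role names are among the six static roles. The SAMPLE records, names, SIDs and uuids are constructed; the XE variable is an assumption that lets the helpers be dry-run with XE=echo.

```shell
#!/bin/sh
# Added example, not from the XenServer documentation: lists which RBAC role each subject
# holds by parsing the 'xe subject-list' record format shown above, and wraps the
# remove/add pair used to change a role. XE defaults to the real CLI; set XE=echo to
# dry-run. SAMPLE is constructed output: every name, SID and uuid in it is made up.
XE="${XE:-xe}"
# The six static roles returned by 'xe role-list'; the list cannot be extended.
STATIC_ROLES="pool-admin pool-operator vm-power-admin vm-admin vm-operator read-only"

SAMPLE='uuid ( RO): bb6dd239-1fa9-a06b-a497-3be28b8dca44
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2244
other-config (MRO): subject-name: example01\user_vm_admin; subject-displayname: user_vm_admin; subject-is-group: false
roles (SRO): vm-admin
uuid ( RO): 4fe89a50-6a1a-d9dd-afb9-b554cd00c01a
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-2245
other-config (MRO): subject-name: example01\user_pool_op; subject-displayname: user_pool_op; subject-is-group: false
roles (SRO): pool-operator; vm-admin
uuid ( RO): 9c0a1d2e-0000-4000-8000-000000000001
subject-identifier ( RO): S-1-5-21-1539997073-1618981536-2562117463-3001
other-config (MRO): subject-name: example01\xs-admins; subject-is-group: true
roles (SRO): pool-admin'

# Reads subject-list records on stdin; prints one "<subject-name><TAB><roles>" line each.
subject_roles() {
    awk '
        /^uuid \( RO\)/  { name = "?" }
        /subject-name: / { match($0, /subject-name: [^;]*/)
                           name = substr($0, RSTART + 14, RLENGTH - 14) }
        /^roles \(SRO\)/ { r = $0; sub(/^roles \(SRO\): */, "", r)
                           if (r == "") r = "<none>"
                           print name "\t" r }'
}

# Prints the subjects holding ROLE (exact match on one element of the role set), e.g.
# "holders_of pool-admin" shows every principal that can do anything in the pool.
holders_of() {
    subject_roles | awk -F'\t' -v role="$1" '
        { n = split($2, a, /; */); for (i = 1; i <= n; i++) if (a[i] == role) print $1 }'
}

# change_role <subject uuid> <old role> <new role>: rejects an unknown role name before
# touching anything, then issues the remove/add pair from the procedure above.
change_role() {
    for r in "$2" "$3"; do
        case " $STATIC_ROLES " in *" $r "*) ;; *) echo "unknown role: $r" >&2; return 1 ;; esac
    done
    "$XE" subject-role-remove uuid="$1" role-name="$2" &&
    "$XE" subject-role-add uuid="$1" role-name="$3"
}
```

On a live pool, replace the constructed SAMPLE with `xe subject-list | holders_of pool-admin` to review who holds full administrative rights.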
Auditing
The RBAC audit log will record any operation taken by a logged-in user.
• The message will explicitly record the Subject ID and user name associated with the session that invoked the operation.
• If an operation is invoked for which the subject does not have authorization, this will be logged.
• If the operation succeeded then this is recorded; if the operation failed then the error code is logged.
Audit log xe CLI commands
xe audit-log-get [since=<timestamp>] filename=<output filename>
This command downloads to a file all the available records of the RBAC audit file in the pool. If the optional parameter 'since' is present, then it only downloads the records from that specific point in time.
To obtain all audit records from the pool, run the following command:
xe audit-log-get filename=/tmp/auditlog-pool-actions.out
To obtain audit records of the pool since a precise millisecond timestamp, run the following command:
xe audit-log-get since=2009-09-24T17:56:20.530Z filename=/tmp/auditlog-pool-actions.out
To obtain audit records of the pool since a precise minute timestamp, run the following command:
xe audit-log-get since=2009-09-24T17:56Z filename=/tmp/auditlog-pool-actions.out