Administering User and Group Accounts from the Command Line
The following sections describe the common tasks that can be
performed to administer user accounts using the
ovirt-aaa-jdbc-tool command utility. This
utility is used to manage user and group accounts on the internal
domain. To view a list of all available options for managing user and
group accounts, run the ovirt-aaa-jdbc-tool
--help command.
Note:
Changes made using the ovirt-aaa-jdbc-tool
command utility take effect immediately and do not require you
to restart the Manager.
Creating a New User Account
The ovirt-aaa-jdbc-tool user add command is
used to create user accounts.
To create a new user account:
-
Log in to the host that is running the Manager.
-
Create a new user account.
    ovirt-aaa-jdbc-tool user add username option
For example, create a new user account and add a first and last name to associate with the account.
    ovirt-aaa-jdbc-tool user add test1 --attribute=firstName=John --attribute=lastName=Doe
    adding user test1...
    user added successfully
    Note: by default created user cannot log in. see: /usr/bin/ovirt-aaa-jdbc-tool user password-reset --help.
To view a full list of options available for creating a user account, run the ovirt-aaa-jdbc-tool user add --help command.
Note:
After creating a new user account, you must set a password so that the user can log in. See Setting the Password for a User Account.
-
Add the newly created user in the Administration Portal and assign the user appropriate roles and permissions. See Assigning Permissions to Users and Groups.
Setting the Password for a User Account
The ovirt-aaa-jdbc-tool user password-reset
command is used to set (or reset) the password for a user account.
Note:
You must set a value for the --password-valid-to option; otherwise, the password expiry time defaults to the time of the last login.
By default, the password policy for user accounts on the internal domain has the following restrictions:
- A user password must be a minimum length of 6 characters.
- When resetting a password, you cannot use the three previous passwords used for the user account.
For more information on the password policy and other default settings, run the ovirt-aaa-jdbc-tool settings show command.
To set (or reset) the password for a user account:
- From a command line, log into the host running the Manager.
- Set (or reset) the password for a user account.
    ovirt-aaa-jdbc-tool user password-reset username --password-valid-to "yyyy-MM-dd HH:mm:ssZ"
For example, set a user password. In the example, -0800 stands for GMT minus 8 hours.
    ovirt-aaa-jdbc-tool user password-reset test1 --password-valid-to="2025-08-01 12:00:00-0800"
    Password:
    Reenter password:
    updating user test1...
    user updated successfully
Editing User Information
The ovirt-aaa-jdbc-tool user edit command is
used to edit user information associated with a user account.
To edit user information:
-
Log in to the host that is running the Manager.
-
Edit the user account.
    ovirt-aaa-jdbc-tool user edit username option
For example, edit a user account by adding an email address to associate with this user.
    ovirt-aaa-jdbc-tool user edit test1 --attribute=email=jdoe@example.com
    updating user test1...
    user updated successfully
To view a full list of options available for editing user information, run the ovirt-aaa-jdbc-tool user edit --help command.
Viewing User Information
The ovirt-aaa-jdbc-tool user show command is
used to display user information.
To view detailed user information:
- From a command line, log into the host running the Manager.
- Display information about a user.
    ovirt-aaa-jdbc-tool user show username
For example:
    ovirt-aaa-jdbc-tool user show test1
    -- User test1(e9e4b7d0-8ffd-45a3-b6ea-1f519238e766) --
    Namespace: *
    Name: test1
    ID: e9e4b7d0-8ffd-45a3-b6ea-1f519238e766
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-26 18:59:16Z
    Account Valid To: 2219-08-26 18:59:16Z
    Account Without Password: false
    Last successful Login At: 2019-08-27 15:21:20Z
    Last unsuccessful Login At: 2019-08-27 15:20:59Z
    Password Valid To: 2025-08-01 20:00:00Z
Removing a User
The ovirt-aaa-jdbc-tool user delete command is used to remove a user.
- From a command line, log into the host running the Manager.
- Remove a user.
    ovirt-aaa-jdbc-tool user delete username
For example:
    ovirt-aaa-jdbc-tool user delete test1
    deleting user test1...
    user deleted successfully
Disabling User Accounts
You can disable users on the local domains, including the
internal admin user that is created
when you run the engine-setup command.
Important:
Make sure you have at least one user in the environment with
full administrative permissions before disabling the default
internal administrative user account (admin
user). The SuperUser role gives a user full
administrative permissions.
To disable a user:
-
Log in to the host that is running the Manager.
-
Disable the user.
    ovirt-aaa-jdbc-tool user edit username --flag=+disabled
The following example shows how to disable the admin user.
    ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
    updating user admin...
    user updated successfully
Note:
If for some reason you need to re-enable the internal admin user after it has been disabled, you can do so by running the ovirt-aaa-jdbc-tool user edit admin --flag=-disabled command.
Creating Group Accounts
The ovirt-aaa-jdbc-tool command is used to
create and manage group accounts on the internal domain.
Managing group accounts is similar to managing user accounts. To
view all available options for managing group accounts, run the
ovirt-aaa-jdbc-tool group --help command.
Common examples are provided in this section.
- Creating a Group
-
To create a group account:
- Log in to the host that is running the Manager.
- Create a new group account.
    ovirt-aaa-jdbc-tool group add group-name
For example:
    ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
Note:
Users must be created before they can be added to groups.
- Add users to the group:
    ovirt-aaa-jdbc-tool group-manage useradd group-name --user=username
For example:
    ovirt-aaa-jdbc-tool group-manage useradd group1 --user test1
    updating user group1...
    user updated successfully
To view a full list of the options for adding or removing members to and from groups, run the ovirt-aaa-jdbc-tool group-manage --help command.
- Display group account details.
    ovirt-aaa-jdbc-tool group show group-name
For example:
    ovirt-aaa-jdbc-tool group show group1
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
-
Add the newly created group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.
The users in the group inherit the roles and permissions of the group.
- Creating Nested Groups
-
To create nested groups:
- Log in to the host that is running the Manager.
- Create the first group account.
    ovirt-aaa-jdbc-tool group add group1
For example:
    ovirt-aaa-jdbc-tool group add group1
    adding group group1...
    group added successfully
- Create the second group account.
    ovirt-aaa-jdbc-tool group add group2
For example:
    ovirt-aaa-jdbc-tool group add group2
    adding group group2...
    group added successfully
- Add the second group to the first group.
    ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
For example:
    ovirt-aaa-jdbc-tool group-manage groupadd group1 --group=group2
    updating group group1...
    group updated successfully
-
Add the first group in the Administration Portal and assign the group appropriate roles and permissions. See Assigning Permissions to Users and Groups.
Removing a Group Account
- Log in to the host that is running the Manager.
- Remove a group account.
    ovirt-aaa-jdbc-tool group delete group-name
For example:
    ovirt-aaa-jdbc-tool group delete group3
    deleting group group3...
    group deleted successfully
Querying Users and Groups
The ovirt-aaa-jdbc-tool query command is used
to query user and group information. To view a full list of
options available for querying users and groups, run the
ovirt-aaa-jdbc-tool query --help command.
Listing All User or Group Account Details
To list all account information:
-
From a command line, log into the host running the Manager.
-
Display account details.
- List all user account details.
    ovirt-aaa-jdbc-tool query --what=user
For example, the sample output from the ovirt-aaa-jdbc-tool query --what=user command.
    ovirt-aaa-jdbc-tool query --what=user
    -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
    Namespace: *
    Name: test2
    ID: 35e8b35e-2320-45da-b59e-1076b521d13f
    Display Name:
    Email:
    First Name: Jane
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-09-06 16:51:32Z
    Account Valid To: 2219-09-06 16:51:32Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 17:12:08Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User admin(89559d7f-3b48-420b-bd4d-2790122c199b) --
    Namespace: *
    Name: admin
    ID: 89559d7f-3b48-420b-bd4d-2790122c199b
    Display Name:
    Email:
    First Name: admin
    Last Name:
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 2019-03-07 11:09:07Z
    Account Valid From: 2019-01-24 21:18:11Z
    Account Valid To: 2219-01-24 21:18:11Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 18:10:11Z
    Last unsuccessful Login At: 2019-09-06 18:09:36Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
    Namespace: *
    Name: test1
    ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-29 18:15:20Z
    Account Valid To: 2219-08-29 18:15:20Z
    Account Without Password: false
    Last successful Login At: 1970-01-01 00:00:00Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
- List all group account details.
    ovirt-aaa-jdbc-tool query --what=group
For example, the sample output from the ovirt-aaa-jdbc-tool query --what=group command.
    ovirt-aaa-jdbc-tool query --what=group
    -- Group group2(d6e0b913-d038-413a-b732-bc0c33ea1ed4) --
    Namespace: *
    Name: group2
    ID: d6e0b913-d038-413a-b732-bc0c33ea1ed4
    Display Name:
    Description:
    -- Group group1-1(e43ba527-6256-4c29-bd7a-0fb08b990b72) --
    Namespace: *
    Name: group1-1
    ID: e43ba527-6256-4c29-bd7a-0fb08b990b72
    Display Name:
    Description:
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description:
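The user listing above carries the fields an account review needs: disabled and locked flags, last successful login, and password expiry. The following script is an added example, not part of the product documentation; the function names audit_users and sample_users are hypothetical, and it assumes the tool prints one "Key: value" field per line with timestamps in UTC, as in the sample output.

```shell
#!/bin/sh
# Added example (not from the product documentation): flag accounts worth
# reviewing in `ovirt-aaa-jdbc-tool query --what=user` output read on stdin.
# $1 is the reference time; it defaults to the current UTC time.
audit_users() {
    awk -v now="${1:-$(date -u '+%Y-%m-%d %H:%M:%SZ')}" '
    function emit(   notes, pw) {
        if (name == "") return
        if (f["Account Disabled"] == "true") notes = notes " disabled"
        if (f["Account Locked"] == "true")   notes = notes " locked"
        # The sample output prints the epoch when a user has never logged in.
        if (f["Last successful Login At"] ~ /^1970-01-01/) notes = notes " never-logged-in"
        # Timestamps are printed in UTC (Z), so they order correctly as strings.
        pw = f["Password Valid To"]
        if (pw != "" && (pw "") < (now "")) notes = notes " password-expired"
        print name ":" (notes == "" ? " ok" : notes)
        split("", f); name = ""
    }
    # A record header looks like: -- User test1(<id>) --
    /^[ \t]*-- User / { emit(); name = $3; sub(/\(.*/, "", name); next }
    {
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[key] = val
    }
    END { emit() }'
}

# Constructed sample input: records abbreviated to the fields checked above,
# with test2 marked disabled for illustration.
sample_users() {
    cat <<'EOF'
-- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
Name: test1
Account Disabled: false
Account Locked: false
Last successful Login At: 1970-01-01 00:00:00Z
Password Valid To: 2025-08-01 20:00:00Z
-- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
Name: test2
Account Disabled: true
Account Locked: false
Last successful Login At: 2019-09-06 17:12:08Z
Password Valid To: 2025-08-01 20:00:00Z
EOF
}
```

On the Manager host, pipe the real listing into the function: ovirt-aaa-jdbc-tool query --what=user | audit_users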
Listing Filtered Account Details
To apply filters when listing account information:
- From a command line, log into the host running the Manager.
- Filter account details using the --pattern keyword.
- List user accounts based on a pattern.
    ovirt-aaa-jdbc-tool query --what=user --pattern=attribute=value
For example, filter the output of the ovirt-aaa-jdbc-tool query command to display only user accounts whose first name starts with the character J.
    ovirt-aaa-jdbc-tool query --what=user --pattern="firstName=J*"
    -- User test1(e75956a8-6ebf-49d7-94fa-504afbfb96ad) --
    Namespace: *
    Name: test1
    ID: e75956a8-6ebf-49d7-94fa-504afbfb96ad
    Display Name:
    Email: jdoe@example.com
    First Name: John
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-08-29 18:15:20Z
    Account Valid To: 2219-08-29 18:15:20Z
    Account Without Password: false
    Last successful Login At: 1970-01-01 00:00:00Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
    -- User test2(35e8b35e-2320-45da-b59e-1076b521d13f) --
    Namespace: *
    Name: test2
    ID: 35e8b35e-2320-45da-b59e-1076b521d13f
    Display Name:
    Email:
    First Name: Jane
    Last Name: Doe
    Department:
    Title:
    Description:
    Account Disabled: false
    Account Locked: false
    Account Unlocked At: 1970-01-01 00:00:00Z
    Account Valid From: 2019-09-06 16:51:32Z
    Account Valid To: 2219-09-06 16:51:32Z
    Account Without Password: false
    Last successful Login At: 2019-09-06 17:12:08Z
    Last unsuccessful Login At: 1970-01-01 00:00:00Z
    Password Valid To: 2025-08-01 20:00:00Z
- List groups based on a pattern.
    ovirt-aaa-jdbc-tool query --what=group --pattern=attribute=value
For example, filter the output of the ovirt-aaa-jdbc-tool query command to display only group account details that match the description documentation-group.
    ovirt-aaa-jdbc-tool query --what=group --pattern="description=documentation-group"
    -- Group group1(f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829) --
    Namespace: *
    Name: group1
    ID: f23ca27c-1d6a-4f6e-8c3e-1e03e8e56829
    Display Name:
    Description: documentation-group
Managing Account Settings
The ovirt-aaa-jdbc-tool settings command is
used to change the default account settings.
To change the default account settings:
-
Log in to the host that is running the Manager.
-
(Optional) Display all the settings that are available.
    ovirt-aaa-jdbc-tool settings show
-
Change the desired settings.
    ovirt-aaa-jdbc-tool settings set --name=setting-name --value=value