
Typical Scenario of Virtuozzo Containers Security Model Usage

A typical course of action for putting the Virtuozzo Containers security model to use is described below:

  1. Think over and create the roles you will then assign to your users. A role is a set of privileges, that is, actions a user is allowed to perform. However, a role carries no information about the particular objects (Hardware Nodes, Containers) on which the user may perform the actions it defines.
  2. If you plan to add your users to groups, create these groups or use the groups pre-created in Parallels Infrastructure Manager for your convenience.
  3. Create new users and add them to the corresponding groups, if necessary.
  4. If you are going to grant access to the Hardware Node to users from external authentication databases, you should additionally register one or more authentication databases on the Node.
  5. Assign a role to a user or group, thus granting that user or group the right to manage the Hardware Node and/or its Containers according to the privileges defined by the assigned role.

Let us see how it all works with a common 'Container Administrator' role.

  1. The 'Container Administrator' role is needed in virtually every datacenter, so it is no surprise that it is one of the built-in roles in Infrastructure Manager. This role defines the set of actions a user will be able to perform in the Container context. However, the role holds no information about the particular Containers that a given user will be able to administer. As this role is built-in, you do not have to create it, but you may want to see what privileges are included in it by default and modify them, if necessary:

    So we have made sure that the role we need exists in Infrastructure Manager and the necessary privileges are included in it.

  2. Next, we should think about user groups. User groups are useful when a permission has to be created for a number of users at once. However, the Container Administrator role suggests that a particular Container will be managed by a particular user and another Container by another user. So it is logical to create a user group only if two or more users are to administer the same Container; otherwise, groups are of no use.
  3. The users to whom you will later assign the Container Administrator role should all be defined on the Users tab of the Security screen. This screen has a number of subtabs corresponding to the available authentication databases. The number of subtabs varies with the number of registered authentication databases, but two databases are always present: Parallels Internal and System. The users in the Parallels Internal database are those that you create in Parallels Infrastructure Manager specifically for Virtuozzo Containers management. On a fresh Virtuozzo Containers installation, this database is empty. The users in the System database are the regular system users of the Master Node of the Virtuozzo Group.

    So, you can either create the necessary number of Virtuozzo Containers users or rely on the users from external databases (listed on the respective tabs).

    Note: To be able to use Parallels Infrastructure Manager for Container administration, the users must also have the privilege to log in to Parallels Infrastructure Manager, which can be defined in the global (Virtuozzo Group) scope only. The easiest way to grant it is to include the users in the pre-created Parallels Infrastructure Manager Users group.

  4. To have more users available without the need to create them, you can connect Parallels Infrastructure Manager to other authentication databases, e.g. to a Windows Active Directory database.
  5. Finally, a particular user (or group of users) should be given the right to administer a particular Container. For this, a new permission should be created. Before creating a permission, think about its scope. Among the four possible scopes (Virtuozzo Group, Logical Unit, Hardware Node, Container), the Container scope is clearly the one to choose here. Thus, you should:

    Thus, the user we have chosen has got the right to administer this particular Container.

It can be seen from the scenario above that the first four steps (defining the Infrastructure Manager roles, users, groups, and authentication databases) essentially prepare you, as the Infrastructure Manager administrator, for working with particular permissions in Infrastructure Manager. These four steps are likely to be performed in full only once, namely when you set up the Infrastructure Manager security model, and then only maintained from time to time. The last step (creating a permission) is done each time you grant or deny certain rights to particular users or groups.
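The roles, groups, scopes and permissions walked through above, as an added illustrative model (not Infrastructure Manager's own code): a role is only a privilege set, a permission binds a user or group to a role at one of the four scopes, and the check resolves group membership and scope coverage, treating the login privilege as valid only in the global scope. The privilege names, class names and the sample user, group and Container names are assumptions.

```python
"""Toy model of this page's security model: roles, users, groups, permissions,
scopes.  Added example, not Infrastructure Manager code; privilege names assumed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Container:
    name: str
    node: str          # Hardware Node the Container runs on
    logical_unit: str  # Logical Unit that Hardware Node belongs to

# A role is only a set of privileges; it names no objects (step 1 above).
ROLES = {
    "Container Administrator": {"start", "stop", "configure"},  # assumed
    "Infrastructure Manager Users": {"login"},                  # assumed
}

@dataclass(frozen=True)
class Permission:
    subject: str  # user or group name
    role: str     # key of ROLES
    scope: str    # "Virtuozzo Group", "Logical Unit", "Hardware Node" or "Container"
    target: str   # object the scope refers to; "*" for Virtuozzo Group

def _covers(perm: Permission, ct: Container) -> bool:
    """True if the permission's scope and target include Container ct."""
    return {
        "Virtuozzo Group": True,
        "Logical Unit": perm.target == ct.logical_unit,
        "Hardware Node": perm.target == ct.node,
        "Container": perm.target == ct.name,
    }[perm.scope]

def allowed(user, groups, perms, action, ct=None):
    """Decide whether user may perform action on Container ct.

    groups maps group name -> set of member user names.  A permission applies
    when its subject is the user or one of the user's groups, its role carries
    the privilege and its scope covers ct.  Per the note in step 3, 'login'
    counts only when granted in the global Virtuozzo Group scope.
    """
    subjects = {user} | {g for g, members in groups.items() if user in members}
    for p in perms:
        if p.subject not in subjects or action not in ROLES[p.role]:
            continue
        if action == "login":
            if p.scope == "Virtuozzo Group":
                return True
        elif ct is not None and _covers(p, ct):
            return True
    return False
```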
