Prior to the 1.3.2 release, PowerVC supported user and group filtering for LDAP identity backends, but not for the local OS. Without filtering, every user and group in the identity backend is visible through PowerVC. That does not mean they all have a PowerVC role assignment, so most of them cannot log in, but their information is exposed to anyone who is allowed to view users and groups in PowerVC. For example, the `openstack user list` CLI command would list system accounts created during OS installation or by add-on software alongside the accounts that represent real people and processes relevant to PowerVC. Not only does this expose information you may not want to expose, it also makes it harder to find the user or group you are looking for in a list that is longer than it needs to be.
With the 1.3.2 release, PowerVC has closed this gap by adding user and group filtering support for local OS users. The new support works just like the pre-existing user and group filtering for LDAP identity backends. You can read more about this in the PowerVC Knowledge Center topic PowerVC-Config-Users-Groups.

Previous Behaviour
In previous PowerVC releases, all local OS users and groups were visible to PowerVC. Many of these users and groups are not relevant to PowerVC; however, there was no mechanism to filter them out. The following example demonstrates the display of many users and groups that have nothing to do with PowerVC.

Filter support in PowerVC 1.3.2
With PowerVC 1.3.2, default user and group filters are set during installation or upgrade. You can run the ‘powervc-config identity repository’ command to view the current identity backend configuration. Here it was run right after a new PowerVC install, so it shows the default values.
With these default filters, only the OS users that are members of the group ‘powervc-filter’ are visible to PowerVC. Similarly, the only group that is visible in PowerVC is the one named ‘powervc-filter’. You will also notice that the OpenStack user list and group list command output is greatly reduced compared to previous releases.

How can I make users and groups visible to PowerVC?
In previous releases, any OS user or group could be given a PowerVC role assignment, allowing them to log in to PowerVC. However, starting with PowerVC 1.3.2, you will only be able to give role assignments to users and groups that are visible to PowerVC. There are two ways you can ensure that your OS user is visible to PowerVC.
1. By adding the OS user to the ‘powervc-filter’ group. This works because memberOf=powervc-filter is already set as a user filter. This is the simplest method.
2. By updating the user filtering configuration. In the following example, the user filter is updated so that all users who are members of the group powervc-filter or who are named user2 are visible. Note that updating the user filter replaces the current filter rather than appending to it, so you must specify every term you want each time you run the command. If you run the command with only the new terms, the existing terms are dropped and the filter contains only the new ones.
Command : powervc-config identity repository -t os --user-filter "(|(memberOf=powervc-filter)(name=user2))" --group-filter "(|(name=powervc-filter))"
Similar steps can be followed to ensure that an OS group is visible in PowerVC. In the following example, the group filter configuration is updated such that both the powervc-filter and group1 groups are visible. Once a user or group is visible, you can assign a PowerVC role to that user or group as in previous releases.
Command : powervc-config identity repository -t os --user-filter "(|(memberOf=powervc-filter)(name=user2)(memberOf=group1))" --group-filter "(|(name=powervc-filter)(name=group1))"

How can I disable all user and group filters?
Disabling filters would mean that all OS users and groups are visible to PowerVC. This is not recommended, but can be achieved by using powervc-config to set the filters to “None” as shown here.
Command : powervc-config identity repository -t os --user-filter None --group-filter None

What are the different values I can give to these filters?
The user and group filters can use a combination of the standard LDAP filter operators OR (|), AND (&), NOT (!) and the wildcard (*). The example below highlights the use of these operators in a complex user filter. (Please note that the ‘memberOf’ attribute is not applicable for a group filter: a group filter can only match on the group name.)
The filter below makes visible to PowerVC all OS users who are either named ‘admin’, or are a member of the group named ‘dept_it’ and have a user name that does NOT start with ‘emp2’. The complex filter can be broken down as follows for easier comprehension.
1. (name=admin) specifies that the user’s name is admin.
2. (memberOf=dept_it) specifies that the users are members of a group named dept_it
3. (name=emp2*) specifies that user names start with ‘emp2’, and (!(name=emp2*)) specifies that user names do not start with ‘emp2’.
4. (&(memberOf=dept_it)(!(name=emp2*))) specifies that users are members of a group named ‘dept_it’ and have names that do not start with ‘emp2’.
Command : powervc-config identity repository -t os --user-filter "(|(name=admin)(&(memberOf=dept_it)(!(name=emp2*))))" --group-filter "(|(name=dept_it))"
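To make the filter semantics concrete, here is an added example, written for this article and not PowerVC code, that evaluates filters in the syntax shown above against a small constructed set of local OS users and groups. It assumes the standard LDAP search-filter meaning of |, &, ! and the * wildcard, that memberOf matches any group the user belongs to, and that the value None disables filtering; the account names and memberships are made up. It also reproduces the pitfall from the "How can I make users and groups visible" section: a filter update replaces the previous filter, so naming only the new user drops the existing powervc-filter members.

```python
"""Model of PowerVC-style LDAP filters applied to local OS users and groups.

Added example for this article, not PowerVC code.  Assumes the filter grammar
is the LDAP search-filter syntax shown on the page: (|...), (&...), (!...) and
(attr=value) with '*' as a wildcard, where 'name' is the account name and
'memberOf' is any group the user belongs to.  The accounts are constructed.
"""
import re

# Constructed sample data: user name -> set of groups the user is a member of
# (primary or supplementary), in the style of /etc/passwd plus /etc/group.
USERS = {
    "root": {"root"},
    "daemon": {"daemon"},
    "admin": {"admin"},
    "user1": {"users", "powervc-filter"},
    "user2": {"users"},
    "emp101": {"dept_it"},
    "emp201": {"dept_it"},
    "emp202": {"dept_it", "powervc-filter"},
}
GROUPS = ["root", "daemon", "admin", "users", "powervc-filter", "dept_it", "group1"]

# Defaults as described in the article for a fresh 1.3.2 install.
DEFAULT_USER_FILTER = "(|(memberOf=powervc-filter))"
DEFAULT_GROUP_FILTER = "(|(name=powervc-filter))"


def parse_filter(text):
    """Parse an LDAP-style filter string into a nested tuple tree."""
    pos, node = _parse(text, 0)
    if text[pos:].strip():
        raise ValueError("trailing text after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    while i < len(s) and s[i].isspace():   # tolerate spaces between components
        i += 1
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    op = s[i]
    if op in "|&":                         # OR / AND over any number of children
        i += 1
        children = []
        while True:
            while s[i].isspace():
                i += 1
            if s[i] == ")":
                break
            i, child = _parse(s, i)
            children.append(child)
        return i + 1, (op, children)
    if op == "!":                          # NOT over exactly one child
        i, child = _parse(s, i + 1)
        while s[i].isspace():
            i += 1
        if s[i] != ")":
            raise ValueError("unclosed '!' at offset %d" % i)
        return i + 1, ("!", [child])
    end = s.index(")", i)                  # simple item: attr=value
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError("bad filter item %r" % s[i:end])
    return end + 1, ("=", attr.strip(), value.strip())


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def matches(node, record):
    """Evaluate a parsed filter against a record of attr -> set of values."""
    kind = node[0]
    if kind == "|":
        return any(matches(c, record) for c in node[1])
    if kind == "&":
        return all(matches(c, record) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], record)
    _, attr, pattern = node
    return any(_wildcard_match(pattern, v) for v in record.get(attr, ()))


def visible_users(user_filter, users=USERS):
    """Names of users that pass the filter; None (or 'None') disables filtering."""
    if user_filter in (None, "None"):
        return sorted(users)
    tree = parse_filter(user_filter)
    return sorted(
        name for name, groups in users.items()
        if matches(tree, {"name": {name}, "memberOf": set(groups)})
    )


def visible_groups(group_filter, groups=GROUPS):
    """Group names that pass the filter; 'memberOf' is not defined for groups."""
    if group_filter in (None, "None"):
        return sorted(groups)
    tree = parse_filter(group_filter)
    return sorted(g for g in groups if matches(tree, {"name": {g}}))


if __name__ == "__main__":
    print("default  :", visible_users(DEFAULT_USER_FILTER), visible_groups(DEFAULT_GROUP_FILTER))
    print("add user2:", visible_users("(|(memberOf=powervc-filter)(name=user2))"))
    # Pitfall: the new filter REPLACES the old one, so naming only the new
    # user silently drops the powervc-filter members (user1, emp202).
    print("only user2:", visible_users("(|(name=user2))"))
    print("complex  :", visible_users("(|(name=admin)(&(memberOf=dept_it)(!(name=emp2*))))"))
    print("unfiltered:", visible_users("None"))
```

Running the script prints the visible user set for each filter; the unfiltered case shows why disabling filters is discouraged, since every system account (root, daemon, and so on) becomes visible. PowerVC's own matching code may differ in details such as whitespace handling, so treat this as a way to reason about a filter before you apply it, not as a substitute for checking `openstack user list` afterwards.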
Check the PowerVC 1.3.2 Knowledge Center for more information on the attributes that are supported for user and group filters.

Handling user and group filters during an upgrade
When PowerVC is upgraded to 1.3.2 from a previous release, the filters are automatically configured so that every user and group that had a role assignment before the upgrade stays visible. For users, this is done by adding every group that has a role assignment to the user filter (so that its members are visible), alongside the new powervc-filter group, and then making any user with a role assignment a member of the powervc-filter group if that user is not already a member of a group that has a role assignment. For groups, this is done by adding every group that has a role assignment to the group filter (so that the groups themselves are visible). In the following example, ‘admin’, ‘viewer’, ‘group_1’ and ‘group_2’ are all groups that had role assignments in the previous release.
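The following added example (written for this article, not PowerVC's upgrade code) models those rules on a constructed pre-upgrade state: a list of groups and users that hold roles, and each user's group memberships. The term order inside the filters (powervc-filter first, then the role-assigned groups in the order given) and the assumption that powervc-filter remains in the group filter are my choices; the real upgrade may order or format them differently.

```python
"""Model of how the 1.3.2 upgrade derives filters from existing role assignments.

Added example for this article, not PowerVC's upgrade code.  It follows the
rules stated in the text; the ordering of the OR terms and the presence of
powervc-filter in the group filter are assumptions.  All data is constructed.
"""

FILTER_GROUP = "powervc-filter"

# Constructed pre-upgrade state: OS groups and users that hold PowerVC roles,
# and the groups each user belongs to.
ROLE_GROUPS = ["admin", "viewer", "group_1", "group_2"]
ROLE_USERS = ["alice", "bob", "carol"]
MEMBERSHIP = {
    "alice": {"admin"},             # already exposed by memberOf=admin
    "bob": {"users"},               # role holder not in any role-assigned group
    "carol": {"group_2", "users"},  # already exposed by memberOf=group_2
    "dave": {"users"},              # no role: must remain invisible
}


def upgrade_filters(role_groups, role_users, membership):
    """Return (user_filter, group_filter, users_to_add_to_powervc_filter)."""
    exposed_groups = [FILTER_GROUP] + list(role_groups)
    user_filter = "(|%s)" % "".join("(memberOf=%s)" % g for g in exposed_groups)
    group_filter = "(|%s)" % "".join("(name=%s)" % g for g in exposed_groups)
    # Users with a direct role assignment that no role-assigned group already
    # covers are made members of powervc-filter so the user filter exposes them.
    role_group_set = set(role_groups)
    to_add = sorted(
        u for u in role_users
        if not (membership.get(u, set()) & role_group_set)
    )
    return user_filter, group_filter, to_add


def visible_after_upgrade(role_groups, role_users, membership):
    """Users the derived user filter exposes once the group additions are applied."""
    _, _, to_add = upgrade_filters(role_groups, role_users, membership)
    after = {u: set(g) for u, g in membership.items()}
    for u in to_add:
        after.setdefault(u, set()).add(FILTER_GROUP)
    exposed = set(role_groups) | {FILTER_GROUP}
    return sorted(u for u, g in after.items() if g & exposed)


if __name__ == "__main__":
    uf, gf, add = upgrade_filters(ROLE_GROUPS, ROLE_USERS, MEMBERSHIP)
    print("user filter :", uf)
    print("group filter:", gf)
    print("add to %s: %s" % (FILTER_GROUP, add))
    print("visible after upgrade:", visible_after_upgrade(ROLE_GROUPS, ROLE_USERS, MEMBERSHIP))
```

In this model only bob needs to be added to powervc-filter, every user that held a role remains visible, and dave, who had no role, stays hidden. If you want to check a real upgrade, compare `powervc-config identity repository` output and `openstack user list` against the role assignments you recorded before upgrading.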
This eliminates the need for manual intervention to maintain visibility for all users and groups that had roles in previous releases.

Common issues with role assignment failure for new users/groups after installing/upgrading to 1.3.2
After an install of or upgrade to 1.3.2, if a new user or group is not exposed to PowerVC by the filters, role assignment for it fails as shown below.
Role assignment to a new user will fail with an error message like "No user with a name or ID of 'user_132' exists."
When this happens, check the existing filter configuration (powervc-config identity repository) and the user and group lists (openstack user list, openstack group list) to confirm that the new user or group is not visible.
One of the easiest ways to expose the new user is to add the user as a secondary (supplementary) member of the powervc-filter group.
Another way is to include the user's name directly in the user filter, without adding the user to a group, as in the powervc-config example earlier in this article.
Authors: Archana Prabhakar, Divya K Konoor, Sourav Biswas, Matthew Edmonds

Tags: security, powervc-config, Framework, user-filter, identity, powervc, osdriver, group-filter, filter