Chapter 7. Directory Services
The Red Hat Enterprise Virtualization platform relies on directory services for user authentication and authorization. Interactions with all Manager interfaces, including the User Portal, Power User Portal, Administration Portal, and REST API are limited to authenticated, authorized users. Virtual machines within the Red Hat Enterprise Virtualization can use the same directory services to provide authentication and authorization, however they must be configured to do so. Currently the two supported providers of directory services for use with the Red Hat Enterprise Virtualization Manager are
Identity, Policy, and Audit (IPA) and Microsoft
Active Directory (AD). The Red Hat Enterprise Virtualization Manager interfaces with the directory server for:
Portal logins (User, Power User, Administrator, REST API).
Queries to display user information.
Adding the Manager to a domain.
Authentication is the verification and identification of a party who generated some data, and of the integrity of the generated data. A principal is the party whose identity is verified. The verifier is the party who demands assurance of the principal's identity. In the case of Red Hat Enterprise Virtualization, the Manager is the verifier and a user is a principal. Data integrity is the assurance that the data received is the same as the data generated by the principal.
Confidentiality and authorization are closely related to authentication. Confidentiality protects data from disclosure to those not intended to receive it. Strong authentication methods can optionally provide confidentiality. Authorization determines whether a principal is allowed to perform an operation. Red Hat Enterprise Virtualization uses directory services to associate users with roles and provide authorization accordingly. Authorization is usually performed after the principal has been authenticated, and may be based on information local or remote to the verifier.
During installation, a local, internal domain is automatically configured for administration of the Red Hat Enterprise Virtualization environment. After the installation is complete, more domains can be added.
7.1. Local Authentication: Internal Domain
The Red Hat Enterprise Virtualization Manager creates a limited, internal administration domain during installation. This domain is not the same as an AD or IPA domain, because it exists based on a key in the Red Hat Enterprise Virtualization postgres database rather than as a directory service user on a directory server. The internal domain is also different from an external domain because the internal domain will only have one user: the admin@internal
user. Taking this approach to initial authentication allows Red Hat Enterprise Virtualization to be evaluated without requiring a complete, functional directory server, and ensures an administrative account is available to troubleshoot any issues with external directory services.
The admin@internal user is for the initial configuration of an environment. This includes installing and accepting hosts, adding external AD or IPA authentication domains, and delegating permissions to users from external domains.