The root user has ful privileges of ClusterVisor and can both view and edit any part of the web interface and use any of the command line utilities. All non-root users will be presented with a read-only version of the pages where no actions can be performed on either the nodes or the data in the Configuration page. Additionally, all fields in the Configuration page with sensitive data (e.g. any usernames and passwords) are redacted on the non-root user's version to prevent any security leaks. However, ClusterVisor also has settings that can limit what pages are available to non-root users as well as elevate the privileges of other non-root users.

Hiding ClusterVisor pages

While non-root users cannot do anything actionable to any of the pages in ClusterVisor, one may want to hide some of the pages anyways. The settings to make these changes can be found under the Configuration page under the Configuration tab followed by clicking the Add / Edit button for config.permissions. From here any page can be hidden using the appropriate field. For instance, to hide the Configuration page from non-root users just select "true" from the drop-down menu for the field Hide Configuration Page.

Managing ClusterVisor admin users

To allow a non-root user to use ClusterVisor without any restrictions they can be made an admin user. The settings to make these change can be found under the Configuration page under the Configuration tab followed by clicking the Add / Edit button for config.permissions.

To make a non-root user an admin click on the Add Admin UIDs button next to the Admin UIDs field and put in the user's UID and optionally a note to help identify which user this is (e.g. their full name or user name). The user will then immediately be able to use all of the ClusterVisor command line utilities without any restrictions and the next time they log into the web interface will have the unrestricted privileges.

To remove a user's admin privileges click on their Index in the table to the right of the Admin UIDs field and click on the Delete button. The user will then immediately have the same privileges as a non-root user for all of the ClusterVisor command line utilities as well as all further actions in the web interface will be treated as being from a non-root user. However they will still be able to view (but not make any changes to) the hidden pages until their next user session.

The reason that a UID is needed here rather than a username is due to the limitations of how munge works. Munge is what ClusterVisor uses to handle its security, but it only sends the UID of the user making the request along with the GID of their default group (not every group the user is assigned to).

Managing sudoer users

While an admin user can make changes to the configuration of the cluster and use the power controls through ClusterVisor, any commands they run will still be treated as a non-root user. This is because an admin user is not a sudoer user on the nodes. However, the sudoers of the cluster can also be managed using ClusterVisor by enabling the sudoers plugin on the nodes (for more information on enabling or disabling plugins see section Node plugins of this guide). When editing the plugin fields for the sudoers plugin on a node, to have all of admin users also be sudoer uses on the node select "true" from the drop-down menu of the Use Admin UIDs field under the Full Admins tab. To manage all other sudoer users that are not also admin users, they can be managed depending on what type of sudoer they will be.

In Linux, a sudoer can either have full unrestricted access to any command and can run them as any user or group they want, or they can run only specific commands as specific user and/or group. In ClusterVisor the former are called a Full Admins and the latter are called Restricted Admins, each with their own respective tab. Since the Full Admins have no restrictions they can easily be added in or removed from the list of usernames and groups in the respective Full Sudoer Users and Full Sudoer Groups fields. However, for Restricted Admins each user or group needs to be added individually since they each can have their own limitations on what commands they can run as a given user and/or group.

Unlike other plugins, the sudoers plugin will only commit the changes made if the data generates valid syntax for the node's /etc/sudoers.d/clustervisor file, otherwise the previous version of the file will be kept. This is to ensure that the system does not end up in a state where it has a corrupt sudoers file since it could prevent all users from using sudo (which should be avoided if at all possible). So if the file is not being updated this is probably due to the fields having invalid data rather than ClusterVisor not working.