Managing HP Serviceguard A.11.20.10 for Linux, December 2012
IMPORTANT: Users on systems outside the cluster can gain Serviceguard root access
privileges to configure the cluster only via a secure connection (rsh or ssh).
• Non-root access: Other users can be assigned one of four roles:
Full Admin: Allowed to perform cluster administration, package administration, and cluster
and package view operations.
These users can administer the cluster, but cannot configure or create a cluster. Full Admin
includes the privileges of the Package Admin role.
◦
◦ (all-packages) Package Admin: Allowed to perform package administration, and use
cluster and package view commands.
These users can run and halt any package in the cluster, and change its switching
behavior, but cannot configure or create packages. Unlike single-package Package
Admin, this role is defined in the cluster configuration file. Package Admin includes the
cluster-wide privileges of the Monitor role.
◦ (single-package) Package Admin: Allowed to perform package administration for a
specified package, and use cluster and package view commands.
These users can run and halt a specified package, and change its switching behavior,
but cannot configure or create packages. This is the only access role defined in the
package configuration file; the others are defined in the cluster configuration file.
Single-package Package Admin also includes the cluster-wide privileges of the Monitor
role.
◦ Monitor: Allowed to perform cluster and package view operations.
These users have read-only access to the cluster and its packages.
IMPORTANT: A remote user (one who is not logged in to a node in the cluster, and is not
connecting via rsh or ssh) can have only Monitor access to the cluster.
(Full Admin and Package Admin can be configured for such a user, but this usage is
deprecated. As of Serviceguard A.11.18 configuring Full Admin or Package Admin for remote
users gives them Monitor capabilities. See “Setting up Access-Control Policies” (page 154) for
more information.)
5.2.8.4 Setting up Access-Control Policies
The root user on each cluster node is automatically granted the Serviceguard root access role on
all nodes. (See “Configuring Root-Level Access” (page 130) for more information.) Access-control
policies define non-root roles for other cluster users.
NOTE: For more information and advice, see the white paper Securing Serviceguard at http://
www.hp.com/go/hpux-serviceguard-docs (Select HP Serviceguard -> White Papers).
Define access-control policies for a cluster in the cluster configuration file; see “Cluster Configuration
Parameters ” (page 86). To define access control for a specific package, use user_host (page 184)
and related parameters in the package configuration file. You can define up to 200 access policies
for each cluster. A root user can create or modify access control policies while the cluster is running.
NOTE: Once nodes are configured into a cluster, the access-control policies you set in the cluster
and package configuration files govern cluster-wide security; changes to the “bootstrap”
cmclnodelist file are ignored (see “Allowing Root Access to an Unconfigured Node” (page 130)).
154 Building an HA Cluster Configuration