Managing HP Serviceguard A.11.20.10 for Linux, December 2012

Access control policies are defined by three parameters in the configuration file:
Each USER_NAME can consist either of the literal ANY_USER, or a maximum of 8 login names
from the /etc/passwd file on USER_HOST. The names must be separated by spaces or tabs,
for example:
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_HOST is the node where USER_NAME will issue Serviceguard commands.
NOTE: The commands must be issued on USER_HOST but can take effect on other nodes;
for example, patrick can use bit’s command line to start a package on gryf (assuming
bit and gryf are in the same cluster).
Choose one of these three values for USER_HOST:
ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured, and which
is on a subnet with which nodes in this cluster can communicate (as reported
by cmquerycl -w full).
NOTE: If you set USER_HOST to ANY_SERVICEGUARD_NODE, set USER_ROLE to
MONITOR; users connecting from outside the cluster cannot have any higher privileges
(unless they are connecting via rsh or ssh; this is treated as a local connection).
Depending on your network configuration, ANY_SERVICEGUARD_NODE can provide
wide-ranging read-only access to the cluster.
CLUSTER_MEMBER_NODE - any node in the cluster
A specific node name - Use the hostname portion (the first part) of a fully-qualified domain
name that can be resolved by the name service you are using; it should also be in each
node’s /etc/hosts. Do not use an IP address or the fully-qualified domain name. If
there are multiple hostnames (aliases) for an IP address, one of those must match
USER_HOST. See “Configuring Name Resolution” (page 131) for more information.
USER_ROLE must be one of these three values:
MONITOR
FULL_ADMIN
PACKAGE_ADMIN
MONITOR and FULL_ADMIN can be set only in the cluster configuration file and they apply
to the entire cluster. PACKAGE_ADMIN can be set in the cluster configuration file or a package
configuration file. If it is set in the cluster configuration file, PACKAGE_ADMIN applies to all
configured packages; if it is set in a package configuration file, it applies to that package
only. These roles are not exclusive; for example, more than one user can have the
PACKAGE_ADMIN role for the same package.
NOTE: You do not have to halt the cluster or package to configure or modify access control
policies.
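The rules above can be checked before a configuration file is applied. The following Python code is an added example, not part of this manual or of Serviceguard. It assumes each policy begins at a USER_NAME line and each parameter fits on one line; the function names and the second and third sample policies are constructed for illustration.

```python
ROLES = {"MONITOR", "FULL_ADMIN", "PACKAGE_ADMIN"}
HOST_KEYWORDS = {"ANY_SERVICEGUARD_NODE", "CLUSTER_MEMBER_NODE"}
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

# Constructed sample; the first policy is the one shown on this page.
SAMPLE = """\
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE FULL_ADMIN
USER_NAME ops
USER_HOST bit.example.com
USER_ROLE MONITOR
"""

def parse_policies(text):
    """Group parameter lines into policies (assumed to start at USER_NAME)."""
    policies = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if fields and fields[0] in KEYS:
            if fields[0] == "USER_NAME":
                policies.append({})
            if policies:
                policies[-1][fields[0]] = fields[1:]
    return policies

def check_policy(policy, package_file=False):
    """Return findings for one policy, using only the rules stated above."""
    names = policy.get("USER_NAME", [])
    host = " ".join(policy.get("USER_HOST", []))
    role = " ".join(policy.get("USER_ROLE", []))
    out = []
    if not (names and host and role):
        out.append("incomplete policy")
    if len(names) > 8 or ("ANY_USER" in names and len(names) > 1):
        out.append("USER_NAME must be ANY_USER or at most 8 login names")
    if role and role not in ROLES:
        out.append("unknown USER_ROLE")
    if host and host not in HOST_KEYWORDS and any(c in host for c in ".:"):
        out.append("USER_HOST must be a short hostname, not an IP address or FQDN")
    if host == "ANY_SERVICEGUARD_NODE" and role in ("FULL_ADMIN", "PACKAGE_ADMIN"):
        out.append("ANY_SERVICEGUARD_NODE should be paired with MONITOR only")
    if package_file and role in ("MONITOR", "FULL_ADMIN"):
        out.append(role + " can be set only in the cluster configuration file")
    return out
```

Pass package_file=True when the policies come from a package configuration file, so that MONITOR and FULL_ADMIN entries are reported.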
Here is an example of an access control policy:
USER_NAME john