Managing HP Serviceguard for Linux, Tenth Edition, September 2012

NOTE: For more information and advice, see the white paper Securing Serviceguard
at http://docs.hp.com -> High Availability -> Serviceguard ->
White Papers.
Define access-control policies for a cluster in the cluster configuration file; see “Cluster
Configuration Parameters” (page 103). To define access control for a specific package,
use user_host (page 224) and related parameters in the package configuration file.
You can define up to 200 access policies for each cluster. A root user can create or
modify access control policies while the cluster is running.
NOTE: Once nodes are configured into a cluster, the access-control policies you set in
the cluster and package configuration files govern cluster-wide security; changes to the
bootstrap cmclnodelist file are ignored (see “Allowing Root Access to an
Unconfigured Node” (page 158)).
Access control policies are defined by three parameters in the configuration file:
Each USER_NAME can consist either of the literal ANY_USER, or a maximum of 8
login names from the /etc/passwd file on USER_HOST. The names must be
separated by spaces or tabs, for example:
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_HOST is the node where USER_NAME will issue Serviceguard commands.
NOTE: The commands must be issued on USER_HOST but can take effect on other
nodes; for example patrick can use bit’s command line to start a package on
gryf (assuming bit and gryf are in the same cluster).
Choose one of these three values for USER_HOST:
ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured,
and which is on a subnet with which nodes in this cluster can communicate (as
reported by cmquerycl -w full).
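
The limits stated above (ANY_USER or at most 8 login names per policy, up to 200 policies per cluster) can be checked before a configuration file is applied. The following is an added example, not part of the HP manual or of Serviceguard; the function names and the sample input are constructed, and it assumes each policy begins with its USER_NAME line, as in Policy 1 above:

```python
MAX_NAMES = 8        # page: at most 8 login names per USER_NAME
MAX_POLICIES = 200   # page: up to 200 access policies per cluster
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

# Constructed sample: policy 2 has nine names; policy 3 mixes ANY_USER with a name, lacks USER_ROLE.
SAMPLE = """\
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME u1 u2 u3 u4 u5 u6 u7 u8 u9
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE PACKAGE_ADMIN
# Policy 3:
USER_NAME ANY_USER fred
USER_HOST bit
"""

def parse_policies(text):
    """Group the three parameters into policies (assumption: USER_NAME starts each one)."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments; split on spaces or tabs
        if not fields or fields[0] not in KEYS:
            continue
        if fields[0] == "USER_NAME" or not policies:
            policies.append({"line": lineno})
        policies[-1][fields[0]] = fields[1:]
    return policies

def audit(text):
    """Return findings as (line of the policy, message) tuples; line 0 means file-wide."""
    policies = parse_policies(text)
    findings = []
    if len(policies) > MAX_POLICIES:
        findings.append((0, f"{len(policies)} policies, limit is {MAX_POLICIES}"))
    for p in policies:
        names = p.get("USER_NAME", [])
        findings += [(p["line"], f"{k} missing or empty") for k in KEYS if not p.get(k)]
        if "ANY_USER" in names and len(names) > 1:
            findings.append((p["line"], "ANY_USER mixed with login names"))
        elif len(names) > MAX_NAMES:
            findings.append((p["line"], f"{len(names)} login names, limit is {MAX_NAMES}"))
        if names == ["ANY_USER"] and p.get("USER_HOST") == ["ANY_SERVICEGUARD_NODE"]:
            findings.append((p["line"], "wildcard user and wildcard host; confirm the role"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```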