Managing HP Serviceguard A.11.20.10 for Linux, December 2012

ManualsBrandsHP ManualsSoftwareHP Serviceguard for Linux RH AS ProLiant Cluster

151

152

153

154

155

156

157

158

159

160

USER_HOST bit

USER_ROLE PACKAGE_ADMIN

If this policy is defined in the cluster configuration file, it grants user john the PACKAGE_ADMIN

role for any package on node bit. User john also has the MONITOR role for the entire cluster,

because PACKAGE_ADMIN includes MONITOR. If the policy is defined in the package configuration

file for PackageA, then user john on node bit has the PACKAGE_ADMIN role only for PackageA.

Plan the cluster’s roles and validate them as soon as possible. If your organization’s security policies

allow it, you may find it easiest to create group logins. For example, you could create a MONITOR

role for user operator1 from CLUSTER_MEMBER_NODE (that is, from any node in the cluster).

Then you could give this login name and password to everyone who will need to monitor your

clusters.

5.2.8.4.1 Role Conflicts

Do not configure different roles for the same user and host; Serviceguard treats this as a conflict

and will fail with an error when applying the configuration. “Wildcards”, such as ANY_USER and

ANY_SERVICEGUARD_NODE, are an exception: it is acceptable for ANY_USER and john to be

given different roles.

IMPORTANT: Wildcards do not degrade higher-level roles that have been granted to individual

members of the class specified by the wildcard. For example, you might set up the following policy

to allow root users on remote systems access to the cluster:

USER_NAME root

USER_HOST ANY_SERVICEGUARD_NODE

USER_ROLE MONITOR

This does not reduce the access level of users who are logged in as root on nodes in this cluster;

they will always have full Serviceguard root-access capabilities.

Consider what would happen if these entries were in the cluster configuration file:

# Policy 1:

USER_NAME john

USER_HOST bit

USER_ROLE PACKAGE_ADMIN

# Policy 2:

USER_NAME john

USER_HOST bit

USER_ROLE MONITOR

# Policy 3:

USER_NAME ANY_USER

USER_HOST ANY_SERVICEGUARD_NODE

USER_ROLE MONITOR

In the above example, the configuration would fail because user john is assigned two roles. (In

any case, Policy 2 is unnecessary, because PACKAGE_ADMIN includes the role of MONITOR).

Policy 3 does not conflict with any other policies, even though the wildcard ANY_USER includes

the individual user john.

NOTE: Check spelling especially carefully when typing wildcards, such as ANY_USER and

ANY_SERVICEGUARD_NODE. If they are misspelled, Serviceguard will assume they are specific

users or nodes.

156 Building an HA Cluster Configuration