Managing HP Serviceguard for Linux, Eighth Edition, March 2008

Building an HA Cluster Configuration
Configuring the Cluster
Chapter 5
MONITOR and FULL_ADMIN can be set only in the cluster configuration
file and they apply to the entire cluster. PACKAGE_ADMIN can be set in
the cluster configuration file or a package configuration file. If it is
set in the cluster configuration file, PACKAGE_ADMIN applies to all
configured packages; if it is set in a package configuration file, it
applies to that package only. These roles are not exclusive; for
example, more than one user can have the PACKAGE_ADMIN role for
the same package.
NOTE: You do not have to halt the cluster or package to configure or modify
access control policies.
Here is an example of an access control policy:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the cluster configuration file, it grants user
john the PACKAGE_ADMIN role for any package on node bit. User john
also has the MONITOR role for the entire cluster, because PACKAGE_ADMIN
includes MONITOR.
If the policy is defined in the package configuration file for PackageA,
then user john on node bit has the PACKAGE_ADMIN role only for
PackageA.
Plan the cluster’s roles and validate them as soon as possible. If your
organization’s security policies allow it, you may find it easiest to create
group logins. For example, you could create a MONITOR role for user
operator1 from CLUSTER_MEMBER_NODE (that is, from any node in the
cluster). Then you could give this login name and password to everyone
who will need to monitor your clusters.
Role Conflicts
Do not configure different roles for the same user and
host; Serviceguard treats this as a conflict and will fail with an error
when applying the configuration. “Wildcards”, such as ANY_USER and
ANY_SERVICEGUARD_NODE, are an exception: it is acceptable for ANY_USER
and john to be given different roles.
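The scope and conflict rules above can be checked before a configuration is applied. The following Python check is an added example, not part of the Serviceguard manual or product. It assumes that # starts a comment and that user and host names are compared literally, so a wildcard entry never collides with a named one; the policy text in SAMPLE is constructed.

```python
# Added example, not Serviceguard code. Keyword and role names are taken from
# the text above; "#" comments and literal matching are assumptions.
ROLES = {"MONITOR", "PACKAGE_ADMIN", "FULL_ADMIN"}
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Return (user, host, role) triplets in file order."""
    policies, current = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments
        if not parts or parts[0] not in KEYS:
            continue  # blank line or an unrelated configuration parameter
        if len(parts) != 2 or parts[0] in current:
            raise ValueError(f"malformed policy near: {raw!r}")
        current[parts[0]] = parts[1].strip()
        if len(current) == 3:
            policies.append(tuple(current[k] for k in KEYS))
            current = {}
    if current:
        raise ValueError(f"incomplete policy at end of input: {current}")
    return policies

def lint(text, scope="cluster"):
    """scope says which kind of file the text is from: 'cluster' or 'package'."""
    findings, seen = [], {}
    for user, host, role in parse_policies(text):
        who = f"{user}@{host}"
        if role not in ROLES:
            findings.append(f"unknown role {role} for {who}")
        elif scope == "package" and role != "PACKAGE_ADMIN":
            findings.append(f"{role} for {who} is only valid in the cluster file")
        # Keys are literal, so ANY_USER and john are tracked separately.
        previous = seen.setdefault((user, host), role)
        if previous != role:
            findings.append(f"conflict: {who} has {previous} and {role}")
    return findings

SAMPLE = """\
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME john            # second role for the same user and host
USER_HOST bit
USER_ROLE MONITOR
USER_NAME ANY_USER        # wildcard entry, does not collide with john
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""
```

Calling lint(SAMPLE) reports the second john policy as a conflict and leaves the ANY_USER policy alone; passing scope="package" also flags every role other than PACKAGE_ADMIN.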