Managing HP Serviceguard for Linux, Eighth Edition, March 2008

Building an HA Cluster Configuration
Configuring the Cluster
IMPORTANT Wildcards do not degrade higher-level roles that have been granted to
individual members of the class specified by the wildcard. For example,
you might set up the following policy to allow root users on remote
systems access to the cluster:

    USER_NAME root
    USER_HOST ANY_SERVICEGUARD_NODE
    USER_ROLE MONITOR

This does not reduce the access level of users who are logged in as root on
nodes in this cluster; they will always have full Serviceguard root-access
capabilities.

Consider what would happen if these entries were in the cluster
configuration file:

    # Policy 1:
    USER_NAME john
    USER_HOST bit
    USER_ROLE PACKAGE_ADMIN

    # Policy 2:
    USER_NAME john
    USER_HOST bit
    USER_ROLE MONITOR

    # Policy 3:
    USER_NAME ANY_USER
    USER_HOST ANY_SERVICEGUARD_NODE
    USER_ROLE MONITOR

In the above example, the configuration would fail because user john is
assigned two roles. (In any case, Policy 2 is unnecessary, because
PACKAGE_ADMIN includes the role of MONITOR.)

Policy 3 does not conflict with any other policies, even though the
wildcard ANY_USER includes the individual user john.

NOTE Check spelling especially carefully when typing wildcards, such as
ANY_USER and ANY_SERVICEGUARD_NODE. If they are misspelled,
Serviceguard will assume they are specific users or nodes.
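
The two failure modes above (one user given two roles, and a wildcard typed wrong) can be caught before the file is applied. The following pre-check is an added example, not part of the HP manual or of Serviceguard: the function names, the 0.8 similarity threshold, and the assumption that USER_ROLE is the last line of each policy are this example's own, and it knows only the two wildcards named on this page.

```python
import difflib

# Wildcards named on the page; any other value is taken as a literal user or node.
WILDCARDS = {"USER_NAME": "ANY_USER", "USER_HOST": "ANY_SERVICEGUARD_NODE"}
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

# Policies 1-3 are the page's example; the fourth entry is a constructed typo.
SAMPLE = """\
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
USER_NAME ANY_USR
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""

def parse_policies(text):
    """Collect USER_NAME / USER_HOST / USER_ROLE triples in file order."""
    policies, current = [], {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split keyword/value
        if len(fields) != 2 or fields[0] not in KEYS:
            continue
        current[fields[0]] = fields[1]
        if fields[0] == "USER_ROLE":            # assumption: the role closes a policy
            policies.append(current)
            current = {}
    return policies

def lint(text):
    """Return (kind, subject, detail) findings for the policies in text."""
    findings, seen = [], {}
    for p in parse_policies(text):
        for key, wildcard in WILDCARDS.items():
            value = p.get(key, "")
            score = difflib.SequenceMatcher(None, value.upper(), wildcard).ratio()
            if value != wildcard and score >= 0.8:   # near miss: read as a literal name
                findings.append(("misspelled-wildcard?", value, wildcard))
        who = (p.get("USER_NAME"), p.get("USER_HOST"))
        if seen.setdefault(who, p["USER_ROLE"]) != p["USER_ROLE"]:
            findings.append(("conflicting-roles", who, (seen[who], p["USER_ROLE"])))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Policy 3 produces no finding, which matches the manual's statement that the ANY_USER wildcard does not conflict with the individual entry for john.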