Managing HP Serviceguard for Linux, Seventh Edition, July 2007

Building an HA Cluster Configuration
Preparing Your Systems
NOTE: You do not have to halt the cluster or package to configure or modify
access control policies.
Here is an example of an access control policy:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the package configuration for PackageA, then
user john from node bit has the PACKAGE_ADMIN role only for PackageA.
User john also has the MONITOR role for the entire cluster.
You cannot configure specific roles that overlap. For example, user john
cannot be explicitly given two roles; if you try, Serviceguard fails to
apply the configuration and reports an error. It is acceptable for
ANY_USER and john to be given different roles.
For example, consider what would happen if these entries were in the
cluster configuration file:
# Policy 1
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
# Policy 3
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
In the above example, the configuration will fail because user john is
assigned two roles. Policy 2 is also redundant because PACKAGE_ADMIN
already includes the role MONITOR.
Policy 3 does not conflict with either policy even though ANY_USER on
ANY_SERVICEGUARD_NODE includes user john.
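
A check for the overlap rule described above that can be run before applying a configuration. This is an added example, not part of the Serviceguard manual or HP's tooling. It assumes that USER_ROLE is the last entry of each policy and that "overlap" means the same USER_NAME and USER_HOST pair; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed input: the three policies from the example above.
SAMPLE = """
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""
# Role inclusion stated on this page: PACKAGE_ADMIN already includes MONITOR.
INCLUDES = {"PACKAGE_ADMIN": {"MONITOR"}}
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Return (user, host, role) triples; assumes USER_ROLE ends each policy."""
    policies, current = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue  # blank line or comment
        if len(parts) != 2 or parts[0] not in KEYS or parts[0] in current:
            raise ValueError(f"line {lineno}: unexpected entry {raw!r}")
        current[parts[0]] = parts[1]
        if parts[0] == "USER_ROLE":
            if len(current) != 3:
                raise ValueError(f"line {lineno}: incomplete policy")
            policies.append(tuple(current[k] for k in KEYS))
            current = {}
    if current:
        raise ValueError("incomplete policy at end of input")
    return policies

def find_overlaps(policies):
    """Flag each exact (user, host) pair that is explicitly given two or more roles."""
    roles = defaultdict(list)
    for user, host, role in policies:
        roles[(user, host)].append(role)
    findings = {}
    for who, given in roles.items():
        if len(given) > 1:
            # A role is redundant if another role given to the same pair includes it.
            redundant = [r for r in given if any(r in INCLUDES.get(o, ()) for o in given)]
            findings[who] = {"roles": given, "redundant": redundant}
    return findings
```

Calling find_overlaps(parse_policies(SAMPLE)) reports only the pair (john, bit); the ANY_USER policy is not flagged, matching the behavior described for Policy 3.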