Managing HP Serviceguard for Linux, Sixth Edition, August 2006

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
Though hostsequiv allows defining any user on any node as equivalent
to root, Serviceguard will not grant root access to any user who is not
root on the remote node. Such a configuration would grant non-root
access to that user.
Setting Access Controls for a Configured Cluster
Once nodes are configured in a cluster, different cluster-wide security
mechanisms are used. Changes to the cmclnodelist file and hostsequiv
are ignored. Root users within the cluster are automatically granted root
access. All other users may be optionally authorized for non-root roles.
Root access cannot be given to root users on nodes outside the cluster.
Access control policies for a configured cluster are defined in the ASCII
cluster configuration file. Access control policies for a specific package
are defined in the package configuration file. Any combination of hosts
and users may be assigned roles for the cluster. You can have up to 200
access policies defined for a cluster.
Access policies are defined by three parameters in the configuration file:
USER_NAME can either be ANY_USER, or a maximum of 8 login names
from the /etc/passwd file on the user host.
USER_HOST is where the user can issue Serviceguard commands. If
using Serviceguard Manager, it is the COM server. Choose one of
these three values: ANY_SERVICEGUARD_NODE, or (any)
CLUSTER_MEMBER_NODE, or a specific node. For a node, use the official
hostname from the domain name server, and not an IP address or fully
qualified domain name.
USER_ROLE must be one of these three values: MONITOR,
PACKAGE_ADMIN, or FULL_ADMIN.
NOTE: MONITOR and FULL_ADMIN can only be set in the cluster configuration file
and they apply to the entire cluster. PACKAGE_ADMIN can be set in the
cluster or a package configuration file. If set in the cluster configuration
file, PACKAGE_ADMIN applies to all configured packages. If set in a
package configuration file, PACKAGE_ADMIN applies to that package only.
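
The rules above can be checked before a configuration file is applied. The following linter is an added example, not code from the manual or from Serviceguard; it assumes each policy is written as USER_NAME, USER_HOST and USER_ROLE keyword lines in that order, with space-separated login names and "#" comments, and the sample policies are constructed.

```python
ROLES = {"MONITOR", "PACKAGE_ADMIN", "FULL_ADMIN"}
HOST_KEYWORDS = {"ANY_SERVICEGUARD_NODE", "CLUSTER_MEMBER_NODE"}
MAX_POLICIES, MAX_NAMES = 200, 8
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

SAMPLE = """# constructed sample policies, not taken from the manual
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
USER_NAME alice bob
USER_HOST node1.example.com
USER_ROLE PACKAGE_ADMIN
USER_NAME carol
USER_HOST node2
USER_ROLE FULL_ADMIN
"""

def parse_policies(text):
    """Group keyword lines into policies; each USER_NAME line starts a new one."""
    policies, current = [], {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields or fields[0] not in KEYS:
            continue                             # unrelated cluster/package parameter
        if fields[0] == "USER_NAME" and current:
            policies.append(current)
            current = {}
        current[fields[0]] = fields[1:]
    return policies + ([current] if current else [])

def lint(text, package_file=False):
    """Return findings for the rules stated above; an empty list means none."""
    policies, findings = parse_policies(text), []
    if len(policies) > MAX_POLICIES:
        findings.append(f"{len(policies)} policies exceed the limit of {MAX_POLICIES}")
    for n, p in enumerate(policies, 1):
        names, host, role = (p.get(k, []) for k in KEYS)
        if not names or len(host) != 1 or len(role) != 1:
            findings.append(f"policy {n}: needs USER_NAME, one USER_HOST, one USER_ROLE")
            continue
        if len(names) > MAX_NAMES or ("ANY_USER" in names and len(names) > 1):
            findings.append(f"policy {n}: USER_NAME must be ANY_USER or at most 8 logins")
        if host[0] not in HOST_KEYWORDS and ("." in host[0] or ":" in host[0]):
            findings.append(f"policy {n}: USER_HOST {host[0]} is an IP address or FQDN")
        if role[0] not in ROLES:
            findings.append(f"policy {n}: unknown USER_ROLE {role[0]}")
        elif package_file and role[0] != "PACKAGE_ADMIN":
            findings.append(f"policy {n}: {role[0]} is only valid in the cluster file")
    return findings
```

Calling lint(SAMPLE) treats the text as a cluster configuration file; passing package_file=True applies the restriction that only PACKAGE_ADMIN may appear in a package configuration file.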