NOTE: For more information and advice, see the white paper Securing Serviceguard at http:// www.hp.com/go/hpux-serviceguard-docs.

Define access-control policies for a cluster in the cluster configuration file; see “Cluster Configuration Parameters ” (page 109). You can define up to 200 access policies for each cluster. A root user can create or modify access control policies while the cluster is running.

Define policies for a specific package in the package configuration file; see the entries for user_name and related package-configuration parameters (page 253).

NOTE: Once nodes are configured into a cluster, the access-control policies you set in the cluster and package configuration files govern cluster-wide security; changes to the “bootstrap” cmclnodelist file are ignored (see “Allowing Root Access to an Unconfigured Node” (page 166)).

Access control policies are defined by three parameters in the configuration file:

Each USER_NAME can consist either of the literal ANY_USER, or a maximum of 8 login names from the /etc/passwd file on USER_HOST. The names must be separated by spaces or tabs, for example:

# Policy 1:

USER_NAME john fred patrick USER_HOST bit

USER_ROLE PACKAGE_ADMIN

USER_HOST is the node where USER_NAME will issue Serviceguard commands.

NOTE: The commands must be issued onUSER_HOST but can take effect on other nodes; for example patrick can use bit’s command line to start a package on gryf.

Choose one of these three values for USER_HOST:

ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured, and which is on a subnet with which nodes in this cluster can communicate (as reported bycmquerycl -w full).

NOTE: If you set USER_HOST to ANY_SERVICEGUARD_NODE, set USER_ROLE to

MONITOR; users connecting from outside the cluster cannot have any higher privileges (unless they are connecting via rsh or ssh; this is treated as a local connection).

Depending on your network configuration, ANY_SERVICEGUARD_NODE can provide wide-ranging read-only access to the cluster.

CLUSTER_MEMBER_NODE - any node in the cluster

A specific node name - Use the hostname portion (the first of four parts) of a fully-qualified domain name that can be resolved by the name service you are using; it should also be in each node’s /etc/hosts. Do not use an IP addresses or the fully-qualified domain name. If there are multiple hostnames (aliases) for an IP address, one of those must match USER_HOST. See “Configuring Name Resolution” (page 168) for more information.

USER_ROLE must be one of these three values:

MONITOR

FULL_ADMIN

PACKAGE_ADMIN

MONITOR and FULL_ADMIN can be set only in the cluster configuration file and they apply to the entire cluster. PACKAGE_ADMIN can be set in the cluster configuration file or a package configuration file. If it is set in the cluster configuration file, PACKAGE_ADMIN applies to all configured packages; if it is set in a package configuration file, it applies to that package

Configuring the Cluster 195

Page 194 Page 196
Page 195
Image 195
HP Serviceguard manual Userrole must be one of these three values, Monitor Fulladmin Packageadmin
Page 194 Page 196
Top Page Image Contents