Managing HP Serviceguard for Linux, Tenth Edition, September 2012
NOTE: If you set USER_HOST to ANY_SERVICEGUARD_NODE, set USER_ROLE
to MONITOR; users connecting from outside the cluster cannot have any higher
privileges (unless they are connecting via rsh or ssh; this is treated as a local
connection).
Depending on your network configuration, ANY_SERVICEGUARD_NODE can
provide wide-ranging read-only access to the cluster.
◦ CLUSTER_MEMBER_NODE - any node in the cluster
◦ A specific node name - Use the hostname portion (the first part) of a fully-qualified
domain name that can be resolved by the name service you are using; it should
also be in each node’s /etc/hosts. Do not use an IP address or the
fully-qualified domain name. If there are multiple hostnames (aliases) for an IP
address, one of those must match USER_HOST. See “Configuring Name
Resolution” (page 159) for more information.
• USER_ROLE must be one of these three values:
◦ MONITOR
◦ FULL_ADMIN
◦ PACKAGE_ADMIN
MONITOR and FULL_ADMIN can be set only in the cluster configuration file and
they apply to the entire cluster. PACKAGE_ADMIN can be set in the cluster
configuration file or a package configuration file. If it is set in the cluster configuration
file, PACKAGE_ADMIN applies to all configured packages; if it is set in a package
configuration file, it applies to that package only. These roles are not exclusive; for
example, more than one user can have the PACKAGE_ADMIN role for the same
package.
NOTE: You do not have to halt the cluster or package to configure or modify access
control policies.
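The USER_HOST and USER_ROLE rules above can be checked mechanically before a configuration file is applied. The following is an added example, not code from the manual or from HP; the function names, the treatment of '#' as a comment marker, the one-value-per-keyword layout and the package_file flag (the caller says which kind of file is being checked) are assumptions of this sketch.

```python
import ipaddress

ROLES = {"MONITOR", "FULL_ADMIN", "PACKAGE_ADMIN"}
HOST_KEYWORDS = {"ANY_SERVICEGUARD_NODE", "CLUSTER_MEMBER_NODE"}

def parse_policies(text):
    """Group USER_NAME / USER_HOST / USER_ROLE lines into policy dicts."""
    policies = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # assumption: '#' starts a comment
        if not parts:
            continue
        if parts[0] == "USER_NAME":
            policies.append({})                      # each USER_NAME opens a new policy
        if parts[0] in ("USER_NAME", "USER_HOST", "USER_ROLE") and policies:
            policies[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return policies

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def lint(text, package_file=False):
    """Return (user, message) findings for the rules stated in the text above."""
    findings = []
    for p in parse_policies(text):
        user, host, role = (p.get(k, "") for k in ("USER_NAME", "USER_HOST", "USER_ROLE"))
        if role not in ROLES:
            findings.append((user, f"USER_ROLE {role!r} is not one of the three allowed values"))
        if host == "ANY_SERVICEGUARD_NODE" and role != "MONITOR":
            findings.append((user, "ANY_SERVICEGUARD_NODE should be paired with MONITOR"))
        if host not in HOST_KEYWORDS and (is_ip(host) or "." in host):
            findings.append((user, f"USER_HOST {host!r} must be a short hostname, not an IP or FQDN"))
        if package_file and role in ("MONITOR", "FULL_ADMIN"):
            findings.append((user, f"{role} can be set only in the cluster configuration file"))
    return findings

# Sample input for this example; the alice and bob entries are constructed.
SAMPLE = ("USER_NAME john\nUSER_HOST bit\nUSER_ROLE PACKAGE_ADMIN\n"
          "USER_NAME alice\nUSER_HOST ANY_SERVICEGUARD_NODE\nUSER_ROLE FULL_ADMIN\n"
          "USER_NAME bob\nUSER_HOST node1.example.com\nUSER_ROLE MONITOR\n")

if __name__ == "__main__":
    for user, msg in lint(SAMPLE):
        print(f"{user}: {msg}")
```

Calling lint with package_file=True additionally reports MONITOR and FULL_ADMIN entries, which apply to the entire cluster and so do not belong in a package configuration file.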
Here is an example of an access control policy:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the cluster configuration file, it grants user john the
PACKAGE_ADMIN role for any package on node bit. User john also has the MONITOR
role for the entire cluster, because PACKAGE_ADMIN includes MONITOR. If the policy is
190 Building an HA Cluster Configuration