Managing Serviceguard 12th Edition, March 2006
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5, page 196
Using Equivalent Hosts
For installations that wish to use hostsequiv, the primary IP addresses
or hostnames for each node in the cluster need to be authorized. For
more information on using hostsequiv, see man hosts.equiv(4) or the
HP-UX guide, Managing Systems and Workgroups, posted at
http://docs.hp.com.
Though hostsequiv allows defining any user on any node as equivalent to
root, Serviceguard will not grant root access to any user who is not root
on the remote node. Such a configuration would grant non-root access to
that user.
Setting Access Controls for a Configured Cluster
Once nodes are configured in a cluster, different cluster-wide security
mechanisms are used. Changes to cmclnodelist and hostsequiv are
ignored. Root users within the cluster are automatically granted root
access. All other users can be authorized for non-root roles.
NOTE: Root access cannot be given to root users on nodes outside the cluster.
Access control policies for a configured cluster are defined in the ASCII
cluster configuration file. Access control policies for a specific package
are defined in the package configuration file. Any combination of hosts
and users may be assigned roles for the cluster. You can have up to 200
access policies defined for a cluster.
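The following checker is an added example, not code from the HP manual. It reads the access-policy entries of a cluster configuration file and applies the limits this section gives: at most 200 policies, at most 8 login names per USER_NAME, and USER_HOST as a hostname rather than an IP address or fully qualified name. The sample file, the "KEYWORD value" line layout and the function names are assumptions made for illustration.

```python
MAX_POLICIES, MAX_NAMES = 200, 8          # limits stated in this section
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

# Constructed sample. Assumed layout: "KEYWORD value ..." lines, '#' comments,
# each policy starting at its USER_NAME line. Role values are not validated.
SAMPLE = """\
USER_NAME alice bob
USER_HOST CLUSTER_MEMBER_NODE
USER_ROLE MONITOR
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
USER_NAME carol
USER_HOST 10.1.2.3      # IP address instead of a hostname
USER_ROLE MONITOR
USER_NAME u1 u2 u3 u4 u5 u6 u7 u8 u9
USER_HOST node1.example.com
"""

def parse_policies(text):
    """Group the three access-policy keywords into one dict per policy."""
    policies = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in KEYS:
            continue
        if fields[0] == "USER_NAME" or not policies:
            policies.append({})
        policies[-1][fields[0]] = fields[1:]
    return policies

def audit(text):
    """Return (policy_number, finding) tuples; policy 0 means the whole file."""
    policies, out = parse_policies(text), []
    if len(policies) > MAX_POLICIES:
        out.append((0, f"more than {MAX_POLICIES} access policies"))
    for n, p in enumerate(policies, 1):
        names, host = p.get("USER_NAME", []), " ".join(p.get("USER_HOST", []))
        out += [(n, f"missing {k}") for k in KEYS if not p.get(k)]
        if len(names) > MAX_NAMES:
            out.append((n, f"more than {MAX_NAMES} login names"))
        if "." in host or ":" in host:    # dotted or colon form: IP or FQDN
            out.append((n, "USER_HOST is an IP address or fully qualified name"))
        if names == ["ANY_USER"] and host == "ANY_SERVICEGUARD_NODE":
            out.append((n, "review: any user on any node on the subnet"))
    return out
```

Running `audit(SAMPLE)` reports the second policy as the widest possible grant, the third for its IP address, and the fourth for a missing USER_ROLE, nine login names and a fully qualified host name.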
Access policies are defined by three parameters in the configuration file:
• USER_NAME can be either ANY_USER or a maximum of 8 login names
from the /etc/passwd file on the user host.
• USER_HOST is the node where USER_NAME will issue Serviceguard
commands. If using Serviceguard Manager, it is the COM server.
Choose one of these three values:
— ANY_SERVICEGUARD_NODE - any node on the subnet
— CLUSTER_MEMBER_NODE - any node in the cluster
— A specific node name - use the official hostname from the domain
name server, not an IP address or fully qualified name.
• USER_ROLE must be one of these three values: