Managing Serviceguard 14th Edition, June 2007
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5 209
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
In the above example, the configuration would fail because user john is
assigned two roles. (In any case, Policy 2 is unnecessary, because
PACKAGE_ADMIN includes the role of MONITOR.)
Policy 3 does not conflict with any other policies, even though the
wildcard ANY_USER includes the individual user john.
NOTE: Be careful when granting access to ANY_SERVICEGUARD_NODE. This
allows access from any node on the subnet.
Plan the cluster’s roles and validate them as soon as possible. If your
organization’s security policies allow it, you may find it easiest to create
group logins. For example, you could create a MONITOR role for user
operator1 from ANY_CLUSTER_NODE. Then you could give this login
name and password to everyone who will need to monitor your clusters.
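The conflict rule and the ANY_SERVICEGUARD_NODE caution above can be checked over the access-control entries before a configuration is applied. This is an added example, not code from the Serviceguard manual or from HP; the host name node1, the contents of Policies 1 and 2, and keying conflicts on the USER_NAME/USER_HOST pair are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of access-control entries from a cluster configuration
# file. Host "node1" and Policies 1 and 2 are assumptions; only Policy 3
# appears in full on this page.
SAMPLE = """\
# Policy 1
USER_NAME john
USER_HOST node1
USER_ROLE PACKAGE_ADMIN
# Policy 2
USER_NAME john
USER_HOST node1
USER_ROLE MONITOR
# Policy 3
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""

def parse_policies(text):
    """Return (user, host, role) triplets; assumes USER_ROLE ends each entry."""
    policies, current = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = re.match(r"(USER_NAME|USER_HOST|USER_ROLE)\s+(\S+)$", line)
        if not m:
            continue
        current[m.group(1)] = m.group(2)
        if m.group(1) == "USER_ROLE":         # entry complete, start a new one
            policies.append((current.get("USER_NAME"), current.get("USER_HOST"), m.group(2)))
            current = {}
    return policies

def check_policies(policies):
    """Return (conflicts, warnings): multi-role users and any-node grants."""
    roles, warnings = defaultdict(set), []
    for user, host, role in policies:
        if user != "ANY_USER":                # the wildcard never conflicts with a named user
            roles[(user, host)].add(role)
        if host == "ANY_SERVICEGUARD_NODE":   # reachable from any node on the subnet
            warnings.append((user, role))
    conflicts = {k: sorted(v) for k, v in roles.items() if len(v) > 1}
    return conflicts, warnings

if __name__ == "__main__":
    print(check_policies(parse_policies(SAMPLE)))
```

On the sample, john on node1 is reported as a conflict (MONITOR and PACKAGE_ADMIN), and the ANY_USER grant from ANY_SERVICEGUARD_NODE is listed for review rather than treated as an error.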
Defining Name Resolution Services
When you employ any user-level Serviceguard command (including
cmviewcl), the command uses name lookup to obtain the addresses of all
the cluster nodes. If name services (such as DNS) are not available, the
command could hang or return an unexpected networking error message.
NOTE: If such a hang or error occurs, Serviceguard and all protected
applications will continue working even though the command you issued
does not. That is, only the Serviceguard configuration commands (and
corresponding Serviceguard Manager functions) are affected, not the
cluster daemon or package services.
To avoid this problem, configure all cluster nodes to use the /etc/hosts
file in addition to DNS or NIS. This also allows Serviceguard to continue
functioning fully following a primary LAN failure. See “Safeguarding
against Loss of Name Resolution Services” on page 210 for more
information.