Managing Serviceguard Fifteenth Edition, reprinted May 2008
Building an HA Cluster Configuration
Configuring the Cluster
set in the cluster configuration file, PACKAGE_ADMIN applies to all
configured packages; if it is set in a package configuration file, it
applies to that package only. These roles are not exclusive; for
example, you can configure more than one PACKAGE_ADMIN for the
same package.

NOTE: You do not have to halt the cluster or package to configure or modify
access control policies.

Here is an example of an access control policy:

    USER_NAME john
    USER_HOST bit
    USER_ROLE PACKAGE_ADMIN

If this policy is defined in the cluster configuration file, it grants user
john the PACKAGE_ADMIN role for any package on node bit. User john
also has the MONITOR role for the entire cluster, because PACKAGE_ADMIN
includes MONITOR.
If the policy is defined in the package configuration file for PackageA,
then user john on node bit has the PACKAGE_ADMIN role only for
PackageA.
Plan the cluster’s roles and validate them as soon as possible. If your
organization’s security policies allow it, you may find it easiest to create
group logins. For example, you could create a MONITOR role for user
operator1 from ANY_CLUSTER_NODE. Then you could give this login
name and password to everyone who will need to monitor your clusters.
Role Conflicts

Do not configure different roles for the same user and
host; Serviceguard treats this as a conflict and will fail with an error
when applying the configuration. “Wildcards”, such as ANY_USER and
ANY_SERVICEGUARD_NODE, are an exception: it is acceptable for ANY_USER
and john to be given different roles.
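
The role-conflict rule above can be checked before a configuration is applied. The following is an added example, not part of the original manual and not Serviceguard's own validation code: it parses access control policy triplets and reports any user and host pair that is given more than one role. It assumes one keyword and value per line, `#` comments, and that wildcards are compared as written rather than expanded; the sample input is constructed.

```python
# Added example: lint USER_NAME/USER_HOST/USER_ROLE policies for role conflicts.
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Return a list of (user, host, role) tuples found in configuration text."""
    policies, current = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        parts = line.split(None, 1)
        if not parts or parts[0] not in KEYS:
            continue                             # blank line or unrelated parameter
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: {parts[0]} has no value")
        if parts[0] in current:
            raise ValueError(f"line {lineno}: {parts[0]} repeated in one policy")
        current[parts[0]] = parts[1]
        if len(current) == 3:                    # a policy is one complete triplet
            host, role = current["USER_HOST"], current["USER_ROLE"]
            # Assumption: several names on one USER_NAME line are separate users.
            for user in current["USER_NAME"].split():
                policies.append((user, host, role))
            current = {}
    if current:
        raise ValueError("incomplete policy: only " + ", ".join(sorted(current)))
    return policies

def find_role_conflicts(policies):
    """Return {(user, host): sorted roles} for pairs given more than one role.

    Pairs are compared as written, so ANY_USER never collides with john
    (the wildcard exception). Flagging two identical wildcard pairs with
    different roles is this example's assumption.
    """
    roles = {}
    for user, host, role in policies:
        roles.setdefault((user, host), set()).add(role)
    return {pair: sorted(r) for pair, r in roles.items() if len(r) > 1}

# Constructed sample: john on bit is given two different roles.
SAMPLE = """\
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME ANY_USER               # wildcard entry, not a conflict with john
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
"""

if __name__ == "__main__":
    for (user, host), roles in find_role_conflicts(parse_policies(SAMPLE)).items():
        print(f"conflict: {user}@{host} has roles {', '.join(roles)}")
```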