Managing Serviceguard Nineteenth Edition, Reprinted June 2011
NOTE: For more information and advice, see the white paper Securing Serviceguard at
http://www.hp.com/go/hpux-serviceguard-docs.
Define access-control policies for a cluster in the cluster configuration file; see “Cluster Configuration
Parameters” (page 105). You can define up to 200 access policies for each cluster. A root user
can create or modify access control policies while the cluster is running.
Define policies for a specific package in the package configuration file; see the entries for
user_name and related package-configuration parameters (page 240).
NOTE: Once nodes are configured into a cluster, the access-control policies you set in the cluster
and package configuration files govern cluster-wide security; changes to the “bootstrap”
cmclnodelist file are ignored (see “Allowing Root Access to an Unconfigured Node” (page 157)).
Access control policies are defined by three parameters in the configuration file:
• Each USER_NAME can consist either of the literal ANY_USER, or a maximum of 8 login names
from the /etc/passwd file on USER_HOST. The names must be separated by spaces or tabs,
for example:
# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
• USER_HOST is the node where USER_NAME will issue Serviceguard commands.
NOTE: The commands must be issued on USER_HOST but can take effect on other nodes;
for example patrick can use bit’s command line to start a package on gryf.
Choose one of these three values for USER_HOST:
◦ ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured, and which
is on a subnet with which nodes in this cluster can communicate (as reported
by cmquerycl -w full).
NOTE: If you set USER_HOST to ANY_SERVICEGUARD_NODE, set USER_ROLE to
MONITOR; users connecting from outside the cluster cannot have any higher privileges
(unless they are connecting via rsh or ssh; this is treated as a local connection).
Depending on your network configuration, ANY_SERVICEGUARD_NODE can provide
wide-ranging read-only access to the cluster.
◦ CLUSTER_MEMBER_NODE - any node in the cluster
◦ A specific node name - Use the hostname portion (the first of four parts) of a fully-qualified
domain name that can be resolved by the name service you are using; it should also be
in each node’s /etc/hosts. Do not use an IP address or the fully-qualified domain
name. If there are multiple hostnames (aliases) for an IP address, one of those must match
USER_HOST. See “Configuring Name Resolution” (page 159) for more information.
• USER_ROLE must be one of these three values:
◦ MONITOR
◦ FULL_ADMIN
◦ PACKAGE_ADMIN
MONITOR and FULL_ADMIN can be set only in the cluster configuration file and they apply
to the entire cluster. PACKAGE_ADMIN can be set in the cluster configuration file or a package
configuration file. If it is set in the cluster configuration file, PACKAGE_ADMIN applies to all
configured packages; if it is set in a package configuration file, it applies to that package
186 Building an HA Cluster Configuration
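
The rules on this page for USER_NAME, USER_HOST and USER_ROLE can be checked mechanically before a configuration file is applied. The following Python linter is an added example, not HP's code or part of Serviceguard; the function names, sample policies 2 and 3 and the hostname gryf.example.com are constructed, and it assumes `#` starts a comment as in the "# Policy 1:" line above.

```python
ROLES = {"MONITOR", "FULL_ADMIN", "PACKAGE_ADMIN"}
HOST_KEYWORDS = {"ANY_SERVICEGUARD_NODE", "CLUSTER_MEMBER_NODE"}

def parse_policies(text):
    """Group USER_NAME / USER_HOST / USER_ROLE lines into one dict per policy."""
    policies = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if not parts:
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "USER_NAME":                       # USER_NAME opens a new policy
            policies.append({"USER_NAME": value.split()})
        elif key in ("USER_HOST", "USER_ROLE") and policies:
            policies[-1][key] = value
    return policies

def check_policies(text, package_file=False):
    """Return findings for policies that break the rules stated on this page."""
    findings = []
    policies = parse_policies(text)
    if len(policies) > 200:
        findings.append("more than 200 access policies defined")
    for n, p in enumerate(policies, 1):
        names, host, role = p["USER_NAME"], p.get("USER_HOST", ""), p.get("USER_ROLE", "")
        if "ANY_USER" in names and len(names) > 1:
            findings.append(f"policy {n}: ANY_USER combined with login names")
        elif not names or len(names) > 8:
            findings.append(f"policy {n}: USER_NAME needs ANY_USER or 1 to 8 login names")
        if role not in ROLES:
            findings.append(f"policy {n}: invalid USER_ROLE {role!r}")
        elif package_file and role != "PACKAGE_ADMIN":
            findings.append(f"policy {n}: {role} can be set only in the cluster file")
        elif host == "ANY_SERVICEGUARD_NODE" and role != "MONITOR":
            findings.append(f"policy {n}: ANY_SERVICEGUARD_NODE should be MONITOR, not {role}")
        if host not in HOST_KEYWORDS and (not host or "." in host or ":" in host):
            findings.append(f"policy {n}: USER_HOST {host!r} is not a short hostname")
    return findings

# Constructed sample: policy 1 is the page's example, policies 2 and 3 are invented.
SAMPLE = """# Policy 1:
USER_NAME john fred patrick
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE FULL_ADMIN
USER_NAME alice
USER_HOST gryf.example.com
USER_ROLE MONITOR
"""
if __name__ == "__main__":
    print("\n".join(check_policies(SAMPLE)))
```

Pass `package_file=True` when linting a package configuration file, where only PACKAGE_ADMIN is accepted.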