Managing Serviceguard Seventeenth Edition, First Reprint December 2009

NOTE: For more information and advice, see the white paper Securing Serviceguard

at http://docs.hp.com -> High Availability -> Serviceguard ->

White Papers.

Define access-control policies for a cluster in the cluster configuration file; see “Cluster

Configuration Parameters ” (page 139). You can define up to 200 access policies for each

cluster. A root user can create or modify access control policies while the cluster is

running.

Define policies for a specific package in the package configuration file; see the entries

for user_name and related package-configuration parameters (page 285).

NOTE: Once nodes are configured into a cluster, the access-control policies you set

in the cluster and package configuration files govern cluster-wide security; changes to

the “bootstrap” cmclnodelist file are ignored (see “Allowing Root Access to an

Unconfigured Node” (page 197)).

Access control policies are defined by three parameters in the configuration file:

• Each USER_NAME can consist either of the literal ANY_USER, or a maximum of

8 login names from the /etc/passwd file on USER_HOST. The names must be

separated by spaces or tabs, for example:

# Policy 1:

USER_NAME john fred patrick

USER_HOST bit

USER_ROLE PACKAGE_ADMIN

• USER_HOST is the node where USER_NAME will issue Serviceguard commands.

NOTE: The commands must be issued onUSER_HOST but can take effect on

other nodes; for example patrick can use bit’s command line to start a package

on gryf.

Choose one of these three values for USER_HOST:

— ANY_SERVICEGUARD_NODE - any node on which Serviceguard is configured,

and which is on a subnet with which nodes in this cluster can communicate

(as reported bycmquerycl -w full).

Configuring the Cluster 231