Serviceguard Version A.11.16 Release Notes, 2nd Edition, September 2004

Known Problems and Workarounds
JAGaf08686: It is not possible to configure some combinations of roles
What was the problem? Duplicate roles and conflicting roles are not
allowed in Access Control Policies. This is especially problematic
when wildcards are used. For example, if ANY_USER from
ANY_SERVICEGUARD_NODE has a role, no other Access Control
Policy can be created that would not conflict with it or be redundant:
every possible user already has a role.
But what if you want everyone in the lab to have monitor access, one
smaller group to have package admin, and the manager, Jon, to have
full cluster admin? Until you remove the double wildcard policy, you
cannot define another role.
What was the workaround? Avoid broadly defined policies, especially
those with wildcards for both users and nodes. Instead, define roles
for groups and individuals, or specify only certain nodes. For
example, the following policies have no conflicts or redundancies.
You can create an /etc/passwd entry for a user ITlab, and give
everyone in the lab the password to log in as ITlab:
USER_NAME ITlab
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE monitor
For a smaller group or an individual, you can list individual
names:
USER_NAME admin1 admin2 admin3 admin4 admin5 admin6 admin7 admin8
USER_HOST CLUSTER_MEMBER_NODE
USER_ROLE package_admin
USER_NAME jon
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE full_admin
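The following Python checker is an added illustration of the overlap rule described in this entry; it is not code from the release notes or from Serviceguard itself. It parses USER_NAME/USER_HOST/USER_ROLE entries and reports every pair of policies whose user and host scopes overlap, calling a pair "redundant" when the roles match and a "conflict" otherwise. The scope model it uses (ANY_USER matches every user, ANY_SERVICEGUARD_NODE covers every node, CLUSTER_MEMBER_NODE covers every cluster member, and a literal host name is one member) is an assumption made for the example, not the product's exact validation rule.

```python
ANY_USER = "ANY_USER"
ANY_NODE = "ANY_SERVICEGUARD_NODE"
MEMBER_NODE = "CLUSTER_MEMBER_NODE"

def parse_policies(text):
    """Group USER_NAME / USER_HOST / USER_ROLE lines into policy dicts."""
    policies, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("USER_NAME", "USER_HOST", "USER_ROLE"):
            continue  # blank or unrelated configuration line
        if parts[0] == "USER_NAME":  # each USER_NAME line starts a new policy
            current = {"users": set(parts[1:]), "host": None, "role": None}
            policies.append(current)
        elif parts[0] == "USER_HOST":
            current["host"] = parts[1]
        else:
            current["role"] = parts[1]
    return policies

def users_overlap(a, b):
    # ANY_USER is assumed to match every user name
    return ANY_USER in a or ANY_USER in b or bool(a & b)

def hosts_overlap(a, b):
    # Assumed scope model: ANY_SERVICEGUARD_NODE covers every node,
    # CLUSTER_MEMBER_NODE covers every member, a literal name is one member.
    return ANY_NODE in (a, b) or MEMBER_NODE in (a, b) or a == b

def find_problems(text):
    """Return (kind, i, j) for each pair of policies whose scopes overlap."""
    pols = parse_policies(text)
    problems = []
    for i in range(len(pols)):
        for j in range(i + 1, len(pols)):
            p, q = pols[i], pols[j]
            if users_overlap(p["users"], q["users"]) and hosts_overlap(p["host"], q["host"]):
                kind = "redundant" if p["role"] == q["role"] else "conflict"
                problems.append((kind, i, j))
    return problems

# Constructed inputs: the double wildcard from the problem description and
# the three policies from the workaround.
BROAD_POLICIES = ("USER_NAME ANY_USER\nUSER_HOST ANY_SERVICEGUARD_NODE\nUSER_ROLE monitor\n"
                  "USER_NAME jon\nUSER_HOST ANY_SERVICEGUARD_NODE\nUSER_ROLE full_admin\n")
LAB_POLICIES = ("USER_NAME ITlab\nUSER_HOST ANY_SERVICEGUARD_NODE\nUSER_ROLE monitor\n"
                "USER_NAME admin1 admin2 admin3 admin4 admin5 admin6 admin7 admin8\n"
                "USER_HOST CLUSTER_MEMBER_NODE\nUSER_ROLE package_admin\n"
                "USER_NAME jon\nUSER_HOST ANY_SERVICEGUARD_NODE\nUSER_ROLE full_admin\n")
```

Running find_problems on BROAD_POLICIES flags the jon policy as a conflict with the double wildcard, while LAB_POLICIES produces no findings, matching the text's claim that the three workaround policies neither conflict nor overlap.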