HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Equivalent Restricted SAM Functionality With SMH?

 
jkolodziej
Occasional Advisor

Equivalent Restricted SAM Functionality With SMH?

SysAdm Gurus:

 

We have two rx2800 Integrity Servers running HP-UX11i v3 with March 2014 patches and a 3PAR StoreServ 7200. Our Integrity Servers are running Serviceguard.This equipment replaces three HP9000 Servers running HP-UX 10.20 and Serviceguard (we actually have three identical Systems - 6 Integrity Servers replacing 9 K-Servers). With our current System, we have technicians that use Restricted SAM to monitor our Serviceguard packages. If, for some reason, a package goes down, the technicians have the ability to restart the package.

 

I want to provide analogous functionality with the Integrity Servers, without giving root permission to the technicians. From what I have seen, SMH only allows starting/stopping Serviceguard packages to root users. I have looked at the restricted SMH, but this does not seem to work for two reasons (I want a GUI, not a TUI; and even if the TUI was OK it appears Serviceguard is not one of the options). I have looked at Settings->Add Custom Menu, and maybe this could work. I would need to enter the cmhaltpkg/cmmodpkg/cmrunpkg commands in /usr/sbin for "Command/URL", and I could run this as root. I just do not know enough to determine whether this is a good solution. I find it hard to believe that I am the first person who wants RSAM functionality with SMH.

 

How can I provide our technicians with a similar environment like they had with Restriced SAM via SMH (and not give them root permissions)? Should I just RTFM some more?

 

Any help is appreciated.

 

Regards,

 

Jeff Kolodziej

jeffrey.a.kolodziej@nasa.gov

 

4 REPLIES

Re: Equivalent Restricted SAM Functionality With SMH?

You may want to use sudo to limit this.  Or possibly RBAC.

Bill Hassell
Honored Contributor

Re: Equivalent Restricted SAM Functionality With SMH?

No GUI or TUI menu for SG.

 

However, it is quite simple to write a menu of choices, even making that script autostart when the tech logs in as sgmaint or something similar. The script would show the choices, then determine if the choice makes sense in the current environment (ie, start SG when SG is already running, etc). The script could be expanded to move packages between nodes, essentially any task where no special sysadmin handwork is required such as editing scripts. The script would then use sudo to run the actual commands (and log accordingly).



Bill Hassell, sysadmin
jkolodziej
Occasional Advisor

Re: Equivalent Restricted SAM Functionality With SMH?

Dear Mr. Handly:

 

Thanks for the quick reply and the info. I am actually just a Developer trying to help out as best I can. Our System Administrator's preference is to use sudo to solve the problem. I know he has downloaded sudo to our Integrity Servers, but I do not know if he has taken any additional action (he's very busy). As for RBAC, we have arrived at the same conclusion. I was poking around in the Managing Serviceguard manuals and came across the Access Control Policies for the Cluster Configuration File. I like this approach, but it's ultimately up to our SysAdm how to proceed.

 

Thanks again for the help. I will assign kudos.

 

Regards,

 

Jeff Kolodziej

jeffrey.a.kolodziej@nasa.gov

jkolodziej
Occasional Advisor

Re: Equivalent Restricted SAM Functionality With SMH?

Dear Mr. Hassell:

 

Thanks for the quick reply and the suggestions. Our System Administrator (I am just a Developer) does prefer to implement a solution via sudo. I would "say" that your suggestions appear to align closely with what our SysAdm would want to implement. I will make sure our SysAdm sees your suggestions.

 

Thanks again for the help. I will assign kudos.

 

Regards,

 

Jeff Kolodziej

jeffrey.a.kolodziej@nasa.gov