
Re: managing a cluster by a non-root user

 
Atheer Tariq
Occasional Advisor

managing a cluster by a non-root user

How can I enable non-root users to manage the Serviceguard cluster?

I have upgraded Serviceguard to ver A.11.16, but I am still getting permission denied when trying to manage the cluster as a non-root user.
Steven E. Protter
Exalted Contributor

Re: managing a cluster by a non-root user

Shalom Atheer,

It is quite possible to provide sudo access to any SG commands needed to manage the cluster.

sudo is available here:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

You have not specified your OS, so I can't be more specific.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Torsten.
Acclaimed Contributor

Re: managing a cluster by a non-root user

It doesn't make sense for security reasons to allow such operation to a non-root user.

Use the root account instead.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Atheer Tariq
Occasional Advisor

Re: managing a cluster by a non-root user

Sorry, I forgot to mention that the system is HP-UX 11.11.
Mridul Shrivastava
Honored Contributor

Re: managing a cluster by a non-root user

Role-based access (also called Access Control Policy) is configured using
additional statements in the cluster configuration file and package
configuration files.

Cluster-level admin rights are granted via the cluster configuration file.
Package-level admin rights are granted per package configuration file.
Rights given at cluster-level need not be granted again at the package-level.

The parameters used in these files are:

Cluster     Possible settings        Meaning
---------   ---------------------    --------------------------------
USER_NAME                            user listed in /etc/passwd

USER_HOST   ANY_SERVICEGUARD_NODE    may manage cluster from any node
                                     loaded with Serviceguard

            CLUSTER_MEMBER_NODE      may manage cluster from a node
                                     in this cluster

                                     limited to managing cluster from
                                     this specific node

USER_ROLE   MONITOR                  read-only capabilities for the cluster
                                     and packages

            PACKAGE_ADMIN            MONITOR, plus administrative commands for
                                     packages in the cluster

            FULL_ADMIN               MONITOR and PACKAGE_ADMIN plus the
                                     administrative commands for the cluster.


Package     Possible settings        Meaning
---------   ---------------------    --------------------------------
USER_NAME   ANY_USER                 Global authorization

                                     list up to 8

USER_HOST   ANY_SERVICEGUARD_NODE    may manage package from any node
                                     loaded with Serviceguard

            CLUSTER_MEMBER_NODE      may manage package from a node
                                     in this cluster

USER_ROLE   PACKAGE_ADMIN            MONITOR, plus administrative commands for
                                     packages in the cluster



The A.11.16 cluster configuration file template gives this detail.
Time has a wonderful way of weeding out the trivial
Darrel Louis
Honored Contributor

Re: managing a cluster by a non-root user

Hi Atheer,

Is it a policy within the company that you're not allowed to log in as root via sudo?
If yes, you should implement sudo and give the users who need to manage the cluster the appropriate rights via the sudoers file.

From a security point of view you don't want normal users to manage a cluster.

Darrel

Ninad_1
Honored Contributor

Re: managing a cluster by a non-root user

You can give cluster management roles to non-root users as well.
Please refer to manual Managing SG - chapter 5
http://docs.hp.com/en/B3936-90079/ch05s01.html#d0e9554

The roles are defined in the cluster config file.
The extract of the sample configuration file shows:
# Example: to configure a role for user john from node noir to
# administer a cluster and all its packages, enter:
# USER_NAME john
# USER_HOST noir
# USER_ROLE FULL_ADMIN

Also read the section "Preparing your systems" to understand all the requirements to have proper access and settings - this can be found at the very beginning of the section pointed to by the URL given above.

Main things being
1. ip address resolution - /etc/nsswitch.conf - /etc/hosts DNS
2. User validation -
Serviceguard relies on the ident service of the client node to verify the username of the incoming network connection. If the Serviceguard daemon is unable to connect to the client's ident daemon, permission will be denied.


I would recommend first reading that chapter to understand where your problem could be.

Regards,
Ninad
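
An added example, not part of any reply in this thread and not HP's code: a small Python audit of the USER_NAME / USER_HOST / USER_ROLE policies described in the two replies above, run over a copy of a cluster or package configuration file. It assumes the three lines of a policy appear in that order; the sample text and the two "too broad" checks (an admin role for ANY_USER, or usable from ANY_SERVICEGUARD_NODE) are this example's own constructions.

```python
import re

ROLES = {"cluster": {"MONITOR", "PACKAGE_ADMIN", "FULL_ADMIN"}, "package": {"PACKAGE_ADMIN"}}

def parse_policies(text):
    """Return (policies, errors); assumes NAME, HOST, ROLE order (this example's assumption)."""
    policies, errors, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop template comments
        m = re.match(r"(USER_NAME|USER_HOST|USER_ROLE)\s+(\S.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).split()
        if key == "USER_NAME":                       # a new policy starts here
            cur = {"line": n, "users": val, "host": None, "role": None}
            policies.append(cur)
        elif cur is None:
            errors.append(f"line {n}: {key} before any USER_NAME")
        else:
            cur["host" if key == "USER_HOST" else "role"] = val[0]
    return policies, errors

def audit(text, level="cluster"):
    """List findings: malformed policies plus grants this example treats as too broad."""
    policies, findings = parse_policies(text)
    for p in policies:
        where, who = f"line {p['line']}", ",".join(p["users"])
        if p["host"] is None or p["role"] is None:
            findings.append(f"{where}: incomplete policy for {who}")
            continue
        if p["role"] not in ROLES[level]:
            findings.append(f"{where}: role {p['role']} not valid in a {level} file")
        if p["role"] != "MONITOR":                   # admin rights: check their scope
            if "ANY_USER" in p["users"]:
                findings.append(f"{where}: {p['role']} granted to ANY_USER")
            if p["host"] == "ANY_SERVICEGUARD_NODE":
                findings.append(f"{where}: {p['role']} usable from ANY_SERVICEGUARD_NODE")
    return findings

# Constructed sample (hypothetical cluster file excerpt, not taken from the thread).
SAMPLE = """\
USER_NAME john
USER_HOST noir
USER_ROLE FULL_ADMIN      # trailing comments are ignored
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE PACKAGE_ADMIN
USER_NAME operator
USER_HOST nodea
"""
```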
rariasn
Honored Contributor

Re: managing a cluster by a non-root user

- Install Sguard product, minimum A.16.00

ServiceGuard A.11.16.00

- Define policy for users

USER_NAME operator
USER_HOST nodea
USER_ROLE package_admin (or full_admin)



- Install "Serviceguard Manager"

SG-Manager A.05.00 Serviceguard Java GUI

It's very easy for an operator to manage cluster, nodes and packages with this application.

rgs,

ran