This chapter describes RBAC (Role-Based Access Control) in relation to Sun Cluster. Topics covered include:

Use the following table to determine the documentation to consult about setting up and using RBAC. Specific steps that you follow to set up and use RBAC with Sun Cluster are presented later in this chapter.
SunPlex Manager and selected Sun Cluster commands and options that you issue on the command line use RBAC for authentication. Several RBAC rights profiles are included in Sun Cluster. You can assign these rights profiles to users or to roles to give them different levels of access to Sun Cluster. Sun provides the following rights profiles with Sun Cluster software.
| Rights Profile | Includes Authorizations | This Authorization Permits the Role Identity to |
|---|---|---|
| Sun Cluster Commands | None, but includes a list of Sun Cluster commands that run with euid=0 | Execute selected Sun Cluster commands that you use to configure and manage a cluster, including: scgdevs(1M), scswitch(1M) (selected options), scha_control(1HA), scha_resource_get(1HA), scha_resource_setstatus(1HA), scha_resourcegroup_get(1HA), scha_resourcetype_get(1HA) |
| Basic Solaris User | This existing Solaris rights profile contains Solaris authorizations, as well as: | Perform the same operations that the Basic Solaris User role identity can perform, as well as: |
| | solaris.cluster.device.read | Read information about device groups |
| | solaris.cluster.gui | Access SunPlex Manager |
| | solaris.cluster.network.read | Read information about IP Network Multipathing. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.node.read | Read information about attributes of nodes |
| | solaris.cluster.quorum.read | Read information about quorum devices and the quorum state |
| | solaris.cluster.resource.read | Read information about resources and resource groups |
| | solaris.cluster.system.read | Read the status of the cluster |
| | solaris.cluster.transport.read | Read information about transports |
| Cluster Operation | solaris.cluster.appinstall | Install clustered applications |
| | solaris.cluster.device.admin | Perform administrative tasks on device group attributes |
| | solaris.cluster.device.read | Read information about device groups |
| | solaris.cluster.gui | Access SunPlex Manager |
| | solaris.cluster.install | Install clustering software. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.network.admin | Perform administrative tasks on IP Network Multipathing attributes. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.network.read | Read information about IP Network Multipathing. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.node.admin | Perform administrative tasks on node attributes |
| | solaris.cluster.node.read | Read information about attributes of nodes |
| | solaris.cluster.quorum.admin | Perform administrative tasks on quorum devices and quorum state attributes |
| | solaris.cluster.quorum.read | Read information about quorum devices and the quorum state |
| | solaris.cluster.resource.admin | Perform administrative tasks on resource attributes and resource group attributes |
| | solaris.cluster.resource.read | Read information about resources and resource groups |
| | solaris.cluster.system.admin | Administer the system. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.system.read | Read the status of the cluster |
| | solaris.cluster.transport.admin | Perform administrative tasks on transport attributes |
| | solaris.cluster.transport.read | Read information about transports |
| System Administrator | This existing Solaris rights profile contains the same authorizations that the Cluster Management profile contains. | Perform the same operations that the Cluster Management role identity can perform, in addition to other system administration operations. |
| Cluster Management | This rights profile contains the same authorizations that the Cluster Operation profile contains, as well as the following authorizations: | Perform the same operations that the Cluster Operation role identity can perform, as well as: |
| | solaris.cluster.device.modify | Modify device group attributes |
| | solaris.cluster.gui | Access SunPlex Manager |
| | solaris.cluster.network.modify | Modify IP Network Multipathing attributes. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.node.modify | Modify node attributes. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.quorum.modify | Modify quorum devices and quorum state attributes |
| | solaris.cluster.resource.modify | Modify resource attributes and resource group attributes |
| | solaris.cluster.system.modify | Modify system attributes. Note - This authorization does not apply to SunPlex Manager. |
| | solaris.cluster.transport.modify | Modify transport attributes |
To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user.

1. Start the Administrative Roles tool.
   To run the Administrative Roles tool, start the Solaris Management Console, as described in "How to Assume a Role in the Console Tools" in System Administration Guide: Security Services. Then open the User Tool Collection and click the Administrative Roles icon.

2. Start the Add Administrative Role wizard.
   Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.

3. Set up a role to which the Cluster Management rights profile is assigned.
   Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until you have filled in all required fields. The last dialog box enables you to review the entered data, at which point you can go back to change entries or click Finish to save the new role. Table 2-1 summarizes the dialog boxes.
   Note - You need to place this profile first in the list of profiles that are assigned to the role.

4. Add users who need to use the SunPlex Manager features or Sun Cluster commands to the newly created role.
   You use the useradd(1M) command to add a user account to the system. The -P option assigns a role to a user's account.

5. Click Finish when you are done.

6. Open a terminal window, become root, and stop and start the name service cache daemon.
   The new role does not take effect until the name service cache daemon is restarted. After becoming root, type as follows:

   # /etc/init.d/nscd stop
   # /etc/init.d/nscd start
Table 2-1 Add Administrative Role Wizard Dialog Boxes

| Dialog Box | Fields | Field Description |
|---|---|---|
| Step 1: Enter a role name | Role Name | Short name of the role. |
| | Full Name | Long version of the name. |
| | Description | Description of the role. |
| | Role ID Number | UID for the role, automatically incremented. |
| | Role Shell | The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell. |
| | Create a role mailing list | Makes a mailing list for users who are assigned to this role. |
| Step 2: Enter a role password | Role Password | ******** |
| | Confirm Password | ******** |
| Step 3: Select role rights | Available Rights / Granted Rights | Assigns or removes a role's rights profiles. Note that the system does not prevent you from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile have precedence and all subsequent occurrences are ignored. Use the Up and Down arrows to change the order. |
| Step 4: Select a home directory | Server | Server for the home directory. |
| | Path | Home directory path. |
| Step 5: Assign users to this role | Add | Adds users who can assume this role. Must be in the same scope. |
| | Delete | Deletes users who are assigned to this role. |