90 An Introduction to Security in a CSM 1.3 for AIX 5L Environment
6.2.1 Configuration files for Resource Monitoring and Control
RMC is part of RSCT. The original RSCT configuration files are located in
/usr/sbin/rsct/cfg. These original files should not be changed. If CSM needs to
modify one of these files it creates a copy of it in /var/ct/cfg and modifies the copy.
RSCT searches /var/ct/cfg for configuration files first. If the file exists in this
directory, it uses it. If it does not exist, RSCT uses the original configuration file
found in /usr/sbin/rsct/cfg.
Table 6-3 shows an important configuration file for RMC, whether it is copied from
its original location to /var/ct/cfg, and when you need to modify it.

Important: You should not modify any of the original RSCT configuration files
in /usr/sbin/rsct/cfg. To modify a file, first copy it to /var/ct/cfg, and then modify
the copy in that directory only.

Table 6-3 Configuration file for Resource Monitoring and Control
Configuration file name   Copied to /var/ct/cfg   When to change?
ctrmc.acls                Yes                     Administration of client access to resources

6.2.2 Allowing a non-root user to administer CSM
Adding non-root users to the RMC environment is necessary if you want to allow
other users to administer or monitor the Cluster Systems Management (CSM)
cluster without being root. To do this, you need to change the following
configuration files:
- ctrmc.acls
- ctsec_map.global, if local identity mapping will be used
If you want to add more than one user, or if the user administers the cluster from
different hosts, it may be easier to use local identity mapping. To understand how
mapping works, see 3.2.5, "Identity mapping service" on page 29.
The following two examples show how to configure RMC to allow non-root users
access to cluster resources.
The examples allow the user read and write access to every resource. If you
want to allow read-only access (for example, for monitoring only), you need to
change the permissions. If, in either case, you do not want to allow access to all
resources, you need to specify permissions for each resource. For more details
about adding users and permissions to the ACL file, see IBM Reliable Scalable
Cluster Technology for AIX 5L: RSCT Guide and Reference, SA22-7889.
Chapter 6. Security administration 91
Allowing a user ID to administer the cluster from one server
This example adds one user to the configuration files. This user can administer
the cluster from the management server only. The RMC ACL file
/var/ct/cfg/ctrmc.acls on the management server and all the nodes this user can
administer must be changed.
1. On the management server, open the file with vi /var/ct/cfg/ctrmc.acls and
   go to the DEFAULT stanza.
2. Edit the stanza to add user david, as shown in Example 6-5.
Example 6-5 Allowing a user ID to administer the cluster from one server: The ACL file
DEFAULT
root@LOCALHOST * rw
david@csmserver1 * rw
LOCALHOST * r
3. Save the file and distribute it to all the nodes using dsh or CFM.
Allowing a user ID to administer the cluster from any node
This example adds one user to the configuration files. This user can administer
the cluster from every node within the cluster. The RMC ACL file
/var/ct/cfg/ctrmc.acls on the management server and all nodes this user can
administer must be changed. For easier administration, this example also uses
local identity mapping.
Add the local identity mapping entry to the mapping file:
1. Copy the global mapping file to /var/ct/cfg if the file does not exist. If the file
already exists, do not overwrite it.
cp /usr/sbin/rsct/cfg/ctsec_map.global /var/ct/cfg/
2. Edit this file with vi /var/ct/cfg/ctsec_map.global and add the following
line to allow user david access to the cluster resources:
unix:david@<cluster>=mapped_david
This maps user david coming from every node within the active cluster to the
local identity mapped_david. Remember, this mapped identity does not need
to exist as a real user ID on the operating system.
You also can map this user to the local identity root by adding the following
line:
unix:david@<cluster>=root
In this case, you do not need to change the RMC ACL file, because root
already has all permissions to access the resources within the cluster.
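The following script is an added example and is not code from the Redbook or from RSCT. It turns the procedures of 6.2.1 and 6.2.2 into small POSIX sh functions: the lookup order in which RSCT resolves a configuration file (/var/ct/cfg first, then /usr/sbin/rsct/cfg), the "copy only if no copy exists" rule for moving a file into /var/ct/cfg, the Example 6-5 edit that adds an entry to the DEFAULT stanza of ctrmc.acls, and the ctsec_map.global mapping line. All paths are passed as arguments so the functions can be exercised on constructed sample files in a temporary directory before anything under /var/ct/cfg is touched. The ACL file layout is assumed here: a stanza name stands alone on its line and each entry has three fields (identity, resource class, permissions), as in Example 6-5; the function names, the sample file contents and the directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Redbook or RSCT). POSIX sh, awk and grep only,
# so it runs under the default AIX shell as well as on Linux.
# Assumptions: stanza names stand alone on a line, ACL entries have exactly
# three fields, and each ctsec_map.global mapping sits on its own line.

# Resolve a configuration file the way 6.2.1 describes: the copy under the
# local directory (normally /var/ct/cfg) wins, otherwise the original
# (normally /usr/sbin/rsct/cfg) is used. Directories are parameters for testing.
effective_cfg_path() {   # effective_cfg_path <local dir> <original dir> <file>
    if [ -e "$1/$3" ]; then printf '%s\n' "$1/$3"; else printf '%s\n' "$2/$3"; fi
}

# Copy an original RSCT file only if no copy exists yet; an existing copy may
# already carry local changes and is never overwritten.
copy_if_absent() {       # copy_if_absent <source> <destination>
    if [ -e "$2" ]; then return 0; fi
    cp "$1" "$2"
}

# Exit 0 when the DEFAULT stanza already holds "<identity> <resource> <perm>".
has_default_acl_entry() {   # has_default_acl_entry <acl file> <id> <res> <perm>
    awk -v id="$2" -v res="$3" -v perm="$4" '
        NF == 1 { stanza = $1; next }          # a lone word starts a stanza
        stanza == "DEFAULT" && NF == 3 &&
            $1 == id && $2 == res && $3 == perm { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Insert the entry directly after the DEFAULT line (Example 6-5). Running it
# twice leaves the file unchanged, so it is safe to repeat on every node.
add_default_acl_entry() {   # add_default_acl_entry <acl file> <id> <res> <perm>
    has_default_acl_entry "$1" "$2" "$3" "$4" && return 0
    awk -v e="$2 $3 $4" '
        { print }
        NF == 1 && $1 == "DEFAULT" { print "    " e }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Append one "unix:<user>@<host>=<local identity>" line unless already present.
add_identity_mapping() {    # add_identity_mapping <map file> <mapping line>
    grep -q -x -F -- "$2" "$1" 2>/dev/null && return 0
    printf '%s\n' "$2" >> "$1"
}

# Walk through both examples on constructed sample files in a temp directory.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/orig" "$dir/cfg"
    # Constructed stand-ins for the originals in /usr/sbin/rsct/cfg.
    printf 'DEFAULT\n    root@LOCALHOST * rw\n    LOCALHOST * r\n' > "$dir/orig/ctrmc.acls"
    printf 'unix:root@<cluster>=root\n' > "$dir/orig/ctsec_map.global"

    copy_if_absent "$dir/orig/ctrmc.acls" "$dir/cfg/ctrmc.acls"
    copy_if_absent "$dir/orig/ctsec_map.global" "$dir/cfg/ctsec_map.global"
    # Example 6-5: david may administer from the management server only.
    add_default_acl_entry "$dir/cfg/ctrmc.acls" 'david@csmserver1' '*' rw
    # Second example: david from any cluster node maps to a local identity.
    add_identity_mapping "$dir/cfg/ctsec_map.global" 'unix:david@<cluster>=mapped_david'

    printf '== %s ==\n' "$(effective_cfg_path "$dir/cfg" "$dir/orig" ctrmc.acls)"
    cat "$dir/cfg/ctrmc.acls"
    printf '== %s ==\n' "$(effective_cfg_path "$dir/cfg" "$dir/orig" ctsec_map.global)"
    cat "$dir/cfg/ctsec_map.global"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh rmc_acl_helpers.sh demo` to see the resulting files. The functions deliberately never touch the originals and never overwrite an existing copy, which is the practical form of the "Important" note in 6.2.1; after editing the real /var/ct/cfg/ctrmc.acls on the management server, the file still has to be distributed to the nodes (with dsh or CFM) as step 3 of the first example describes.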