Sun Cluster System Administration Guide for Solaris OS

Chapter 2 Sun Cluster and RBAC

This chapter describes RBAC (Role-Based Access Control) in relation to Sun Cluster: the rights profiles that Sun Cluster provides, how to create a role that carries a cluster management rights profile and assign users to it, and how to modify a user's RBAC properties.

Setting Up and Using RBAC With Sun Cluster

Use the following table to determine the documentation to consult about setting up and using RBAC. Specific steps that you follow to set up and use RBAC with Sun Cluster are presented later in this chapter.

To                                        Refer to

Learn more about RBAC                     Chapter 8, Using Roles and Privileges (Overview), in System Administration Guide: Security Services

Set up, manage elements of, and use RBAC  Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services

Learn more about RBAC elements and tools  Chapter 10, Role-Based Access Control (Reference), in System Administration Guide: Security Services

Sun Cluster RBAC Rights Profiles

SunPlex Manager and selected Sun Cluster commands and options that you issue on the command line use RBAC for authorization. Several RBAC rights profiles are included in Sun Cluster. You can assign these rights profiles to users or to roles to give them different levels of access to Sun Cluster. Sun provides the following rights profiles with Sun Cluster software; Basic Solaris User and System Administrator are existing Solaris profiles to which Sun Cluster adds authorizations.

Rights Profile: Sun Cluster Commands
    Includes authorizations: None, but the profile lists Sun Cluster commands that run with euid=0. As with any exec_attr(4) entry, the euid=0 attribute applies only when the command is run from a profile shell (pfsh, pfcsh, or pfksh) or through pfexec(1); run from an ordinary shell, the command executes with the caller's own UID.
    Permits the role identity to: Execute selected Sun Cluster commands that you use to configure and manage a cluster, including:
        scgdevs(1M)
        scswitch(1M) (selected options)
        scha_control(1HA)
        scha_resource_get(1HA)
        scha_resource_setstatus(1HA)
        scha_resourcegroup_get(1HA)
        scha_resourcetype_get(1HA)

Rights Profile: Basic Solaris User
    Includes authorizations: This existing Solaris rights profile contains Solaris authorizations, as well as the cluster authorizations listed below.
    Permits the role identity to: Perform the same operations that the Basic Solaris User role identity can perform, as well as:
        solaris.cluster.device.read       Read information about device groups
        solaris.cluster.gui               Access SunPlex Manager
        solaris.cluster.network.read      Read information about IP Network Multipathing
        solaris.cluster.node.read         Read information about attributes of nodes
        solaris.cluster.quorum.read       Read information about quorum devices and the quorum state
        solaris.cluster.resource.read     Read information about resources and resource groups
        solaris.cluster.system.read       Read the status of the cluster
        solaris.cluster.transport.read    Read information about transports

Rights Profile: Cluster Operation
    Includes authorizations and permits the role identity to:
        solaris.cluster.appinstall        Install clustered applications
        solaris.cluster.device.admin      Perform administrative tasks on device group attributes
        solaris.cluster.device.read       Read information about device groups
        solaris.cluster.gui               Access SunPlex Manager
        solaris.cluster.install           Install clustering software
        solaris.cluster.network.admin     Perform administrative tasks on IP Network Multipathing attributes
        solaris.cluster.network.read      Read information about IP Network Multipathing
        solaris.cluster.node.admin        Perform administrative tasks on node attributes
        solaris.cluster.node.read         Read information about attributes of nodes
        solaris.cluster.quorum.admin      Perform administrative tasks on quorum devices and quorum state attributes
        solaris.cluster.quorum.read       Read information about quorum devices and the quorum state
        solaris.cluster.resource.admin    Perform administrative tasks on resource attributes and resource group attributes
        solaris.cluster.resource.read     Read information about resources and resource groups
        solaris.cluster.system.admin      Administer the system
        solaris.cluster.system.read       Read the status of the cluster
        solaris.cluster.transport.admin   Perform administrative tasks on transport attributes
        solaris.cluster.transport.read    Read information about transports

Rights Profile: System Administrator
    Includes authorizations: This existing Solaris rights profile contains the same authorizations that the Cluster Management profile contains.
    Permits the role identity to: Perform the same operations that the Cluster Management role identity can perform, in addition to other system administration operations.

Rights Profile: Cluster Management
    Includes authorizations: This rights profile contains the same authorizations that the Cluster Operation profile contains, as well as the authorizations listed below.
    Permits the role identity to: Perform the same operations that the Cluster Operation role identity can perform, as well as:
        solaris.cluster.device.modify     Modify device group attributes
        solaris.cluster.gui               Access SunPlex Manager
        solaris.cluster.network.modify    Modify IP Network Multipathing attributes
        solaris.cluster.node.modify       Modify node attributes
        solaris.cluster.quorum.modify     Modify quorum devices and quorum state attributes
        solaris.cluster.resource.modify   Modify resource attributes and resource group attributes
        solaris.cluster.system.modify     Modify system attributes
        solaris.cluster.transport.modify  Modify transport attributes
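The profiles above only matter through the authorization check that SunPlex Manager and the cluster commands perform before acting. As an added example, not code from the Sun Cluster guide or product, the following POSIX shell script emulates that lookup in simplified chkauthattr(3SECDB) terms against constructed user_attr(4) and prof_attr(4) entries modeled on the table: the user and role names (opuser, clmgr, auditor, jdoe), the abridged authorization lists, and the modeling of Cluster Management as a profile that nests Cluster Operation are assumptions for illustration, and policy.conf(4) defaults and solaris.grant handling are omitted.

```shell
#!/bin/sh
# Added example, not part of the Sun Cluster guide: emulate the authorization
# lookup that SunPlex Manager and the cluster commands rely on, against
# constructed user_attr(4) and prof_attr(4) data modeled on the table above.

# Constructed user_attr(4) entries: user:qualifier:res1:res2:attr
USER_ATTR='opuser::::type=normal;profiles=Cluster Operation
clmgr::::type=role;profiles=Cluster Management,Basic Solaris User
auditor::::type=normal;auths=solaris.cluster.*
jdoe::::type=normal;roles=clmgr'

# Constructed prof_attr(4) entries: profname:res1:res2:desc:attr (abridged).
# ASSUMPTION: Cluster Management is modeled as nesting Cluster Operation via
# profiles=; the shipped prof_attr may list every authorization explicitly.
PROF_ATTR='Basic Solaris User:::Automatically assigned rights:auths=solaris.cluster.device.read,solaris.cluster.gui,solaris.cluster.quorum.read
Cluster Operation:::Operate a cluster:auths=solaris.cluster.appinstall,solaris.cluster.device.admin,solaris.cluster.device.read,solaris.cluster.gui,solaris.cluster.quorum.admin,solaris.cluster.quorum.read
Cluster Management:::Manage a cluster:profiles=Cluster Operation;auths=solaris.cluster.device.modify,solaris.cluster.quorum.modify'

# has_auth USER AUTH: exit 0 if USER holds AUTH directly, through an assigned
# rights profile, or through a profile nested in one. Roles listed in roles=
# are deliberately not followed: a user gets a role's rights only after
# assuming the role. A granted name ending in "*" matches any authorization
# with that prefix, as in auth_attr(4).
has_auth() {
    {
        printf '%s\n' "$USER_ATTR" | sed 's/^/U:/'
        printf '%s\n' "$PROF_ATTR" | sed 's/^/P:/'
    } | awk -F: -v user="$1" -v want="$2" '
        # value of KEY inside a "k1=v1;k2=v2" attribute field, or ""
        function getkey(attr, key,    n, kv, i, p) {
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                p = index(kv[i], "=")
                if (p && substr(kv[i], 1, p - 1) == key) return substr(kv[i], p + 1)
            }
            return ""
        }
        function matches(granted, w,    l) {
            if (granted == w) return 1
            l = length(granted)
            if (substr(granted, l) == "*")
                return substr(w, 1, l - 1) == substr(granted, 1, l - 1)
            return 0
        }
        function anylist(list, w,    n, a, i) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (matches(a[i], w)) return 1
            return 0
        }
        # walk profiles= recursively; the depth guard stops a cyclic profile list
        function via_profiles(list, w, depth,    n, a, i) {
            if (depth > 16) return 0
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) {
                if (!(a[i] in pattr)) continue
                if (anylist(getkey(pattr[a[i]], "auths"), w)) return 1
                if (via_profiles(getkey(pattr[a[i]], "profiles"), w, depth + 1)) return 1
            }
            return 0
        }
        $1 == "U" && $2 == user { uattr = $6 }
        $1 == "P"               { pattr[$2] = $6 }
        END {
            if (anylist(getkey(uattr, "auths"), want)) exit 0
            if (via_profiles(getkey(uattr, "profiles"), want, 0)) exit 0
            exit 1
        }'
}

# Stand-alone run: report a few probes.
for probe in "opuser solaris.cluster.quorum.admin" \
             "opuser solaris.cluster.quorum.modify" \
             "clmgr solaris.cluster.quorum.modify" \
             "auditor solaris.cluster.node.read" \
             "jdoe solaris.cluster.gui"; do
    set -- $probe
    if has_auth "$1" "$2"; then echo "$1 holds $2"; else echo "$1 lacks $2"; fi
done
```

Two results are worth noting when auditing a real user_attr. A wildcard such as solaris.cluster.* grants the whole subtree, including every .modify authorization, so treat it as full cluster control rather than read access. And jdoe, who is only listed as able to assume clmgr, holds no cluster authorization at all until the role is assumed with its own password, which is exactly why the guide prefers roles over direct assignment.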

Creating and Assigning an RBAC Role With a Sun Cluster Management Rights Profile

To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user.

Table 2–1 Add Administrative Role Wizard: Dialog Boxes and Fields

Step 1: Enter a role name
    Role Name                    Short name of the role.
    Full Name                    Long version of the name.
    Description                  Description of the role.
    Role ID Number               UID for the role, automatically incremented.
    Role Shell                   The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell (pfcsh, pfsh, or pfksh).
    Create a role mailing list   Makes a mailing list for users who are assigned to this role.

Step 2: Enter a role password
    Role Password                ********
    Confirm Password             ********

Step 3: Select role rights
    Available Rights / Granted Rights
                                 Assigns or removes a role's rights profiles. The system does not prevent you from granting rights profiles that list the same command more than once. The attributes assigned to the first occurrence of a command among the granted profiles take precedence and all later occurrences are ignored, so the order of the profiles matters. Use the Up and Down arrows to change the order.

Step 4: Select a home directory
    Server                       Server for the home directory.
    Path                         Home directory path.

Step 5: Assign users to this role
    Add                          Adds users who can assume this role. Must be in the same scope.
    Delete                       Deletes users who are assigned to this role.

Procedure: How to Create a Role by Using the Administrative Roles Tool

Steps
  1. Start the Administrative Roles tool.

    To run the Administrative Roles tool, start the Solaris Management Console, as described in How to Assume a Role in the Solaris Management Console in System Administration Guide: Security Services. Then, open the User Tool Collection, and click the Administrative Roles icon.

  2. Start the Add Administrative Role wizard.

    Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.

  3. Set up a role to which the Cluster Management rights profile is assigned.

    Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until you have filled in all required fields. The last dialog box enables you to review the entered data, at which point you can go back to change entries or click Finish to save the new role. Table 2–1 summarizes the dialog boxes.


    Note –

    You need to place this profile first in the list of profiles that are assigned to the role.


  4. Add users who need to use the SunPlex Manager features or Sun Cluster commands to the newly created role.

    The Step 5 dialog box of the wizard assigns existing users to the role. From the command line, the useradd(1M) command adds a user account to the system; its -R option assigns a role to the new account, and usermod(1M) -R does the same for an existing account. (The -P option assigns rights profiles directly to the user, which is discouraged; see the note under Modifying a User's RBAC Properties.)

  5. Click Finish when you are done.

  6. Open a terminal window, become root, and stop and start the name service cache daemon.

    The new role does not take effect until the name service cache daemon is restarted. After becoming root, type as follows:


    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
    

Procedure: How to Create a Role From the Command Line

Steps
  1. Become superuser or assume a role that is capable of creating other roles.

  2. Select a method for creating a role:

    • For roles in the local scope, use the roleadd(1M) command to specify a new local role and its attributes.

    • Alternatively, for roles in the local scope, edit the user_attr(4) file to add a user with type=role.

      This method is recommended for emergencies only, as it is easy to make mistakes while you are typing.

    • For roles in a name service, use the smrole(1M) command to specify the new role and its attributes.

      This command requires authentication by superuser or a role that is capable of creating other roles. You can apply smrole to all name services. This command runs as a client of the Solaris Management Console server.

  3. Stop and start the name service cache daemon.

    New roles do not take effect until the name service cache daemon is restarted. As root, type as follows (on Solaris 10, where nscd is managed by SMF, use svcadm restart system/name-service-cache instead):


    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
    

Example 2–1 Creating a Custom Operator Role by Using the smrole Command

The following sequence demonstrates how a role is created with the smrole command. In this example, a new version of the Operator role is created that has assigned to it the standard Operator rights profile and the Media Restore rights profile.


% su primaryadmin 
# /usr/sadm/bin/smrole add -H myHost -- -c "Custom Operator" -n oper2 -a johnDoe \
-d /export/home/oper2 -F "Backup/Restore Operator" -p "Operator" -p "Media Restore"

Authenticating as user: primaryadmin

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::<type oper2 password>

# /etc/init.d/nscd stop
# /etc/init.d/nscd start

To view the newly created role (and any other roles), use smrole with the list option, as follows:


# /usr/sadm/bin/smrole list --
Authenticating as user: primaryadmin

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type  primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
root                    0               Super-User
primaryadmin            100             Most powerful role
sysadmin                101             Performs non-security admin tasks
oper2                   102             Custom Operator

Modifying a User's RBAC Properties

To modify a user's properties, you must either be running the User Tool Collection as root user or assume a role that has the Primary Administrator rights profile assigned to it.

Procedure: How to Modify a User's RBAC Properties by Using the User Accounts Tool

Steps
  1. Start the User Accounts tool.

    To run the User Accounts tool, you need to start the Solaris Management Console, as described in How to Assume a Role in the Solaris Management Console in System Administration Guide: Security Services. Then, open the User Tool Collection, and click the User Accounts icon.

    After the User Accounts tool starts, the icons for the existing user accounts are displayed in the view pane.

  2. Click the user account icon to be changed and select Properties from the Action menu (or simply double-click the user account icon).

  3. Click the appropriate tab in the dialog box for the property to be changed, as follows:

    • To change the roles that are assigned to the user, click the Roles tab and move the role to the appropriate column: Available Roles or Assigned Roles.

    • To change the rights profiles that are assigned to the user, click the Rights tab and move the rights profile to the appropriate column: Available Rights or Assigned Rights.


      Note –

      It is not good practice to assign rights profiles directly to users. The preferred approach is to require users to assume a role in order to run privileged applications: a rights profile assigned directly to a user is usable from any profile shell in that user's ordinary sessions without further authentication, whereas a role must be assumed with its own password. This strategy avoids the possibility of normal users abusing privileges.


Procedure: How to Modify a User's RBAC Properties From the Command Line

Steps
  1. Become superuser or assume a role that can modify user files.

  2. Use the appropriate command:

    • To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, use the usermod(1M) command.

    • Alternatively, to change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, edit the user_attr file.

      This method is recommended for emergencies only, as it is easy to make a mistake while you are typing.

    • To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in a name service, use the smuser(1M) command.

      This command requires authentication as superuser or as a role that is capable of changing user files. You can apply smuser to all name services. smuser runs as a client of the Solaris Management Console server.
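The two command-line procedures in this chapter, creating a role with the Cluster Management rights profile and assigning that role to a user, are short enough to script, and the result is easy to audit in user_attr(4). The following script is an added example, not code from the Sun Cluster guide or product: the role name clmgr, the user jdoe, the home directory path, and the sample user_attr lines are constructed assumptions. Run with the argument apply on a cluster node, it executes the roleadd(1M), passwd(1), usermod(1M) and nscd steps from the procedures; run with no arguments, it only audits the embedded sample, so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster guide: command-line role creation and
# user assignment, plus an audit of the resulting user_attr(4) entries.

ROLE=clmgr                    # hypothetical role name
USER_NAME=jdoe                # hypothetical existing user account
PROFILE='Cluster Management'

# Create the role with a profile shell, give it a password, let USER_NAME
# assume it, then restart nscd so the change takes effect. The cluster
# profile is listed before All so that its command attributes win (the
# first occurrence of a command among a role's profiles takes precedence).
apply_changes() {
    roleadd -m -d "/export/home/$ROLE" -s /bin/pfksh -P "$PROFILE,All" \
            -c "Cluster manager" "$ROLE"
    passwd "$ROLE"
    usermod -R "$ROLE" "$USER_NAME"
    /etc/init.d/nscd stop
    /etc/init.d/nscd start
}

# attr_value TEXT NAME KEY: print KEY's value from NAME's entry in TEXT, where
# TEXT is the contents of a user_attr(4) file (user:qualifier:res1:res2:attr).
attr_value() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2)
        }'
}

# role_ok TEXT ROLE PROFILE: 0 if ROLE is type=role and PROFILE is the first
# profile in its list, as the guide requires for the cluster profile.
role_ok() {
    [ "$(attr_value "$1" "$2" type)" = role ] || return 1
    [ "$(attr_value "$1" "$2" profiles | cut -d, -f1)" = "$3" ]
}

# user_has_role TEXT USER ROLE: 0 if USER is allowed to assume ROLE.
user_has_role() {
    attr_value "$1" "$2" roles | tr ',' '\n' | grep -qxF "$3"
}

# direct_profiles TEXT USER: print rights profiles assigned straight to USER,
# which the guide advises against because no role password guards them.
direct_profiles() {
    attr_value "$1" "$2" profiles
}

# Constructed sample user_attr(4) contents. To audit the live file on a
# node, pass "$(cat /etc/user_attr)" to the functions instead.
SAMPLE='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
clmgr::::type=role;profiles=Cluster Management,All
badrole::::type=role;profiles=All,Cluster Management
jdoe::::type=normal;roles=clmgr
asmith::::type=normal;profiles=Cluster Management'

case "${1:-audit}" in
    apply) apply_changes ;;
    audit)
        for r in clmgr badrole; do
            if role_ok "$SAMPLE" "$r" "$PROFILE"; then
                echo "$r: ok"
            else
                echo "$r: not a role, or $PROFILE is not its first profile"
            fi
        done
        for u in jdoe asmith; do
            if user_has_role "$SAMPLE" "$u" clmgr; then echo "$u may assume clmgr"; fi
            p=$(direct_profiles "$SAMPLE" "$u")
            if [ -n "$p" ]; then echo "$u has rights profiles assigned directly: $p"; fi
        done
        ;;
esac
```

In the sample, badrole carries the same two profiles as clmgr but in the wrong order, which the audit flags; asmith holds Cluster Management directly and so can run the cluster commands from a profile shell without ever entering a role password, which is the condition the note on direct assignment warns about.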