This chapter describes role-based access control (RBAC) in relation to Sun Cluster. Topics covered include:
Use the following table to determine the documentation to consult about setting up and using RBAC. Specific steps that you follow to set up and use RBAC with Sun Cluster software are provided later in this chapter.
Task |
Instructions |
---|---|
Learn more about RBAC |
Chapter 8, Using Roles and Privileges (Overview), in System Administration Guide: Security Services |
Set up, manage elements, and use RBAC | |
Learn more about RBAC elements and tools |
Chapter 10, Role-Based Access Control (Reference), in System Administration Guide: Security Services |
Sun Cluster Manager and selected Sun Cluster commands and options that you issue at the command line use RBAC for authorization. Sun Cluster commands and options that require RBAC authorization will require one or more of the following authorization levels. Sun Cluster RBAC rights profiles apply to both voting and non-voting nodes in a global cluster.
Authorization for list, show, and other read operations.
Authorization to change the state of a cluster object.
Authorization to change properties of a cluster object.
For more information about the RBAC authorization required by a Sun Cluster command, see the command man page.
RBAC rights profiles include one or more RBAC authorizations. You can assign these rights profiles to users or to roles to give them different levels of access to Sun Cluster. Sun provides the following rights profiles with Sun Cluster software.
The RBAC rights profiles listed in the following table continue to support the old RBAC authorizations as defined in previous Sun Cluster releases.
Use this task to create a new RBAC role with a Sun Cluster Management Rights Profile and to assign users to this new role.
To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user.
Start the Administrative Roles tool.
To run the Administrative Roles tool, start the Solaris Management Console, as described in How to Assume a Role in the Solaris Management Console in System Administration Guide: Security Services. Open the User Tool Collection and click the Administrative Roles icon.
Start the Add Administrative Role wizard.
Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.
Set up a role to which the Cluster Management rights profile is assigned.
Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until you have filled in all required fields. The last dialog box enables you to review the entered data, at which point you can use the Back button to change entries or click Finish to save the new role. The following list summarizes the dialog box fields and buttons.
Short name of the role.
Long version of the name.
Description of the role.
UID for the role, automatically incremented.
The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell.
Makes a mailing list for users who are assigned to this role.
Assigns or removes a role's rights profiles.
Note that the system does not prevent you from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile have precedence and all subsequent occurrences are ignored. Use the Up and Down arrows to change the order.
Server for the home directory.
Home directory path.
Adds users who can assume this role. Must be in the same scope.
Deletes users who are assigned to this role.
You need to place this profile first in the list of profiles that are assigned to the role.
Add users who need to use the Sun Cluster Manager features or Sun Cluster commands to the newly created role.
You use the useradd(1M) command to add a user account to the system. The -P option assigns a role to a user's account.
Click Finish.
Open a terminal window and become root.
Start and stop the name service cache daemon.
The new role does not take effect until the name service cache daemon is restarted. After becoming root, type the following text:
# /etc/init.d/nscd stop # /etc/init.d/nscd start |
Become superuser or assume a role that provides solaris.cluster.admin RBAC authorization.
Select a method for creating a role:
For roles in the local scope, use the roleadd(1M) command to specify a new local role and its attributes.
Alternatively, for roles in the local scope, edit the user_attr(4) file to add a user with type=role.
Use this method only for emergencies.
For roles in a name service, use the smrole(1M) command to specify the new role and its attributes.
This command requires authentication by superuser or a role that is capable of creating other roles. You can apply the smrole to all name services. This command runs as a client of the Solaris Management Console server.
Start and stop the name service cache daemon.
New roles do not take effect until the name service cache daemon is restarted. As root, type the following text:
# /etc/init.d/nscd stop # /etc/init.d/nscd start |
The following sequence demonstrates how a role is created with the smrole command. In this example, a new version of the Operator role is created that has assigned to it the standard Operator rights profile and the Media Restore rights profile.
% su primaryadmin # /usr/sadm/bin/smrole add -H myHost -- -c "Custom Operator" -n oper2 -a johnDoe \ -d /export/home/oper2 -F "Backup/Restore Operator" -p "Operator" -p "Media Restore" Authenticating as user: primaryadmin Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <type primaryadmin password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadmin was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password ::<type oper2 password> # /etc/init.d/nscd stop # /etc/init.d/nscd start |
To view the newly created role (and any other roles), use smrole with the list option, as follows:
# /usr/sadm/bin/smrole list -- Authenticating as user: primaryadmin Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <type primaryadmin password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadmin was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. root 0 Super-User primaryadmin 100 Most powerful role sysadmin 101 Performs non-security admin tasks oper2 102 Custom Operator |
You can modify a user's RBAC properties by using either the user accounts tool or the command line. To modify a user's RBAC properties, choose one of the following procedures.
How to Modify a User's RBAC Properties by Using the User Accounts Tool
How to Modify a User's RBAC Properties From the Command Line
To modify a user's properties, you must run the User Tool Collection as root user or assume a role that has the primary administrator rights profile assigned to it.
Start the User Accounts tool.
To run the user accounts tool, start the Solaris Management Console, as described in How to Assume a Role in the Solaris Management Console in System Administration Guide: Security Services. Open the User Tool Collection and click the User Accounts icon.
After the User Accounts tool starts, the icons for the existing user accounts are displayed in the view pane.
Click the User Account icon to be changed and select Properties from the Action menu (or double-click the user account icon).
Click the appropriate tab in the dialog box for the property to be changed, as follows:
To change the roles that are assigned to the user, click the Roles tab and move the role assignment to be changed to the appropriate column: Available Roles or Assigned Roles.
To change the rights profiles that are assigned to the user, click the Rights tab and move it to the appropriate column: Available Rights or Assigned Rights.
Avoid assigning rights profiles directly to users. The preferred approach is to require users to assume roles in order to perform privileged applications. This strategy discourages users from abusing privileges.
Become superuser or assume a role that provides solaris.cluster.modify RBAC authorization.
Choose the appropriate command:
To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, use the usermod(1M) command.
Alternatively, to change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, edit the user_attr file.
Use this method for emergencies only.
To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in a name service, use the smuser(1M) command.
This command requires authentication as superuser or as a role that is capable of changing user files. You can apply smuser to all name services. smuser runs as a client of the Solaris Management Console server.