Oracle VM Server for SPARC 2.1 Administration Guide
The vntsd daemon provides a Service Management Facility (SMF) property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.
Caution - Do not configure the vntsd service to use a host other than localhost. If you specify a host other than localhost, connections to guest domain consoles are no longer restricted to those made from the control domain. If you use the telnet command to remotely connect to a guest domain, the login credentials are passed as clear text over the network.
By default, an authorization to access all guest consoles is present in the local auth_attr database.
solaris.vntsd.consoles:::Access All LDoms Guest Consoles::
Use the usermod command to assign the required authorizations to other users or roles in local files. This permits only the user or role who has the required authorizations to access a given domain console or console group. To assign authorizations to other users or roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The following example gives user terry the authorization to access all domain consoles by updating local files:
# usermod -A "solaris.vntsd.consoles" terry
This procedure shows how to add a new authorization for a specific domain console and assign that authorization to a user by using local files. To manage authorizations and users in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
For more information about authorizations and RBAC, see System Administration Guide: Security Services.
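Add an authorization entry for the domain to the local auth_attr file:
solaris.vntsd.console-domain-name:::Access domain-name Guest Console::
Assign the new authorization to a user:
# usermod -A "solaris.vntsd.console-domain-name" username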
Example 3-2 Adding an Authorization for a Domain Console
The following example adds a new authorization for a specific domain console with the name ldg1 and assigns that authorization to user sam.
The following authorization entry is added to the local auth_attr file for domain ldg1:
solaris.vntsd.console-ldg1:::Access ldg1 Guest Console::
The following command assigns the new authorization to user sam:
# usermod -A "solaris.vntsd.console-ldg1" sam
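To review who ends up with console access after assignments like these, the following added example (not part of the Oracle guide) reads a user_attr-format file and lists the users whose direct authorizations cover a given domain console. It assumes that usermod -A records grants in the auths= key of /etc/user_attr and that RBAC wildcard entries such as solaris.* also match; the function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example. Lists users whose local user_attr entry directly grants
# access to one domain console. Grants inherited through profiles or
# roles, or held in a naming service, are not examined.

# Constructed sample in user_attr(4) format; terry and sam mirror the
# usermod commands on this page, pat and root are made up.
sample_user_attr() {
    cat <<'EOF'
# user:qualifier:res1:res2:attr
terry::::type=normal;auths=solaris.vntsd.consoles
sam::::type=normal;auths=solaris.vntsd.console-ldg1
pat::::type=normal;auths=solaris.admin.usermgr.read,solaris.vntsd.console-ldg2
root::::auths=solaris.*,solaris.grant;profiles=All
EOF
}

# console_users DOMAIN [FILE]   (FILE "-" reads standard input)
# Prints "user<TAB>authorization" for every grant that covers DOMAIN.
console_users() {
    awk -F: -v dom="$1" '
        /^#/ || NF < 5 { next }                 # comments, malformed lines
        {
            all = "solaris.vntsd.consoles"      # every guest console
            one = "solaris.vntsd.console-" dom  # this domain only
            n = split($5, kv, ";")              # attr field: key=value;...
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^auths=/) continue
                m = split(substr(kv[i], 7), auth, ",")
                for (j = 1; j <= m; j++) {
                    a = auth[j]
                    hit = (a == all || a == one)
                    if (!hit && a ~ /\.\*$/) {  # wildcard such as solaris.*
                        p = substr(a, 1, length(a) - 1)
                        hit = (index(all, p) == 1 || index(one, p) == 1)
                    }
                    if (hit) print $1 "\t" a
                }
            }
        }' "${2:-/etc/user_attr}"
}

# Demo on the constructed sample: who can reach the ldg1 console?
sample_user_attr | console_users ldg1 -
```

On a control domain, running console_users with only a domain name reads /etc/user_attr; the auths command remains the way to see a user's full effective authorizations, including those that come from profiles.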