Oracle VM Server for SPARC 2.1 Administration Guide
Creating Authorizations and Profiles and Assigning Roles to User Accounts
You can manage authorizations and profiles and assign roles to user accounts by using the role-based access control (RBAC) feature of the Oracle Solaris OS. For more information about RBAC, see System Administration Guide: Security Services.
Users, authorizations, profiles, and roles can be configured in the following ways:
Locally on the system by using files
Centrally in a naming service, such as LDAP
Installing the Logical Domains Manager adds the necessary authorizations and profiles to the local files. To configure users, authorizations, profiles, and roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Authorization for the Logical Domains Manager has two levels:
Read – Allows you to view but not modify the configuration
Read and write – Allows you to view and change the configuration
Following are the Logical Domains entries that are automatically added to the local Oracle Solaris OS /etc/security/auth_attr file:
solaris.ldoms.:::LDom administration::
solaris.ldoms.grant:::Delegate LDom configuration::
solaris.ldoms.read:::View LDom configuration::
solaris.ldoms.write:::Manage LDom configuration::
solaris.smf.manage.ldoms:::Manage Start/Stop LDoms::
The following procedures show how to manage user authorizations on the system by using local files. To manage user authorizations in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Use this procedure to assign authorizations to Logical Domains Manager users. This authorization assignment information is stored in the local /etc/security/auth_attr file.
Note - Superuser already has the solaris.* authorization, which includes the solaris.ldoms.* authorizations.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Assign the read authorization to a user.
# usermod -A solaris.ldoms.read username
Assign the read and write authorization to a user.
# usermod -A solaris.ldoms.write username
Note - Ensure that you include any existing authorizations for the user in the usermod -A command. The authorizations that you specify with this command replace any authorizations that have already been assigned to the user. See the usermod(1M) man page.
For the list of user authorizations that are required by the ldm subcommands, see Table 3-1.
To delete all authorizations that are assigned to a user, run usermod -A with an empty authorization list:
# usermod -A "" username
The following procedures show how to manage user profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The SUNWldm package adds two system-defined RBAC profiles to the local /etc/security/prof_attr file. The following profiles are used to authorize access to the Logical Domains Manager by unprivileged users:
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
The SUNWldm package also defines the following execution attribute that is associated with the LDoms Management profile:
LDoms Management:suser:cmd:::/usr/sbin/ldm:privs=file_dac_read,file_dac_search
Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services.
You can assign either the LDoms Review profile or the LDoms Management profile to a user account.
# usermod -P "profile-name" username
The following command assigns the LDoms Management profile to user sam:
# usermod -P "LDoms Management" sam
To delete all profiles that are assigned to a user, run usermod -P with an empty profile list:
# usermod -P "" username
The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role, yet has the password, from assuming that role.
Create the role and assign a profile to it.
# roleadd -P "profile-name" role-name
Set a password for the role. You will be prompted to specify and then verify a new password.
# passwd role-name
Create the user and assign the role to that user.
# useradd -R role-name username
Set a password for the user. You will be prompted to specify and then verify a new password.
# passwd username
Become the user, then verify the user's identity and the roles that the user can assume.
# su username
$ id
uid=nn(username) gid=nn(group-name)
$ roles
role-name
Assume the role and verify the new identity.
$ su role-name
$ id
uid=nn(role-name) gid=nn(group-name)
Example 3-1 Creating a Role and Assigning the Role to a User
This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.
# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password: ldm_read-password
Re-enter new Password: ldm_read-password
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password: user_1-password
Re-enter new Password: user_1-password
passwd: password successfully changed for user_1
# su user_1
Password: user_1-password
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password: ldm_read-password
$ id
uid=99667(ldm_read) gid=14(sysadmin)
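The procedures in this section grant Logical Domains authorizations in three ways: directly with usermod -A, through a profile with usermod -P, and through a role that the user must assume with su. The script below is an added example and is not part of the Oracle guide. It resolves which solaris.ldoms.* authorizations an account effectively holds from entries in user_attr and prof_attr format, honours the solaris.ldoms.* wildcard that the LDoms Management profile grants, deliberately leaves roles= entries unexpanded (a role's authorizations apply only after the user assumes it), and builds a usermod -A argument that keeps the user's existing authorizations, which addresses the note above that -A replaces the list. The database entries, the accounts sam, pat, user_1 and ldm_read, and the function names are constructed for this example; the script reads the entries from shell variables rather than from /etc/user_attr and /etc/security/prof_attr so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): resolve a user's effective Logical
# Domains authorizations from RBAC database entries in user_attr(4) and
# prof_attr(4) format, and build a safe argument for `usermod -A`.
# All data below is constructed sample data, not copied from a real system.

# user_attr format: user:qualifier:res1:res2:attr  (attr is key=value;key=value)
USER_ATTR='root::::auths=solaris.*;profiles=All
sam::::profiles=LDoms Management
pat::::auths=solaris.ldoms.read,solaris.smf.manage.ldoms
ldm_read::::type=role;profiles=LDoms Review
user_1::::type=normal;roles=ldm_read'

# prof_attr format: profname:res1:res2:desc:attr (the two profiles that the
# SUNWldm package installs, as listed in the guide)
PROF_ATTR='LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*'

# Print the value of KEY (auths, profiles, roles, type) from USER's attr field.
user_attr_value() {   # $1=user  $2=key
    printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" -v k="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == k) print p[2]
            }
        }'
}

# Print the authorizations granted by one profile, one per line.
profile_auths() {   # $1=profile name
    printf '%s\n' "$PROF_ATTR" | awk -F: -v pr="$1" '
        $1 == pr {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == "auths") { gsub(",", "\n", p[2]); print p[2] }
            }
        }'
}

# Authorizations in effect for USER: direct auths= plus the auths of every
# profile in profiles=. Roles listed in roles= are deliberately NOT expanded:
# their authorizations apply only after the user assumes the role with su.
effective_auths() {   # $1=user
    {
        user_attr_value "$1" auths | tr ',' '\n'
        user_attr_value "$1" profiles | tr ',' '\n' | while IFS= read -r pr; do
            [ -n "$pr" ] && profile_auths "$pr"
        done
    } | grep -v '^$' | sort -u
}

# Does HELD (possibly a wildcard such as solaris.ldoms.*) cover WANTED?
auth_matches() {   # $1=held  $2=wanted
    case "$1" in
        *.\*) prefix=${1%\*}; rest=${2#"$prefix"}; [ "$rest" != "$2" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Exit status 0 if USER effectively holds AUTH, 1 otherwise.
has_auth() {   # $1=user  $2=authorization
    for held in $(effective_auths "$1"); do
        auth_matches "$held" "$2" && return 0
    done
    return 1
}

# Argument for `usermod -A` that keeps USER's existing direct authorizations
# and adds NEW_AUTH once. -A replaces the whole list, so skipping this step
# silently drops every authorization the user already had.
merged_auths() {   # $1=user  $2=new authorization
    existing=$(user_attr_value "$1" auths)
    case ",$existing," in
        ",,")     printf '%s\n' "$2" ;;                 # nothing assigned yet
        *",$2,"*) printf '%s\n' "$existing" ;;          # already present
        *)        printf '%s,%s\n' "$existing" "$2" ;;
    esac
}

# Demo run over the constructed data.
for u in sam pat user_1 ldm_read; do
    has_auth "$u" solaris.ldoms.read  && r=yes || r=no
    has_auth "$u" solaris.ldoms.write && w=yes || w=no
    printf '%-9s read=%s write=%s roles=%s\n' "$u" "$r" "$w" "$(user_attr_value "$u" roles)"
done
printf 'usermod -A "%s" pat\n' "$(merged_auths pat solaris.ldoms.write)"
```

In the sample data, sam gets both read and write through the LDoms Management profile's solaris.ldoms.* wildcard, pat has only read directly, and user_1 holds nothing until ldm_read is assumed with su, which is exactly the separation the role procedure relies on. On a live system, auths(1) and roles(1) answer the same questions for the current login; the script is useful for auditing arbitrary accounts from copies of the databases and for previewing the -A argument before it replaces the existing list.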