Volume Access Control
When enabled, the volumes that are owned by a specific user are accessible only to that user or to trusted other users.
The first time you configure ACSLS for volume access control follow these steps:
- Enable
volume access
control in ACSLS. - Associate a client application with a user name.
- Define which other users may have access to the user's volumes.
- Establish ownership of the volumes.
Enabling Volume Access Control
To enable volume access
control in ACSLS:
- Run the configuration utility,
acsss_config
.The main menu displays.
- Select Option 4 - Set Access Control Variables.
Each variable is listed one at a time, and its current setting is displayed.
- Click Enter to accept the current or default setting.
- Select
[TRUE]
and click Enter when the utility displays the message:Access control is active for volumes
- Select one of the following when the utility displays the message:
Default access for volumes [ACCESS/NOACCESS]
-
Select [
ACCESS]
if your goal is to disallow access to specific users and allow access to all others.This requires specific users to be listed in a
users.ALL.disallow
file or a specific users.COMMAND.disallow file. See Defining other users that are allowed access to the user's volumes. -
Select [
NOACCESS
] if your goal is to allow access to specific users and disallow access to all others.This requires specific users to be listed in a users.ALL.allow file or a specific
users.COMMAND.allow
file. See Defining other users that are allowed access to the user's volumes.If you want to log instances where access to volumes is denied, select [TRUE] in response to that prompt.
Whenever enabling or disabling volume access, you must restart ACSLS for the change to take effect.
-
Associating a Client Identity with a User Name
Not all client applications pass a user ID with its ACSLS request packets. In cases where the client is not identified by a user name, you can assign a user ID.
- Go to the access_control configuration directory:
$ACS_HOME/data/external/access_control
- Create a file by the name internet.addresses or copy
theinternet.addresses.SAMPLE
file. - In this file, create a record for each client. Each record contains at least two fields: the client IP address followed by a corresponding user name. You can include additional fields for comments.
Separate the fields with spaces or tabs, as shown in the following example:
192.0.2.1 ulyssis payroll department
You can create as many client-user associations as you have client applications.- Where client applications pass the user name with the ACSLS request, the internet.addresses file authenticates the user name with the designated IP address and denies access where both fields do not agree with the values in the request packet. Where multiple clients are hosted from a common platform, the same IP address may be included multiple times in this file, and this address can be associated with as many user names as are rightly applied to that IP address.
- Where client applications do not pass the user name with the request, the internet.addresses file establishes a user name for that client. In this case, only one user name may be associated with any client I address.
- Save any updates to the
internet.addresses
file:- Run
acsss_config
. - Select Option 6 - "Rebuild Access Control Information".
ACSLS dynamically recognizes the change.
or SNA and OSLAN clients that do not use TCP/IP, refer to the
lu62.names
oradi.names
file in theaccess_control
directory. - Run
Defining other users that are allowed access to the user's volumes
To grant other users access to a users' owned volumes:
Establishing Ownership of Your Volumes
Volume access control applies only to volumes that have explicit ownership. Unowned volumes in the library are accessible to any user. To explicitly set volume ownership use the cmd_proc interface:
ACSSA>set owner "daffy" volume V00100-V00199 Set: owner set for volumes V00100-V00199 Set: Set completed, Success.
You can remove ownership in a similar fashion by using an empty string:
ACSSA> set owner "" volume V00100-V00199 Set: owner set for volumes V00100-V00199
This operation clears the ownership from all of the volumes in the range. For more information, see set owner.
Volume ownership can be set automatically by the watch_vols utility. For more information, see watch_vols.
Ownership policies
A policy for setting and removing ownership automatically can also be defined in ACSLS. For example, you can set a policy in which any scratch volume that is mounted becomes owned by the user who mounted it. Thereafter, the volume is owned by that user. The same policy could be enhanced to remove ownership whenever the volume is returned to scratch status. A policy could be written such that all entered volumes are assigned to a default user, or to the user who requested the enter, or if the volume was previously owned, to its prior owner. Considerable flexibility is offered with this feature.
Ownership policies are defined in the ownership.assignments
file which resides in the access_control directory. You can set a policy in this file to assign or to un-assign ownership automatically with each enter or automatic enter, set scratch
, or mount scratch
operation. The ownership.assignments
file allows you to define a default owner. Whenever a volume encounters any of these operations, its ownership can be assigned to:
-
Owner_default
(the default owner) -
Same (the previous owner)
-
Requestor (the user issuing the current request)
-
Unowned (retract ownership from the volume)
Note:
Instructions for defining ownership policies are described in detail in theownership.assignments
file. This file includes a complete list of commands that can be used to set volume ownership. -
Save any updates to the policies you define:
-
Run
acsss_config
-
Select Option 6 - Rebuild Access Control Information.
ACSLS dynamically recognizes the change.
-
Volume Access Summary
The following commands are supported by Volume Access Control:
dismount* display eject enter lock set_clean set_scratch mount query_mount query_scratch query_volume unlock
Access control does not apply to dismount force
since the force option instructs StorageTek ACSLS to ignore the volume ID and to dismount to volume unconditionally, unless it is in STATUS_DRIVE_RESERVED
state.
The following table summarizes the contexts that apply when volume access control
is enabled.
Table 6-1 Volume Access is Enabled - ACCESS
Default access for volumes is ACCESS | Access Allowed | Access Denied |
---|---|---|
Access is through |
X |
- |
The specified volume is unowned |
X |
- |
The user is the owner of the volume |
X |
- |
The user is associated with the owner in |
- |
X |
If the user is not associated with the owner in |
X |
- |
Table 6-2 Volume Access is Enabled - NOACCESS
Default access for volumes is NOACCESS | Access Allowed | Access Denied |
---|---|---|
Access is through |
X |
- |
The specified volume is unowned |
X |
- |
The user is the owner of the volume |
X |
- |
The user is associated with the owner in |
X |
- |
If the user is not associated with the owner in |
- |
X |