如何给root以外的账户授予cmviewcl权限

Question

如何给root以外的账户授予cmviewcl,cmruncl,cmhaltcl集群相关权限和shutdown关机权限,

Answer 1

sudo也可以吧

Answer 2

楼上正解，虽然这样需求的人不多，但值班监控的人确实需要。

Answer 3

关于关机权限
查看/etc/shutdown.allow

/etc/shutdown.allow

Authorization file.

The file contains lines that consist of a system host name and the login name of a user who is authorized to reboot or halt the system. A superuser's login name must be included in this file in order to execute shutdown. However, if the file is missing or of zero length, the root user can run the shutdown program to bring the system down.

This file does not affect authorization to bring the system down to single-user state for maintenance purposes; that operation is permitted only when invoked by a superuser.

A comment character, #, at the beginning of a line causes the rest of the line to be ignored (comments cannot span multiple lines without additional comment characters). Blank lines are also ignored.

The wildcard character + can be used in place of a host name or a user name to specify all hosts or all users, respectively (see hosts.equiv(4)).

For example:

# user1 can shut down systemA and systemB
systemA user1
systemB user1
# root can shut down any system
+ root
# Any user can shut down systemC
systemC  +

Answer 4

本帖最后由 hp-ux民工 于 2010-08-18 15:04 编辑

集群配置文件里面有相关设置

# Access Control Policy Parameters.
#
# Three entries set the access control policy for the cluster:
# First line must be USER_NAME, second USER_HOST, and third USER_ROLE.
# Enter a value after each.
#
# 1. USER_NAME can either be ANY_USER, or a maximum of
#    8 login names from the /etc/passwd file on user host.
#    The following special characters are NOT supported for USER_NAME
#    ' ', '/', '', '*'
# 2. USER_HOST is where the user can issue Serviceguard commands.
#    If using Serviceguard Manager, it is the COM server.
#    Choose one of these three values: ANY_SERVICEGUARD_NODE, or
#    (any) CLUSTER_MEMBER_NODE, or a specific node. For node,
#    use the official hostname from domain name server, and not
#    an IP addresses or fully qualified name.
# 3. USER_ROLE must be one of these three values:
#    * MONITOR: read-only capabilities for the cluster and packages
#    * PACKAGE_ADMIN: MONITOR, plus administrative commands for packages
#      in the cluster
#    * FULL_ADMIN: MONITOR and PACKAGE_ADMIN plus the administrative
#      commands for the cluster.
#
# Access control policy does not set a role for configuration
# capability. To configure, a user must log on to one of the
# cluster's nodes as root (UID=0). Access control
# policy cannot limit root users' access.
#
# MONITOR and FULL_ADMIN can only be set in the cluster configuration file,
# and they apply to the entire cluster. PACKAGE_ADMIN can be set in the  
# cluster or a package configuration file. If set in the cluster
# configuration file, PACKAGE_ADMIN applies to all configured packages.
# If set in a package configuration file, PACKAGE_ADMIN applies to that
# package only.
#
# MONITOR is set by default in a new cluster configuration as of Serviceguard
# release A.11.19.00.  This is to support cluster discovery from other HP
# Administration products such as Systems Insight Manager (HP SIM) and
# Distributed Systems Administration (DSAU) tools. Removing MONITOR is allowed
# as an online configuration change within Serviceguard.  However removing MONITOR
# will break cluster management for HP SIM and HP VSE products
#
# Conflicting or redundant policies will cause an error while applying
# the configuration, and stop the process. The maximum number of access
# policies that can be configured in the cluster is 200.
#
# Example: to configure a role for user john from node noir to
# administer a cluster and all its packages, enter:
# USER_NAME  john
# USER_HOST  noir
# USER_ROLE  FULL_ADMIN

USER_NAME        ANY_USER
USER_HOST        ANY_SERVICEGUARD_NODE
USER_ROLE        MONITOR