Here is an example of a policy table in a hierarchical cluster. You do not have to add anything to the defaults configured by xCAT for it to work.
#priority,name,host,commands,noderange,parameters,time,rule,comments,disable
"1","root",,,,,,"allow",,
"1.2","manage-02",,,,,,"trusted",,
"2",,,"getbmcconfig",,,,"allow",,
"2.3",,,"lsxcatd",,,,"allow",,
"3",,,"nextdestiny",,,,"allow",,
"4",,,"getdestiny",,,,"allow",,
"4.4",,,"getpostscript",,,,"allow",,
"4.5",,,"getcredentials",,,,"allow",,
"4.6",,,"syncfiles",,,,"allow",,
"4.7",,,"litefile",,,,"allow",,
"4.8",,,"litetree",,,,"allow",,
"2.1",,,"remoteimmsetup",,,,"allow",,

Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102

From: Lissa Valletta/Poughkeepsie/IBM@IBMUS
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>,
Cc: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Date: 01/13/2014 08:19 AM
Subject: Re: [xcat-user] Policy table question

Make sure the credential on the service node and manage node has master.local in it. Also look on the service node at the file /etc/xcat/cert/server-cred.pem for the line Subject: CN=manage-02; make sure it says master.local. It should be the same as /etc/xcat/cert/server-cred.pem on the management node. If it is not, run updatenode <servicenode> -K to update the credentials on the service nodes from the MN.

Another problem could be that the domain does not match what is in site.domain.

What database are you running? Make sure your service node is configured correctly. Run lsxcatd -a on the Service Node and check that it is picking up the policy table from the database on the Management Node.

Monitoring the commands in syslog on the management node, as Xiao Peng suggests, you should see the error from xcatd why the command is rejected.

Also take these out, there is no need to add the service nodes.

"5.1",,"master.local",,,,,"allow",,
"6.1","root","master.local",,,,,"allow",,
"6.2","root","servicefarm01",,,,,"allow",,
"6.3","root","servicefarm02",,,,,"allow",,
"6.4","root","servicefarm03",,,,,"allow",,

You should only need the following:

"1","root",,,,,,"allow",,
"1.2","master.local",,,,,,"trusted",,

Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102

From: Xiao Peng Wang <w...@cn.ibm.com>
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>,
Cc: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Date: 01/12/2014 08:54 PM
Subject: Re: [xcat-user] Policy table question

What I can think of is the user/certificates/permission things are not correct on your service node. Try to run 'rpower' or 'lsdef' on service node directly and check the syslog to see the xCAT log like this 'xCAT: Allowing lsdef for <root> from xxx' to get the current user.

Thanks
Best Regards
----------------------------------------------------------------------
Wang Xiaopeng (王晓朋)
IBM China System Technology Laboratory
Tel: 86-10-82453455
Email: w...@cn.ibm.com
Address: 28,ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road, Haidian District
Beijing P.R.China 100193

From: Russell Jones <russell-l...@jonesmail.me>
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>,
Date: 2014/01/11 04:34
Subject: [xcat-user] Policy table question

Hi all,

What are the default policy attributes service nodes should have in the policy table for xCAT 2.8+?

Unless I specifically add, for example, "rpower" to the below list, I get a "permission denied" when a compute node is configured to a service node. If the compute node is not configured to use a service node, it works fine. This doesn't seem right given that I have granted the root user full access.

Any ideas what's going on? Table is below.

Thanks!

#priority,name,host,commands,noderange,parameters,time,rule,comments,disable
"1","root",,,,,,"allow",,
"1.2","master.local",,,,,,"trusted",,
"2",,,"getbmcconfig",,,,"allow",,
"2.1",,,"remoteimmsetup",,,,"allow",,
"2.3",,,"lsxcatd",,,,"allow",,
"3",,,"nextdestiny",,,,"allow",,
"4",,,"getdestiny",,,,"allow",,
"4.1",,,"rpower",,,,"allow",,
"4.2",,,"makedhcp",,,,"allow",,
"4.3",,,"nodeset",,,,"allow",,
"4.4",,,"getpostscript",,,,"allow",,
"4.5",,,"getcredentials",,,,"allow",,
"4.6",,,"syncfiles",,,,"allow",,
"4.7",,,"litefile",,,,"allow",,
"4.8",,,"litetree",,,,"allow",,
"5.1",,"master.local",,,,,"allow",,
"6.1","root","master.local",,,,,"allow",,
"6.2","root","servicefarm01",,,,,"allow",,
"6.3","root","servicefarm02",,,,,"allow",,
"6.4","root","servicefarm03",,,,,"allow",,

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
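The advice in the thread to drop the per-host root rules can be checked mechanically. This added example, which is not from the thread or from xCAT, flags rules already covered by an earlier rule with the same effect, and allow rules scoped to neither a user nor a command. It assumes rules are evaluated in ascending numeric priority with the first match deciding, that an empty field matches anything, and that fields compare as exact strings; the function names are hypothetical and SAMPLE is an excerpt of the table in the original question.

```python
import csv

FIELDS = ["priority", "name", "host", "commands", "noderange",
          "parameters", "time", "rule", "comments", "disable"]
SELECTORS = FIELDS[1:7]  # name .. time; an empty selector is treated as a wildcard

# Constructed sample: excerpt of the policy table posted in the original question.
SAMPLE = '''\
#priority,name,host,commands,noderange,parameters,time,rule,comments,disable
"1","root",,,,,,"allow",,
"1.2","master.local",,,,,,"trusted",,
"4.1",,,"rpower",,,,"allow",,
"5.1",,"master.local",,,,,"allow",,
"6.1","root","master.local",,,,,"allow",,
"6.2","root","servicefarm01",,,,,"allow",,
"6.3","root","servicefarm02",,,,,"allow",,
"6.4","root","servicefarm03",,,,,"allow",,
'''

def parse_policy(text):
    """Return enabled rules sorted by numeric priority; '#' lines are skipped."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    pad = [""] * len(FIELDS)  # tolerate rows with trailing fields missing
    rows = [dict(zip(FIELDS, row + pad)) for row in csv.reader(lines)]
    rows = [r for r in rows if r["disable"].strip().lower() not in ("1", "yes")]
    return sorted(rows, key=lambda r: float(r["priority"]))

def covers(earlier, later):
    """True if every selector set in `earlier` has the same value in `later`."""
    return all(not earlier[f] or earlier[f] == later[f] for f in SELECTORS)

def shadowed(rules):
    """Map a rule's priority to the earlier, broader rule with the same effect."""
    found = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["rule"] == rule["rule"] and covers(earlier, rule):
                found[rule["priority"]] = earlier["priority"]
                break
    return found

def unscoped_allows(rules):
    """Priorities of allow rules that restrict neither user name nor command."""
    return [r["priority"] for r in rules
            if r["rule"] == "allow" and not r["name"] and not r["commands"]]

if __name__ == "__main__":
    rules = parse_policy(SAMPLE)
    print("shadowed:", shadowed(rules))
    print("allow without name or command:", unscoped_allows(rules))
```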