Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1010444.1
Update Date:2011-02-04
Keywords:
Solution Type  Technical Instruction Sure

Solution  1010444.1 :   Sun Fire 12K/15K/E20K/E25K Server: ACL usage and common error messages  

Related Items 
    

  • Sun Fire 12K Server
    •  
  • Sun Fire 15K Server
    •  
Related Categories 
    

  • GCS>Sun Microsystems>Servers>High-End Servers
    •  

PreviouslyPublishedAs
214352 




Applies to: 
 
Sun Fire 12K Server
Sun Fire 15K Server
Sun SPARC Sun OS



Goal

This document describes the usage and purpose of domain access control lists
(ACLs) on a Sun Fire[TM] 12K/15K/E25K/E20K Server and lists common error messages.

Solution

ACL usage and error messages

One of the tasks when setting up a Sun Fire 12K/15K/E20K/E25K Server is to assign boards to each domain's ACL, or access control list.
The purpose of these ACLs is to limit the domain administrator(s) ability to assign and unassign boards to a given domain.

A sample ACL list for a system with five system boards and five IO boards is shown below.

Available Component List for Domains:
=====================================
Available Component List for domain  mc15k-da:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  mc15k-db:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  C:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  D:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  E:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  F:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  G:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  H:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  I:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  J:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  K:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  L:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  M:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  N:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  O:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  P:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  Q:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  R:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17

Note that in this case any of the system boards or IO boards can be assigned to any domain.

In our test version, the altered ACL for domains A and B look like this:

Available Component List for Domains:
=====================================
Available Component List for domain  mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17

Note that domain B has SB2 in its ACL but Domain A does not; neither domain has SB16 in its ACL.

If we become the domain admin for Domains A and B and attempt to addboard, we'll see the error below:




# addboard -d a sb16
ERROR: Invalid privileges for the requested function.
The domain admin cannot add a board for which the ACL is not present.

Now since my domain admin account has access to domain A and B, let's move a board from B to A where it is in B's ACL but not A's:




# showboards
Retrieving board information. Please wait.
.....
Location    Pwr    Type of Board   Board Status  Test Status   Domain
--------    ---    -------------   ------------  -----------   ------
SB0      On      CPU                       Active              Passed            mc15k-da
SB1              On      CPU                       Active             Passed             mc15k-da
SB2              Off    CPU                       Assigned          Unknown     mc15k-db
SB15     On  CPU                       Assigned         Unknown           mc15k-db
SB17             -   Empty Slot    Available            -                  Isolated
IO0              On      HPCI                     Active              Passed             mc15k-da
IO1              On      HPCI                     Active              Passed             mc15k-da
IO2              Off    HPCI          Available    Unknown           Isolated
IO15            On      HPCI                    Assigned          Unknown     mc15k-db
IO16            Off    HPCI                     Assigned          Unknown     mc15k-da
IO17             -       Empty Slot         Available    -                   Isolated

# moveboard -d a sb2
You don't have the required privileges to perform the "-c assign" function on domain: A.
You must either have platadmn privileges, or the board must be in this domains ACL.
Do you want to go as far as your privileges allow?
(remove the board from the domain it is currently assigned to)
(yes/no)? yes
SB2 unassigned from domain: B

# showboards
Retrieving board information. Please wait.
..
Location    Pwr    Type of Board   Board Status  Test Status   Domain
--------    ---    -------------   ------------  -----------   ------
SB0             On      CPU                       Active              Passed             mc15k-da
SB1              On      CPU                       Active              Passed             mc15k-da
SB2              Off    CPU                       Available       Unknown           Isolated
SB15            On      CPU                       Assigned         Unknown           mc15k-db
SB17             -       Empty Slot        Available            -                   Isolated
IO0              On      HPCI                    Active              Passed            mc15k-da
IO1              On      HPCI                     Active              Passed            mc15k-da
IO2              Off    HPCI          Available        Unknown          Isolated
IO15            On      HPCI                     Assigned          Unknown           mc15k-db
IO16            Off    HPCI                    Assigned         Unknown     mc15k-da
IO17             -       Empty Slot    Available            -                  Isolated

Now SB2 belongs to neither domain, although it is still in B's ACL.

Available Component List for Domains:
=====================================
Available Component List for domain  mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain  mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17

Also, as implied by the messages above, the platform admin is NOT bound by the ACLs, and can add, delete, and move boards at will (subject to Solaris[TM] cooperating, and the HW being good for POST).

In summary, the ACLs on the Sun Fire 12K/15K/E20K/E25K Server are for limiting domain administrators from taking boards away from other domains and would be used in a situation where multiple administrators share responsibility for domains on a Sun Fire 12K/15K/E20K/E25K Server. The ACLs are not updated by the add/delete/move board commands, nor is the user sms-svc (or any platform admin user) prohibited from making board changes on the platform by ACLs.


Product
Sun Fire 15K Server
Sun Fire 12K Server
Sun Fire E20K Server
Sun Fire E25K Server



 Internal Section



 12K, 15K, E20K, E25K, ACL, domain, addboard, moveboard, deleteboard, cfgadm, showplatform, setupplatform


 Previously Published As 70834



Attachments

This solution has no attachment


















       

Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.

 Feedback