Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1010444.1
Update Date:2011-02-04

Solution Type  Technical Instruction Sure

Solution  1010444.1 :   Sun Fire 12K/15K/E20K/E25K Server: ACL usage and common error messages  


Related Items
  • Sun Fire 12K Server
  • Sun Fire 15K Server
Related Categories
  • GCS>Sun Microsystems>Servers>High-End Servers

Previously Published As
214352


Applies to:

Sun Fire 12K Server
Sun Fire 15K Server
Sun SPARC Sun OS

Goal

This document describes the usage and purpose of domain access control lists
(ACLs) on a Sun Fire[TM] 12K/15K/E25K/E20K Server and lists common error messages.

Solution

ACL usage and error messages

One of the tasks when setting up a Sun Fire 12K/15K/E20K/E25K Server is to assign boards to each domain's ACL, or access control list.
The purpose of these ACLs is to limit the domain administrators' ability to assign and unassign boards to a given domain.

A sample ACL listing for a system with five system boards and five IO boards is shown below.

Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain C:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain D:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain E:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain F:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain G:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain H:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain I:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain J:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain K:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain L:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain M:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain N:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain O:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain P:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain Q:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain R:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17

Note that in this case any of the system boards or IO boards can be assigned to any domain.

In our test version, the altered ACLs for domains A and B look like this:

Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17

Note that domain B has SB2 in its ACL but domain A does not; neither domain has SB16 in its ACL.

If we become the domain admin for domains A and B and attempt to run addboard for SB16, we'll see the error below:

# addboard -d a sb16
ERROR: Invalid privileges for the requested function.

The domain admin cannot add a board that is not present in the domain's ACL.

Since my domain admin account has access to both domains A and B, let's try to move a board (SB2) from B to A, where the board is in B's ACL but not in A's:

# showboards
Retrieving board information. Please wait.
.....
Location Pwr Type of Board Board Status Test Status Domain
-------- --- ------------- ------------ ----------- ------
SB0      On  CPU           Active       Passed      mc15k-da
SB1      On  CPU           Active       Passed      mc15k-da
SB2      Off CPU           Assigned     Unknown     mc15k-db
SB15     On  CPU           Assigned     Unknown     mc15k-db
SB17     -   Empty Slot    Available    -           Isolated
IO0      On  HPCI          Active       Passed      mc15k-da
IO1      On  HPCI          Active       Passed      mc15k-da
IO2      Off HPCI          Available    Unknown     Isolated
IO15     On  HPCI          Assigned     Unknown     mc15k-db
IO16     Off HPCI          Assigned     Unknown     mc15k-da
IO17     -   Empty Slot    Available    -           Isolated

# moveboard -d a sb2
You don't have the required privileges to perform the "-c assign" function on domain: A.
You must either have platadmn privileges, or the board must be in this domains ACL.
Do you want to go as far as your privileges allow?
(remove the board from the domain it is currently assigned to)
(yes/no)? yes
SB2 unassigned from domain: B

# showboards
Retrieving board information. Please wait.
..
Location Pwr Type of Board Board Status Test Status Domain
-------- --- ------------- ------------ ----------- ------
SB0      On  CPU           Active       Passed      mc15k-da
SB1      On  CPU           Active       Passed      mc15k-da
SB2      Off CPU           Available    Unknown     Isolated
SB15     On  CPU           Assigned     Unknown     mc15k-db
SB17     -   Empty Slot    Available    -           Isolated
IO0      On  HPCI          Active       Passed      mc15k-da
IO1      On  HPCI          Active       Passed      mc15k-da
IO2      Off HPCI          Available    Unknown     Isolated
IO15     On  HPCI          Assigned     Unknown     mc15k-db
IO16     Off HPCI          Assigned     Unknown     mc15k-da
IO17     -   Empty Slot    Available    -           Isolated

Now SB2 belongs to neither domain, although it is still in B's ACL.

Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17

Also, as implied by the messages above, the platform admin is NOT bound by the ACLs and can add, delete, and move boards at will (subject to Solaris[TM] cooperating and the hardware being good enough to pass POST).

In summary, the ACLs on the Sun Fire 12K/15K/E20K/E25K Server are for limiting domain administrators from taking boards away from other domains, and would be used where multiple administrators share responsibility for domains on the same server. The ACLs are not updated by the add/delete/move board commands, nor do the ACLs prohibit the user sms-svc (or any platform admin user) from making board changes on the platform.
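
Added example (not part of the original Sun document): because the ACLs are not updated by board commands and do not bind platform admins, a board can be assigned to a domain whose ACL does not list it, a state a domain admin could not have created with addboard under the current ACL. The shell function below, audit_acl (a hypothetical name), cross-checks an ACL listing against showboards output and reports such boards; it assumes both outputs were saved to files in the format shown above, and the sample input is constructed from the article's own listings.

```shell
# Constructed sample input: the altered ACLs and the first showboards table from the article.
acl_sample() { cat <<'EOF'
Available Component List for Domains:
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17
EOF
}
boards_sample() { cat <<'EOF'
Location Pwr Type of Board Board Status Test Status Domain
-------- --- ------------- ------------ ----------- ------
SB0      On  CPU           Active       Passed      mc15k-da
SB1      On  CPU           Active       Passed      mc15k-da
SB2      Off CPU           Assigned     Unknown     mc15k-db
SB15     On  CPU           Assigned     Unknown     mc15k-db
SB17     -   Empty Slot    Available    -           Isolated
IO0      On  HPCI          Active       Passed      mc15k-da
IO1      On  HPCI          Active       Passed      mc15k-da
IO2      Off HPCI          Available    Unknown     Isolated
IO15     On  HPCI          Assigned     Unknown     mc15k-db
IO16     Off HPCI          Assigned     Unknown     mc15k-da
IO17     -   Empty Slot    Available    -           Isolated
EOF
}
# audit_acl ACL_FILE BOARDS_FILE: print "BOARD DOMAIN" for every board that is
# assigned to or active in a domain whose ACL does not list it.
audit_acl() {
  awk '
    FILENAME == ARGV[1] {   # first file: build the (domain, board) ACL set
      if ($0 ~ /^Available Component List for domain /) { dom = $NF; sub(/:$/, "", dom) }
      else if (dom != "") for (i = 1; i <= NF; i++) if ($i ~ /^(SB|IO)[0-9]+$/) acl[dom, $i] = 1
      next
    }
    $1 ~ /^(SB|IO)[0-9]+$/ && $NF != "Isolated" {   # second file: showboards rows
      b = $1; d = $NF
      if (!((d, b) in acl)) print b, d
    }
  ' "$1" "$2"
}
run_demo() {
  tmp=$(mktemp -d) || return 1
  acl_sample > "$tmp/acl"; boards_sample > "$tmp/boards"
  audit_acl "$tmp/acl" "$tmp/boards"
  rm -rf "$tmp"
}
run_demo
```

On the sample data this reports SB15 and IO15, both assigned to mc15k-db without appearing in that domain's ACL.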


Product
Sun Fire 15K Server
Sun Fire 12K Server
Sun Fire E20K Server
Sun Fire E25K Server


Internal Section

12K, 15K, E20K, E25K, ACL, domain, addboard, moveboard, deleteboard, cfgadm, showplatform, setupplatform
Previously Published As 70834

  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.