Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1010444.1
Update Date:2012-07-30
Keywords:
Solution Type  Technical Instruction Sure

Solution  1010444.1 :   Sun Fire 12K/15K/E20K/E25K Server: ACL usage and common error messages  

Related Items 
    

  • Sun Fire 12K Server
    •  
  • Sun Fire 15K Server
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: SF-Exxk
    •  
  • .Old GCS Categories>Sun Microsystems>Servers>High-End Servers
    •  

PreviouslyPublishedAs
214352 


Applies to: 

Sun Fire 12K Server - Version All Versions to All Versions [Release All Releases]
Sun Fire 15K Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Sun OS



Goal


This document describes the usage and purpose of domain access control lists

(ACLs) on a Sun Fire[TM] 12K/15K/E25K/E20K Server and lists common error messages.


Fix


ACL usage and error messages



One of the tasks when setting up a Sun Fire 12K/15K/E20K/E25K Server is to assign boards to each domain's ACL, or access control list.

The purpose of these ACLs is to limit the domain administrator(s) ability to assign and unassign boards to a given domain.



A sample ACL list for a system with five system boards and five IO boards is shown below.



Available Component List for Domains:

=====================================

Available Component List for domain mc15k-da:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain mc15k-db:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain C:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain D:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain E:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain F:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain G:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain H:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain I:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain J:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain K:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain L:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain M:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain N:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain O:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain P:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain Q:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain R:

SB0 SB1 SB2 SB16 SB17

IO0 IO1 IO2 IO16 IO17



Note that in this case any of the system boards or IO boards can be assigned to any domain.



In our test version, the altered ACL for domains A and B look like this:



Available Component List for Domains:

=====================================

Available Component List for domain mc15k-da:

SB0 SB1 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain mc15k-db:

SB0 SB1 SB2 SB17

IO0 IO1 IO2 IO16 IO17



Note that domain B has SB2 in its ACL but Domain A does not; neither domain has SB16 in its ACL.



If we become the domain admin for Domains A and B and attempt to addboard, we'll see the error below:






# addboard -d a sb16

ERROR: Invalid privileges for the requested function.

The domain admin cannot add a board for which the ACL is not present.




Now since my domain admin account has access to domain A and B, let's move a board from B to A where it is in B's ACL but not A's:






# showboards

Retrieving board information. Please wait.

.....

Location Pwr Type of Board Board Status Test Status Domain

-------- --- ------------- ------------ ----------- ------

SB0      On  CPU           Active       Passed      mc15k-da

SB1      On  CPU           Active       Passed      mc15k-da

SB2      Off CPU           Assigned     Unknown     mc15k-db

SB15     On  CPU           Assigned     Unknown     mc15k-db

SB17     -   Empty Slot    Available    -           Isolated

IO0      On  HPCI          Active       Passed      mc15k-da

IO1      On  HPCI          Active       Passed      mc15k-da

IO2      Off HPCI          Available    Unknown     Isolated

IO15     On  HPCI          Assigned     Unknown     mc15k-db

IO16     Off HPCI          Assigned     Unknown     mc15k-da

IO17     -   Empty Slot    Available    -           Isolated



# moveboard -d a sb2

You don't have the required privileges to perform the "-c assign" function on domain: A.

You must either have platadmn privileges, or the board must be in this domains ACL.

Do you want to go as far as your privileges allow?

(remove the board from the domain it is currently assigned to)

(yes/no)? yes

SB2 unassigned from domain: B



# showboards

Retrieving board information. Please wait.

..

Location Pwr Type of Board Board Status Test Status Domain

-------- --- ------------- ------------ ----------- ------

SB0      On  CPU           Active       Passed      mc15k-da

SB1      On  CPU           Active       Passed      mc15k-da

SB2      Off CPU           Available    Unknown     Isolated

SB15     On  CPU           Assigned     Unknown     mc15k-db

SB17     -   Empty Slot    Available    -           Isolated

IO0      On  HPCI          Active       Passed      mc15k-da

IO1      On  HPCI          Active       Passed      mc15k-da

IO2      Off HPCI          Available    Unknown     Isolated

IO15     On  HPCI          Assigned     Unknown     mc15k-db

IO16     Off HPCI          Assigned     Unknown     mc15k-da

IO17     -   Empty Slot    Available    -           Isolated




Now SB2 belongs to neither domain, although it is still in B's ACL.



Available Component List for Domains:

=====================================

Available Component List for domain mc15k-da:

SB0 SB1 SB17

IO0 IO1 IO2 IO16 IO17

Available Component List for domain mc15k-db:

SB0 SB1 SB2 SB17

IO0 IO1 IO2 IO16 IO17



Also, as implied by the messages above, the platform admin is NOT bound by the ACLs, and can add, delete, and move boards at will (subject to Solaris[TM] cooperating, and the HW being good for POST).



In summary, the ACLs on the Sun Fire 12K/15K/E20K/E25K Server are for limiting domain administrators from taking boards away from other domains and would be used in a situation where multiple administrators share responsibility for domains on a Sun Fire 12K/15K/E20K/E25K Server. The ACLs are not updated by the add/delete/move board commands, nor is the user sms-svc (or any platform admin user) prohibited from making board changes on the platform by ACLs.





Product

Sun Fire 15K Server

Sun Fire 12K Server

Sun Fire E20K Server

Sun Fire E25K Server





 Internal Section



 12K, 15K, E20K, E25K, ACL, domain, addboard, moveboard, deleteboard, cfgadm, showplatform, setupplatform

 Previously Published As 70834



Attachments

This solution has no attachment


















       

Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.

 Feedback