Asset ID: 1-71-1010444.1
Update Date: 2012-07-30
Solution Type: Technical Instruction Sure Solution
1010444.1: Sun Fire 12K/15K/E20K/E25K Server: ACL usage and common error messages
Related Items
- Sun Fire 12K Server
- Sun Fire 15K Server
Related Categories
- PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: SF-Exxk
- .Old GCS Categories>Sun Microsystems>Servers>High-End Servers
Previously Published As: 214352
Applies to:
Sun Fire 12K Server - Version All Versions to All Versions [Release All Releases]
Sun Fire 15K Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Sun OS
Goal
This document describes the usage and purpose of domain access control lists
(ACLs) on a Sun Fire[TM] 12K/15K/E25K/E20K Server and lists common error messages.
Fix
ACL usage and error messages
One of the tasks when setting up a Sun Fire 12K/15K/E20K/E25K Server is to assign boards to each domain's ACL, or access control list.
The purpose of these ACLs is to limit the domain administrators' ability to assign and unassign boards to a given domain.
A sample ACL listing for a system with five system boards and five IO boards is shown below.
Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain C:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain D:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain E:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain F:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain G:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain H:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain I:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain J:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain K:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain L:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain M:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain N:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain O:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain P:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain Q:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain R:
SB0 SB1 SB2 SB16 SB17
IO0 IO1 IO2 IO16 IO17
Note that in this case any of the system boards or IO boards can be assigned to any domain.
In our test version, the altered ACLs for domains A and B look like this:
Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17
Note that domain B has SB2 in its ACL but Domain A does not; neither domain has SB16 in its ACL.
If we become the domain admin for Domains A and B and attempt an addboard, we'll see the error below:
# addboard -d a sb16
ERROR: Invalid privileges for the requested function.
The domain admin cannot add a board that is not present in the domain's ACL.
Now, since my domain admin account has access to domains A and B, let's move a board from B to A where it is in B's ACL but not in A's:
# showboards
Retrieving board information. Please wait.
.....
Location Pwr Type of Board Board Status Test Status Domain
-------- --- ------------- ------------ ----------- ------
SB0 On CPU Active Passed mc15k-da
SB1 On CPU Active Passed mc15k-da
SB2 Off CPU Assigned Unknown mc15k-db
SB15 On CPU Assigned Unknown mc15k-db
SB17 - Empty Slot Available - Isolated
IO0 On HPCI Active Passed mc15k-da
IO1 On HPCI Active Passed mc15k-da
IO2 Off HPCI Available Unknown Isolated
IO15 On HPCI Assigned Unknown mc15k-db
IO16 Off HPCI Assigned Unknown mc15k-da
IO17 - Empty Slot Available - Isolated
# moveboard -d a sb2
You don't have the required privileges to perform the "-c assign" function on domain: A.
You must either have platadmn privileges, or the board must be in this domains ACL.
Do you want to go as far as your privileges allow?
(remove the board from the domain it is currently assigned to)
(yes/no)? yes
SB2 unassigned from domain: B
# showboards
Retrieving board information. Please wait.
..
Location Pwr Type of Board Board Status Test Status Domain
-------- --- ------------- ------------ ----------- ------
SB0 On CPU Active Passed mc15k-da
SB1 On CPU Active Passed mc15k-da
SB2 Off CPU Available Unknown Isolated
SB15 On CPU Assigned Unknown mc15k-db
SB17 - Empty Slot Available - Isolated
IO0 On HPCI Active Passed mc15k-da
IO1 On HPCI Active Passed mc15k-da
IO2 Off HPCI Available Unknown Isolated
IO15 On HPCI Assigned Unknown mc15k-db
IO16 Off HPCI Assigned Unknown mc15k-da
IO17 - Empty Slot Available - Isolated
Now SB2 belongs to neither domain, although it is still in B's ACL.
Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17
Also, as implied by the messages above, the platform admin is NOT bound by the ACLs, and can add, delete, and move boards at will (subject to Solaris[TM] cooperating, and the hardware being good for POST).
In summary, the ACLs on the Sun Fire 12K/15K/E20K/E25K Server are for limiting domain administrators from taking boards away from other domains, and would be used in a situation where multiple administrators share responsibility for domains on a Sun Fire 12K/15K/E20K/E25K Server. The ACLs are not updated by the add/delete/move board commands, nor do the ACLs prohibit the user sms-svc (or any platform admin user) from making board changes on the platform.
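The following is an added example, not part of the original Sun document: a POSIX sh/awk function that reads an "Available Component List" listing on standard input and reports, for each board, which domains' ACLs contain it, so that boards open to more than one domain's administrators stand out. The function names acl_audit and sample_acl are hypothetical, and the sample input is the altered two-domain ACL shown above.

```sh
#!/bin/sh
# Added example (not from the original document).
# acl_audit: read an "Available Component List for Domains" listing on stdin
# and print one line per board: BOARD COUNT DOMAINS STATUS
acl_audit() {
    awk '
    # Per-domain header, e.g. "Available Component List for domain mc15k-da:"
    /Available Component List for domain / {
        dom = $NF
        sub(/:$/, "", dom)
        next
    }
    # Board lines that follow a header, e.g. "SB0 SB1 SB17"
    dom != "" && /^[ \t]*(SB|IO)[0-9]+/ {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^(SB|IO)[0-9]+$/) continue   # ignore stray tokens
            if (!seen[$i, dom]++) {                 # count each pair once
                count[$i]++
                list[$i] = (list[$i] == "" ? dom : list[$i] "," dom)
            }
        }
    }
    END {
        for (b in count)
            printf "%s %d %s %s\n", b, count[b], list[b], \
                   (count[b] > 1 ? "SHARED" : "exclusive")
    }' | sort
}

# Sample input: the altered ACLs for domains A and B from this document.
sample_acl() {
    cat <<'EOF'
Available Component List for Domains:
=====================================
Available Component List for domain mc15k-da:
SB0 SB1 SB17
IO0 IO1 IO2 IO16 IO17
Available Component List for domain mc15k-db:
SB0 SB1 SB2 SB17
IO0 IO1 IO2 IO16 IO17
EOF
}

sample_acl | acl_audit
```

A board marked SHARED is in more than one domain's ACL; a board marked exclusive, such as SB2 here, is in only one domain's ACL. Platform admin actions are not reflected, because they are not bound by the ACLs.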
Product
Sun Fire 15K Server
Sun Fire 12K Server
Sun Fire E20K Server
Sun Fire E25K Server
Internal Section
12K, 15K, E20K, E25K, ACL, domain, addboard, moveboard, deleteboard, cfgadm, showplatform, setupplatform
Previously Published As 70834