Purpose
Changes the access controls for
the least-privilege (LP) resource class (IBM.LPCommands).
Syntax
To add one or more accesses to the IBM.LPCommands Class ACL or to overwrite the IBM.LPCommands Class ACL with one or more accesses:
chlpclacl [ -a │ -n host1[,host2,… ] ] [-o] [-h] [-TV] ID_1 perm1 [ID_2 perm2] …
To add one
or more accesses to the IBM.LPCommands Class
ACL or to overwrite the IBM.LPCommands Class
ACL with one or more accesses all using the same permissions:
chlpclacl [ -a │ -n host1[,host2,… ] ] -l [-o] [-h] [-TV] ID_1 [ID_2…] perm
To delete one or more accesses
from the IBM.LPCommands Class ACL:
chlpclacl [ -a │ -n host1[,host2,… ] ] -d [-h] [-TV] ID_1 [ID_2…]
To add accesses to (or
remove accesses from) the IBM.LPCommands Class ACL or to overwrite the IBM.LPCommands Class ACL, with the accesses specified in a file:
chlpclacl [ -a │ -n host1[,host2,… ] ] [ -o │ -d ] -f file_name [-h] [-TV]
To set the IBM.LPCommands Class
ACL to deny all accesses:
chlpclacl [ -a │ -n host1[,host2,… ] ] -x [-h] [-TV]
Description
The chlpclacl command changes the access control list (ACL) that is associated
with the least-privilege (LP) resource class (IBM.LPCommands). This command allows an access to be added to or removed
from the IBM.LPCommands Class ACL. This
ACL controls access to such class operations as creating LP resources
and deleting LP resources. One Class ACL exists on each node for
the IBM.LPCommands class.
To add
accesses to the IBM.LPCommands Class ACL,
specify the ID and the permission the ID is to have. More than one
ID and permission pair can be specified. If you want to add multiple
IDs and they will all have the same permission, use the -l flag to indicate that the format of the command
is a list of IDs followed by a single permission that applies to all
of the IDs. If you use the -o flag, the
IDs and permissions specified with the command will overwrite the
existing accesses. The previously-defined accesses in the Class ACL
are deleted.
To delete accesses from the IBM.LPCommands Class ACL, use the -d flag and
specify the IDs to be deleted.
Use the -f flag to indicate that the accesses are specified in a file.
Each line of the file will be an ID and permission for that ID. If
the -d flag is used with the -f flag, only the ID is needed on each line. Everything
after the first space is ignored.
This command runs on any
node. If you want this command to run on all of the nodes in a domain,
use the -a flag. If you want this command
to run on a subset of nodes in a domain, use the -n flag. Otherwise, this command runs on the local node.
Flags
- -a
- Changes IBM.LPCommands Class ACLs on
all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable's setting determines the cluster scope.
If CT_MANAGEMENT_SCOPE is not set, the
LP resource manager uses scope settings in this order:
- The management domain, if it exists
- The peer domain, if it exists
- Local scope
The chlpclacl command runs once for
the first valid scope that the LP resource manager finds. For example,
suppose a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not
set. In this case, chlpclacl –a runs in
the management domain. To run chlpclacl –a in the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
- -d
- Removes the ACL entry for the specified ID from the IBM.LPCommands Class ACL.
- -f file_name
- Indicates that the accesses are specified in file_name. Each line of this file consists of an ID and the permission
for that ID. If the -d flag is used with
the -f flag, only the ID is needed on each
line. Everything after the first space is ignored.
- -l
- Indicates that there is a list of IDs followed by a single permission
that is used for all of the IDs.
- -n host1[,host2,…]
- Specifies the nodes in the domain on which the IBM.LPCommands Class ACL should be changed. By default, the IBM.LPCommands Class ACL is changed on the local node.
This flag is valid only in a management domain or a peer domain.
If CT_MANAGEMENT_SCOPE is not set, first
the management domain scope is chosen if it exists, then the peer
domain scope is chosen if it exists, and then local scope is chosen,
until the scope is valid for the command. The command will run once
for the first valid scope found.
- -o
- Indicates that the specified accesses overwrite any existing ACL
entries for the IBM.LPCommands Class ACL.
Any ACL entries in the IBM.LPCommands Class
ACL are deleted.
- -x
- Sets the IBM.LPCommands Class ACL to
deny all accesses to the IBM.LPCommands class
attributes and class operations. Any ACL entries in the IBM.LPCommands Class ACL are deleted.
- -h
- Writes the command's usage statement to standard output.
- -T
- Writes the command's trace messages to standard error.
- -V
- Writes the command's verbose messages to standard output.
Parameters
- ID
- Specifies the network identity of the user. If the same ID is listed more than once, the last permission
specified is used. For a description of how to specify the network
identity, see the User identities section
of the lpacl information file.
- perm
- Specifies the permission allowed for ID. perm is specified as a string of one
or more characters, where each character represents a particular permission.
The valid values for perm are:
- r
- Read permission (consists of the q, l, e, and v permissions)
- w
- Write permission (consists of the d, c, s, and o permissions)
- a
- Administrator permission
- x
- Execute permission
- q
- Query permission
- l
- Enumerate permission
- e
- Event permission
- v
- Validate permission
- d
- Define and undefine permission
- c
- Refresh permission
- s
- Set permission
- o
- Online, offline, and reset permission
- 0
- No permission
See the User permissions section of the lpacl information file
for descriptions of these permissions.
Security
To run the chlpclacl command, you need read and administrator permission in
the Class ACL of the IBM.LPCommands resource
class. Permissions are specified in the LP ACLs on the contacted
system. See the lpacl information
file for general information about LP ACLs and the RSCT: Administration Guide for information about modifying them.
Exit Status
- 0
- The command has run successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with the command-line interface (CLI) script.
- 3
- An incorrect flag was specified on the command line.
- 4
- An incorrect parameter was specified on the command line.
- 5
- An error occurred with RMC that was based on incorrect command-line
input.
- 6
- The resource was not found.
Environment Variables
- CT_CONTACT
- Determines the system where the session with the resource monitoring
and control (RMC) daemon occurs. When CT_CONTACT is set to a host name or IP address, the command contacts
the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local
system where the command is being run. The target of the RMC daemon
session and the management scope determine the resource classes or
resources that are processed.
- CT_IP_AUTHENT
- When the CT_IP_AUTHENT environment variable exists, the
RMC daemon uses IP-based network authentication to contact the RMC
daemon on the system that is specified by the IP address to which
the CT_CONTACT environment variable is set. CT_IP_AUTHENT only has meaning if CT_CONTACT is set to an IP address; it
does not rely on the domain name system (DNS) service.
- CT_MANAGEMENT_SCOPE
- Determines the management scope that is used for the session with
the RMC daemon in processing the resources of the least-privilege
(LP) resource manager. The management scope determines the set of
possible target nodes where resources can be processed. The valid
values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If this environment variable is not set, local scope is used, unless the -a flag or
the -n flag is specified.
Implementation Specifics
This command is
part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.
Standard Output
When the -h flag is specified, this command's usage statement is written
to standard output. When the -V flag is
specified, this command's verbose messages are written to standard
output.
Standard Error
All trace messages are written
to standard error.
Examples
- To give user joe on nodeA write permission to the IBM.LPCommands class so that he can create LP resources on nodeA, run one of these commands on nodeA:
chlpclacl joe@NODEID w
chlpclacl joe@LOCALHOST w
- nodeA and nodeB are in a peer domain. To give user joe on nodeB write permission to the IBM.LPCommands class so that he can create LP
resources on nodeB, run this command on nodeA:
chlpclacl -n nodeB joe@LOCALHOST w
In this example, specifying joe@NODEID instead of joe@LOCALHOST gives joe on nodeA write
permission to the IBM.LPCommands class on nodeB.
- To give user joe on nodeA write permission to the IBM.LPCommands class and bill on nodeA administrator permission and write permission
to the IBM.LPCommands class on nodeA, run this command on nodeA:
chlpclacl joe@LOCALHOST w bill@LOCALHOST wa
- To give user joe on nodeA administrator permission to the IBM.LPCommands class on nodeA, overwriting the
current IBM.LPCommands Class ACL so that
this is the only access allowed, run this command on nodeA:
chlpclacl -o joe@LOCALHOST a
- To give users joe, bill, and jane on nodeA read and write permissions to the IBM.LPCommands class on nodeA, run this command
on nodeA:
chlpclacl -l joe@LOCALHOST bill@LOCALHOST jane@LOCALHOST rw
- To delete access for joe on nodeA from the IBM.LPCommands class on nodeA, run this command on nodeA:
chlpclacl -d joe@LOCALHOST
- To add a list of accesses that are in a file named /mysecure/aclfile on nodeA to the IBM.LPCommands class on nodeA, run this command on nodeA:
chlpclacl -f /mysecure/aclfile
The contents of /mysecure/aclfile on nodeA could be: joe@LOCALHOST w
bill@LOCALHOST wa
jane@LOCALHOST rw
- To deny all accesses to the IBM.LPCommands class on nodeA, run this command on nodeA:
chlpclacl -x
Location
- /usr/sbin/rsct/bin/chlpclacl
- Contains the chlpclacl command