NAME

      mxauth - add, remove, or list authorizations in Systems Insight
      Manager


SYNOPSIS

      mxauth -a|r -u username -R rolename -n nodename
      mxauth -a|r -u username -R rolename -g groupname
      mxauth -a|r -f filename
      mxauth [-l f|t]


DESCRIPTION

      mxauth is used by a Systems Insight Manager full rights user to manage
      Systems Insight Manager authorizations. These associations between
      users, roles and nodes or node groups may only be added or removed by
      the Systems Insight Manager full rights user, but any Systems Insight
      Manager user may list authorizations. Authorizations formed from
      users, roles, and nodes are called node authorizations. Authorizations
      formed from users, roles, and node groups are called node group
      authorizations.

      The first form of the command enables a full rights user to add or
      remove one node authorization. All options and associated parameters
      are required to completely specify a node authorization. Asterisks are
      supported for the node parameter. The Systems Insight Manager
      recognizes the asterisk as a wildcard to indicate adding the node
      authorization for all nodes currently configured in the Systems
      Insight Manager. Note that when using the wildcard character on the
      command line, the user must enclose the wildcard character in either
      double quotes ("*") or single quotes ('*') to prevent the shell
      interpreter from preprocessing the wildcard character. An error
      results if any option or its data is missing.

      The second form of the command enables a full rights user to add or
      remove one node group authorization. All options and associated
      parameters are required to completely specify a node group
      authorization. Asterisks are supported for the node group parameter.
      The Systems Insight Manager recognizes the asterisk as a wildcard to
      indicate adding the node group authorization for all node groups
      currently configured in the Systems Insight Manager.  An error results
      if any option or its data is missing.

      The third form of the command allows a full rights user to add or
      remove multiple authorizations by specifying an input file containing
      node and node group authorizations. The file must be formatted in the
      eXtensible Markup Language (XML) format defined for Systems Insight
      Manager. See mxauth(4).

      The last form of the command allows information about one or more
      authorizations to be listed.


      When invoked with no options, mxauth lists all authorization names in
      compact form with the authorization fields separated by colons (:).

      Node authorizations display as:

	   user:rolename:n:nodename

      Node group authorizations display as:

	   user:rolename:g:groupname

      When using the -l t option, mxauth lists all authorizations in a
      tabular format with column headings identifying each field.

      When using the -l f option, mxauth lists all authorizations in the XML
      format.
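
      The following is an added example, not part of the original manual
      page or of Systems Insight Manager. It audits the compact listing
      described above for user/role pairs that hold a node authorization on
      every node named in the listing, which is what a wildcard add leaves
      behind. The function names and the sample listing are constructed,
      and it assumes no field contains a colon.

```shell
#!/bin/sh
# Added example: audit mxauth's compact listing for broad node grants.
# Input lines: user:rolename:n:nodename or user:rolename:g:groupname.
# Assumption: none of the four fields contains a colon.

# broad_grants: read a compact listing on stdin and print
# "user:rolename:count" for each user/role pair that is authorized on
# every node named in the listing. Nodes with no authorization at all do
# not appear in the listing, so the node total is a lower bound.
broad_grants() {
    awk -F: '
        NF != 4 || $3 != "n" { next }   # skip group and malformed lines
        {
            pair = $1 FS $2
            key  = pair FS $4
            if (!(key in seen))  { seen[key] = 1; count[pair]++ }
            if (!($4 in nodes))  { nodes[$4] = 1; total++ }
        }
        END {
            # With a single node every grant would match, so require > 1.
            for (p in count)
                if (total > 1 && count[p] == total)
                    print p FS count[p]
        }
    ' | sort
}

# Constructed sample listing (not output from a real CMS).
sample_listing() {
    cat <<'EOF'
jane:webadmin:n:web01
jane:webadmin:n:web02
jane:webadmin:n:sap01
bill:webadmin:n:web01
martha:sapadmin:n:sap01
sue:webadmin:g:webGroup
EOF
}

# On a CMS the listing would come from:  mxauth | broad_grants
sample_listing | broad_grants
```

      Role names with embedded spaces pass through unchanged because only
      the colon is treated as a field separator.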

    File Processing
      The mxauth command allows a full rights user to add or remove Systems
      Insight Manager authorizations by specifying an XML file containing a
      list of authorizations.

      The Systems Insight Manager processes the input file data in three
      passes.

      The first pass attempts to parse the XML file and generate a list of
      authorizations to process during the second pass. The first pass
      ensures that the XML file is formatted properly and that the
      authorization objects contain syntactically valid information. During
      the first pass, if the Systems Insight Manager detects an error, the
      Systems Insight Manager interrupts the process, issues an error
      message describing the error, and leaves the Systems Insight Manager
      repository unchanged.

      During the second pass, the command tries to resolve the components in
      each authorization from the first pass to real objects in the Systems
      Insight Manager repository. The command determines if the user name
      represents an existing Systems Insight Manager user, if the role name
      represents a valid Systems Insight Manager role, if the node name
      represents a valid Systems Insight Manager node, and if the node group
      name represents a valid Systems Insight Manager node group. If the
      command encounters a logic error, such as specifying a non-existent
      user, role, node, or node group, the command issues an error message,
      interrupts processing, and leaves the Systems Insight Manager
      repository unchanged.

      During the third pass, the command performs the requested add or
      delete of the authorization list and updates the Systems Insight
      Manager repository appropriately. During an add, the command ignores
      duplicate authorizations. During a remove, the command ignores
      undefined authorizations.

    Options
      mxauth recognizes the following options:

	   -a		  Add authorization(s). The wildcard character (*)
			  is supported for the node and group name
			  arguments.

	   -r		  Remove authorization(s). The wildcard character
			  (*) is supported for the node and group name
			  arguments.

	   -f filename	  Indicates that authorizations to be added or
			  removed are specified in filename.

	   -l  t	  List all authorizations in the tabular format.

	   -l  f	  List all authorization names in the Compact
			  Authorization Format. This option may be used to
			  edit authorizations that have been saved to a
			  file. This file may subsequently be used in
			  conjunction with the -f option to add or remove
			  authorizations.

    Authorization Attributes
	   -u username|UID
			  Specifies the user for the authorization.

	   -R rolename	  Specifies the role name for the authorization.
			  Role names with embedded spaces must be enclosed
			  in quotes.

	   -n nodename	  Specifies the node name for the authorization. The
			  wildcard character (*) is supported for the node
			  name argument.

	   -g groupname	  Specifies the node group name for the
			  authorization. The wildcard character (*) is
			  supported for the node group name argument.

      Note: When duplicate options are specified (for example,
      -f file1 -f file2), the last instance of the option will be used by
      mxauth (in this example, file2).


RETURN VALUE

      mxauth returns one of the following values:

	     0		  Successful completion.
	     1		  Command line syntax error.
	     2		  Error in a file operation.
	     3		  Nonexistent user, role, node, or node group error.
	    21		  Invalid name.
	   102		  Systems Insight Manager Repository error.
	   222		  Central Management Server (CMS) is not
			  initialized.
	   249		  Unable to connect to the session manager.


DIAGNOSTICS

      mxauth writes to stdout, stderr and the Systems Insight Manager log
      file.


EXAMPLES

      Add the authorizations defined in the file "my_auths.xml".

	   mxauth -a -f my_auths.xml

      The contents of "my_auths.xml" might look like:


	   <?xml version="1.0" encoding="UTF-8"?>
	   <auth-list>
	       <node-authorization user-name="user1"
				   role-name="webadmin"
				   node-name="node1.corp.com" />
	       <node-authorization user-name="user2"
				   role-name="operator"
				   node-name="node1.corp.com" />
	       <node-authorization user-name="user3"
				   role-name="dbadmin"
				   node-name="node2.corp.com" />
	   </auth-list>

      The first entry above gives user "user1" the role of "webadmin" on the
      node "node1.corp.com". The second entry gives user "user2" the role of
      "operator" on node "node1.corp.com". The third entry gives user "user3"
      the role of "dbadmin" on node "node2.corp.com".

      Add the node authorization to allow user "bill" to execute any tools
      assigned to the "webadmin" role on node "web01".

	   mxauth -a -u bill -R webadmin -n web01

      Use the wildcard character to add the node authorizations that allow
      user "jane" to execute any tools assigned to the "webadmin" role on
      all nodes configured on the Systems Insight Managed cluster at the
      time the command is executed.

	   mxauth -a -u jane -R webadmin -n "*"

      Remove the node authorization for user "martha" to execute any tools
      assigned to the "sapadmin" role on node "sap01".

	   mxauth -r -u martha -n sap01 -R sapadmin

      Use the wildcard character to remove the node authorizations that
      allow user "wilma" to execute any tools assigned to the "webadmin"
      role on all nodes configured on the Systems Insight Managed cluster at
      the time the command is executed.


	   mxauth -r -u wilma -R webadmin -n '*'

      Add the node group authorization to allow user "sue" to execute any
      tools assigned to the "webadmin" role on nodegroup "webGroup".

	   mxauth -a -u sue -R webadmin -g webGroup

      Use the wildcard character to add the node group authorizations that
      allow user "jane" to execute any tools assigned to the "operator" role
      on all node groups configured on the Systems Insight Managed cluster
      at the time the command is executed.

	   mxauth -a -u jane -R operator -g "*"

      Remove the node group authorization for user "john" to execute any
      tools assigned to the "dbadmin" role on nodegroup "dbGroup".

	   mxauth -r -u john -R dbadmin -g dbGroup

      Remove the node group authorizations that allow user "john" to execute
      any tools assigned to the "dbadmin" role on all node groups currently
      configured on the Systems Insight Managed cluster.

	   mxauth -r -u john -R dbadmin -g '*'

      List, in a tabular format, all authorizations assigned to all users in
      the Systems Insight Managed Cluster.

	   mxauth -l t


LIMITATIONS

      This command may only be run on the CMS.

    Removing Nonexistent Authorizations
      It is not an error to remove an authorization that does not exist in
      the Systems Insight Manager. This operation results in an exit code of
      zero being returned by this command.

      An authorization is nonexistent if all of its attributes (user name,
      role name, node or node group name) are valid Systems Insight Manager
      objects, but they are not associated as an authorization.

    Adding Duplicate Authorizations
      It is not an error to add an authorization that already exists in the
      Systems Insight Manager. This operation results in an exit code of
      zero being returned by this command.


AUTHOR

      mxauth was developed by the Hewlett-Packard Company.



SEE ALSO for HP-UX

      mxauth(4), mxuser(1M), mxngroup(1M), mxnode(1M), mxrole(1M).


SEE ALSO for Linux

      mxauth(4), mxuser(8), mxngroup(8), mxnode(8), mxrole(8).