source: gpfs_3.1_ker2.6.20/share/man/man8/mmauth.8 @ 84

Last change on this file since 84 was 16, checked in by rock, 17 years ago
File size: 10.0 KB
Line 
1.TH mmauth 02/16/06
2mmauth Command
3.SH "Name"
4.PP
5\fBmmauth\fR - Manages secure access to GPFS file systems.
6.SH "Synopsis"
7.PP
8\fBmmauth\fR \fBgenkey {new | commit}\fR
9.PP
10Or,
11.PP
12\fBmmauth\fR \fBadd\fR \fIRemoteClusterName\fR \fB-k\fR
13\fIKeyFile\fR \fB-l\fR \fICipherList\fR
14.PP
15Or,
16.PP
17\fBmmauth\fR \fBupdate\fR \fIRemoteClusterName\fR \fB-C\fR
18\fINewClusterName\fR \fB-k\fR \fIKeyFile\fR [\fB-l\fR
19\fICipherList\fR]
20.PP
21Or,
22.PP
23\fBmmauth\fR \fBdelete\fR \fB{\fR\fIRemoteClusterName\fR \fB|
24all }\fR
25.PP
26Or,
27.PP
28\fBmmauth\fR \fBgrant \fR \fB{\fR\fIRemoteClusterName\fR
29\fB| all }\fR \fB-f {\fR \fIDevice\fR \fB| all }\fR \fB[-a {\fB\fIrw\fR\fR | ro}\fR \fB] [-r
30{\fR\fIuid\fR\fB:\fR\fIgid\fR | \fB\fIno\fR\fR\fB}]\fR
31.PP
32Or,
33.PP
34\fBmmauth\fR \fBdeny\fR \fB{\fR\fIRemoteClusterName\fR
35\fB| all }\fR \fB-f {\fR \fIDevice\fR \fB| all }\fR
36.PP
37Or,
38.PP
39\fBmmauth\fR \fBshow\fR [\fIRemoteClusterName\fR \fB|
40all\fR]
41.SH "Description"
42.PP
43The \fBmmauth\fR command prepares a cluster to grant secure access to file
44systems owned locally. The \fBmmauth\fR command also prepares a
45cluster to receive secure access to file systems owned by another
46cluster. Use the \fBmmauth\fR command to generate a public/private
47key pair for the local cluster. A public/private key pair must be
48generated on both the cluster owning the file system and the cluster desiring
49access to the file system. The administrators of the clusters are
50responsible for exchanging the public portion of the public/private key
51pair. Use the \fBmmauth\fR command to add or delete permission for a
52cluster to mount file systems owned by the local cluster.
53.PP
54When a cluster generates a new public/private key pair,
55administrators of clusters participating in remote file system mounts are
56responsible for exchanging their respective public key file
57\fB/var/mmfs/ssl/id_rsa.pub\fR generated by this
58command.
59.PP
60The administrator of a cluster desiring to mount a file system from another
61cluster must provide the received key file as input to the \fBmmremotecluster\fR command. The administrator
62of a cluster allowing another cluster to mount a file system must provide the
63received key file to the \fBmmauth\fR command.
64.PP
65The keyword appearing after \fBmmauth\fR determines which action is
66performed:
67.PP
68.RS +3
69\fBadd
70\fR
71.RE
72.RS +9
73Adds a cluster and its associated public key to the list of clusters
74authorized to connect to this cluster for the purpose of mounting file systems
75owned by this cluster.
76.RE
77.PP
78.RS +3
79\fBdelete
80\fR
81.RE
82.RS +9
83Deletes a cluster and its associated public key from the list of clusters
84authorized to mount file systems owned by this cluster.
85.RE
86.PP
87.RS +3
88\fBdeny
89\fR
90.RE
91.RS +9
92Denies a cluster the authority to mount a specific file system owned by
93this cluster.
94.RE
95.PP
96.RS +3
97\fBgenkey {new | commit}
98\fR
99.RE
100.RS +9
101.PP
102.RS +3
103\fBnew
104\fR
105.RE
106.RS +9
107Generates a new public/private key pair for this cluster. The key
108pair is placed in \fB/var/mmfs/ssl\fR. This must be done at least
109once before \fBcipherList\fR, the GPFS configuration parameter that enables
110GPFS with OpenSSL, is set.
111.PP
112The new key is in addition to the currently in effect committed
113key. Both keys are accepted until the administrator runs \fBmmauth
114genkey commit\fR.
115.RE
116.PP
117.RS +3
118\fBcommit
119\fR
120.RE
121.RS +9
122Commits the new public/private key pair for this cluster. Once
123\fBmmauth genkey commit\fR is run, the old key pair will no longer be
124accepted, and remote clusters that have not updated their keys (by running
125\fBmmauth update\fR or
126\fBmmremotecluster
127update\fR) will be disconnected.
128.RE
129.RE
130.PP
131.RS +3
132\fBgrant
133\fR
134.RE
135.RS +9
136Allows a cluster to mount a specific file system owned by this
137cluster.
138.RE
139.PP
140.RS +3
141\fBshow
142\fR
143.RE
144.RS +9
145Shows the list of clusters authorized to mount file system owned by this
146cluster.
147.RE
148.PP
149.RS +3
150\fBupdate
151\fR
152.RE
153.RS +9
154Updates the public key and other information associated with a cluster
155authorized to mount file systems owned by this cluster.
156.PP
157When the local cluster name (or ".") is specified, \fBmmauth update
158-l\fR can be used to set the \fIcipherList\fR value for the local
159cluster. Note that you cannot use this command to change the name of
160the local cluster. Use the
161\fBmmchcluster\fR
162command for this purpose.
163.RE
164.SH "Parameters"
165.PP
166.RS +3
167\fB\fIRemoteClusterName\fR
168\fR
169.RE
170.RS +9
171Specifies the remote cluster name requesting access to local GPFS file
172systems. The value \fBall\fR indicates all remote clusters defined
173to the local cluster.
174.RE
175.SH "Options"
176.PP
177.RS +3
178\fB-a {\fB\fIrw\fR\fR | ro}
179\fR
180.RE
181.RS +9
182The type of access allowed:
183.PP
184.RS +3
185\fBro
186\fR
187.RE
188.RS +9
189Specifies read-only access.
190.RE
191.PP
192.RS +3
193\fBrw
194\fR
195.RE
196.RS +9
197Specifies read/write access. This is the default.
198.RE
199.RE
200.PP
201.RS +3
202\fB-C \fINewClusterName\fR
203\fR
204.RE
205.RS +9
206Specifies a new, fully-qualified cluster name for the already-defined
207cluster \fIremoteClusterName\fR.
208.RE
209.PP
210.RS +3
211\fB-f \fIDevice \fR
212\fR
213.RE
214.RS +9
215The device name for a file system owned by this cluster. The
216\fIDevice \fR argument is required. If \fBall\fR is specified,
217the command applies to all file systems owned by this cluster at the time that
218the command is issued.
219.RE
220.PP
221.RS +3
222\fB-k \fIKeyFile\fR
223\fR
224.RE
225.RS +9
226Specifies the public key file generated by the \fBmmauth\fR
227command in the cluster requesting to remotely mount the local GPFS file
228system.
229.RE
230.PP
231.RS +3
232\fB-l \fICipherList\fR
233\fR
234.RE
235.RS +9
236Specifies the cipher list to be associated with the cluster specified by
237\fIremoteClusterName\fR, when connecting to this cluster for the purpose of
238mounting file systems owned by this cluster.
239.PP
240See the Frequently Asked Questions at: publib.boulder.ibm.com/infocenter/
241clresctr/topic/com.ibm.cluster.gpfs.doc/gpfs_faqs/
242gpfsclustersfaq.html for a list of the ciphers supported by GPFS.
243.RE
244.PP
245.RS +3
246\fB-r {\fIuid\fR:\fIgid\fR | \fB\fIno\fR\fR}
247\fR
248.RE
249.RS +9
250Specifies a root credentials remapping (\fIroot squash\fR)
251option. The UID and GID of all processes with root credentials from the
252remote cluster will be remapped to the specified values.
253.PP
254The default is not to remap the root UID and GID. The \fIuid\fR
255and \fIgid\fR must be specified as unsigned integers or as symbolic names
256that can be resolved by the operating system to a valid UID and GID.
257Specifying \fBno\fR, \fBoff\fR, or \fBDEFAULT\fR turns off the
258remapping.
259.RE
260.SH "Exit status"
261.PP
262.PP
263.RS +3
264\fB0
265\fR
266.RE
267.RS +9
268Successful completion. After a successful completion of the
269\fBmmauth\fR command, the configuration change request will have been
270propagated to all nodes in the cluster.
271.RE
272.PP
273.RS +3
274\fBnonzero
275\fR
276.RE
277.RS +9
278A failure has occurred.
279.RE
280.SH "Security"
281.PP
282You must have root authority to run the \fBmmauth\fR command.
283.PP
284You may issue the \fBmmauth\fR command from any node in the GPFS
285cluster.
286.SH "Examples"
287.RS +3
288.HP 3
2891. This is an example of an \fB mmauth genkey new\fR command:
290.sp
291.nf
292 mmauth genkey new
293.fi
294.sp
295The output is similar to this:
296.sp
297.nf
298Generating RSA private key, 512 bit long modulus
299\&.\&.\&..........++++++++++++.++++++++++++
300e is 65537 (0x10001)
301mmauth: Command successfully completed
302mmauth: Propagating the cluster configuration data to all
303affected nodes. This is an asynchronous process.
304.fi
305.sp
306.HP 3
3072. This is an example of an \fB mmauth genkey commit\fR
308command:
309.sp
310.nf
311 mmauth genkey commit
312.fi
313.sp
314The output is similar to this:
315.sp
316.nf
317mmauth: Command successfully completed
318mmauth: Propagating the cluster configuration data to all
319affected nodes. This is an asynchronous process.
320.fi
321.sp
322.HP 3
3233. This is an example of an \fB mmauth add\fR command:
324.sp
325.nf
326mmauth add clustA.kgn.ibm.com -k /u/admin/keys/clustA.pub\
327.fi
328.sp
329The output is similar to this:
330.sp
331.nf
332mmauth: Propagating the changes to all affected nodes.
333This is an asynchronous process.
334.fi
335.sp
336.HP 3
3374. This is an example of an \fB mmauth update\fR command:
338.sp
339.nf
340mmauth update clustA.kgn.ibm.com -k /u/admin/keys/clustA_new.pub\
341.fi
342.sp
343The output is similar to this:
344.sp
345.nf
346mmauth: Propagating the changes to all affected nodes.
347This is an asynchronous process.
348.fi
349.sp
350.HP 3
3515. This is an example of an \fBmmauth grant\fR command:
352.sp
353.nf
354mmauth grant clustA.kgn.ibm.com -f /dev/gpfs1 -a ro
355.fi
356.sp
357The output is similar to this:
358.sp
359.nf
360mmauth:Propagating the changes to all affected nodes.
361This is an asynchronous process.
362.fi
363.sp
364.HP 3
3656. This is an example on how to set or change the cipher list for the
366local cluster:
367.sp
368.nf
369mmauth update . -l NULL-SHA
370.fi
371.sp
372The output is similar to this:
373.sp
374.nf
375mmauth: Command successfully completed
376mmauth: Propagating the changes to all affected nodes.
377This is an asynchronous process.
378.fi
379.sp
380.HP 3
3817. This is an example of an \fBmmauth show\fR command:
382.sp
383.nf
384mmauth show all
385.fi
386.sp
387The output is similar to this:
388.sp
389.nf
390Cluster name:        clustA.kgn.ibm.com
391Cipher list:         NULL-SHA
392SHA digest:          a3917c8282fca7a27d951566940768dcd241902b
393File system access:  gpfs1 (ro)\
394.fi
395.sp
396.sp
397.nf
398Cluster name:        clustB.kgn.ibm.com (this cluster)
399Cipher list:         NULL-SHA
400SHA digest:          6ba5e3c1038246fe30f3fc8c1181fbb2130d7a8a
401SHA digest (new):    3c1038246fe30f3fc8c1181fbb2130d7a8a9ab4d
402File system access:  (all rw)
403.fi
404.sp
405.sp
406For \fBclustB.kgn.ibm.com\fR, the \fBmmauth
407genkey new\fR command has been issued, but the \fBmmauth genkey commit\fR
408command has not yet been issued.
409.sp
410For more information on the SHA digest, see
411\fIGeneral Parallel File System: Problem
412Determination Guide\fR and search on \fISHA digest\fR.
413.HP 3
4148. This is an example of an \fBmmauth deny\fR command:
415.sp
416.nf
417mmauth deny clustA.kgn.ibm.com -f all
418.fi
419.sp
420The output is similar to this:
421.sp
422.nf
423mmauth:Propagating the changes to all affected nodes.
424This is an asynchronous process.
425.fi
426.sp
427.HP 3
4289. This is an example of an \fBmmauth delete\fR command:
429.sp
430.nf
431mmauth delete all
432.fi
433.sp
434The output is similar to this:
435.sp
436.nf
437mmauth: Propagating the changes to all affected nodes.
438This is an asynchronous process.
439.fi
440.sp
441.RE
442.SH "See also"
443.PP
444mmremotefs Command
445.PP
446mmremotecluster Command
447.PP
448\fIAccessing GPFS file systems from other
449GPFS clusters\fR in
450\fIGeneral Parallel
451File System: Advanced Administration Guide\fR.
452.SH "Location"
453.PP
454\fB/usr/lpp/mmfs/bin\fR
455.PP
Note: See TracBrowser for help on using the repository browser.