.TH mmauth "" 02/16/06 "mmauth Command"
.SH "Name"
.PP
\fBmmauth\fR - Manages secure access to GPFS file systems.
.SH "Synopsis"
.PP
\fBmmauth genkey {new | commit}\fR
.PP
Or,
.PP
\fBmmauth add\fR \fIRemoteClusterName\fR \fB-k\fR \fIKeyFile\fR \fB-l\fR \fICipherList\fR
.PP
Or,
.PP
\fBmmauth update\fR \fIRemoteClusterName\fR \fB-C\fR \fINewClusterName\fR \fB-k\fR \fIKeyFile\fR [\fB-l\fR \fICipherList\fR]
.PP
Or,
.PP
\fBmmauth delete {\fR\fIRemoteClusterName\fR \fB| all}\fR
.PP
Or,
.PP
\fBmmauth grant {\fR\fIRemoteClusterName\fR \fB| all} -f {\fR\fIDevice\fR \fB| all}\fR [\fB-a {\fR\fIrw\fR \fB| ro}\fR] [\fB-r {\fR\fIuid\fR\fB:\fR\fIgid\fR \fB| no}\fR]
.PP
Or,
.PP
\fBmmauth deny {\fR\fIRemoteClusterName\fR \fB| all} -f {\fR\fIDevice\fR \fB| all}\fR
.PP
Or,
.PP
\fBmmauth show\fR [\fIRemoteClusterName\fR \fB| all\fR]
.SH "Description"
.PP
The \fBmmauth\fR command prepares a cluster to grant secure access to file systems it owns, and also prepares a cluster to receive secure access to file systems owned by another cluster. Use the \fBmmauth\fR command to generate a public/private key pair for the local cluster. A key pair must be generated both on the cluster that owns the file system and on the cluster that wants to access it. The administrators of the two clusters are responsible for exchanging the public portion of their key pairs. Use the \fBmmauth\fR command to add or delete permission for a cluster to mount file systems owned by the local cluster.
.PP
When a cluster generates a new public/private key pair, the administrators of all clusters participating in remote file system mounts are responsible for exchanging their respective public key files, \fB/var/mmfs/ssl/id_rsa.pub\fR, generated by this command.
.PP
The administrator of a cluster that wants to mount a file system from another cluster must provide the received key file as input to the \fBmmremotecluster\fR command. The administrator of a cluster that allows another cluster to mount a file system must provide the received key file to the \fBmmauth\fR command.
.PP
The keyword appearing after \fBmmauth\fR determines which action is performed:
.PP
.RS +3
\fBadd\fR
.RE
.RS +9
Adds a cluster and its associated public key to the list of clusters authorized to connect to this cluster for the purpose of mounting file systems owned by this cluster.
.RE
.PP
.RS +3
\fBdelete\fR
.RE
.RS +9
Deletes a cluster and its associated public key from the list of clusters authorized to mount file systems owned by this cluster.
.RE
.PP
.RS +3
\fBdeny\fR
.RE
.RS +9
Denies a cluster the authority to mount a specific file system owned by this cluster.
.RE
.PP
.RS +3
\fBgenkey {new | commit}\fR
.RE
.RS +9
.PP
.RS +3
\fBnew\fR
.RE
.RS +9
Generates a new public/private key pair for this cluster. The key pair is placed in \fB/var/mmfs/ssl\fR. This must be done at least once before \fBcipherList\fR, the GPFS configuration parameter that enables GPFS with OpenSSL, is set.
.PP
The new key is in addition to the committed key currently in effect. Both keys are accepted until the administrator runs \fBmmauth genkey commit\fR.
.RE
.PP
.RS +3
\fBcommit\fR
.RE
.RS +9
Commits the new public/private key pair for this cluster. Once \fBmmauth genkey commit\fR is run, the old key pair is no longer accepted, and remote clusters that have not updated their copy of the key (by running \fBmmauth update\fR or \fBmmremotecluster update\fR) are disconnected.
.RE
.RE
.PP
.RS +3
\fBgrant\fR
.RE
.RS +9
Allows a cluster to mount a specific file system owned by this cluster.
.RE
.PP
.RS +3
\fBshow\fR
.RE
.RS +9
Shows the list of clusters authorized to mount file systems owned by this cluster.
.RE
.PP
.RS +3
\fBupdate\fR
.RE
.RS +9
Updates the public key and other information associated with a cluster authorized to mount file systems owned by this cluster.
.PP
When the local cluster name (or ".") is specified, \fBmmauth update -l\fR can be used to set the \fIcipherList\fR value for the local cluster. Note that you cannot use this command to change the name of the local cluster; use the \fBmmchcluster\fR command for that purpose.
.RE
.SH "Parameters"
.PP
.RS +3
\fIRemoteClusterName\fR
.RE
.RS +9
Specifies the name of the remote cluster requesting access to local GPFS file systems. The value \fBall\fR indicates all remote clusters defined to the local cluster.
.RE
.SH "Options"
.PP
.RS +3
\fB-a {\fR\fIrw\fR\fB | ro}\fR
.RE
.RS +9
The type of access allowed:
.PP
.RS +3
\fBro\fR
.RE
.RS +9
Specifies read-only access.
.RE
.PP
.RS +3
\fBrw\fR
.RE
.RS +9
Specifies read/write access. This is the default.
.RE
.RE
.PP
.RS +3
\fB-C\fR \fINewClusterName\fR
.RE
.RS +9
Specifies a new, fully-qualified cluster name for the already-defined cluster \fIRemoteClusterName\fR.
.RE
.PP
.RS +3
\fB-f\fR \fIDevice\fR
.RE
.RS +9
The device name of a file system owned by this cluster. The \fIDevice\fR argument is required. If \fBall\fR is specified, the command applies to all file systems owned by this cluster at the time the command is issued.
.RE
.PP
.RS +3
\fB-k\fR \fIKeyFile\fR
.RE
.RS +9
Specifies the public key file generated by the \fBmmauth\fR command in the cluster requesting to remotely mount the local GPFS file system.
.RE
.PP
.RS +3
\fB-l\fR \fICipherList\fR
.RE
.RS +9
Specifies the cipher list to be associated with the cluster specified by \fIRemoteClusterName\fR when it connects to this cluster for the purpose of mounting file systems owned by this cluster.
.PP
See the Frequently Asked Questions at publib.boulder.ibm.com/infocenter/clresctr/topic/com.ibm.cluster.gpfs.doc/gpfs_faqs/gpfsclustersfaq.html for a list of the ciphers supported by GPFS.
.RE
.PP
.RS +3
\fB-r {\fR\fIuid\fR\fB:\fR\fIgid\fR\fB | no}\fR
.RE
.RS +9
Specifies a root credentials remapping (\fIroot squash\fR) option. The UID and GID of all processes with root credentials from the remote cluster will be remapped to the specified values.
.PP
The default is not to remap the root UID and GID. The \fIuid\fR and \fIgid\fR must be specified as unsigned integers or as symbolic names that the operating system can resolve to a valid UID and GID. Specifying \fBno\fR, \fBoff\fR, or \fBDEFAULT\fR turns off the remapping.
.RE
.SH "Exit status"
.PP
.RS +3
\fB0\fR
.RE
.RS +9
Successful completion. After successful completion of the \fBmmauth\fR command, the configuration change request will have been propagated to all nodes in the cluster.
.RE
.PP
.RS +3
\fBnonzero\fR
.RE
.RS +9
A failure has occurred.
.RE
.SH "Security"
.PP
You must have root authority to run the \fBmmauth\fR command.
.PP
You may issue the \fBmmauth\fR command from any node in the GPFS cluster.
.SH "Examples"
.RS +3
.HP 3
1. This is an example of an \fBmmauth genkey new\fR command:
.sp
.nf
mmauth genkey new
.fi
.sp
The output is similar to this:
.sp
.nf
Generating RSA private key, 512 bit long modulus
\&.\&.\&..........++++++++++++.++++++++++++
e is 65537 (0x10001)
mmauth: Command successfully completed
mmauth: Propagating the cluster configuration data to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
2. This is an example of an \fBmmauth genkey commit\fR command:
.sp
.nf
mmauth genkey commit
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Command successfully completed
mmauth: Propagating the cluster configuration data to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
3. This is an example of an \fBmmauth add\fR command:
.sp
.nf
mmauth add clustA.kgn.ibm.com -k /u/admin/keys/clustA.pub
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
4. This is an example of an \fBmmauth update\fR command:
.sp
.nf
mmauth update clustA.kgn.ibm.com -k /u/admin/keys/clustA_new.pub
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
5. This is an example of an \fBmmauth grant\fR command:
.sp
.nf
mmauth grant clustA.kgn.ibm.com -f /dev/gpfs1 -a ro
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
6. This is an example of how to set or change the cipher list for the local cluster:
.sp
.nf
mmauth update . -l NULL-SHA
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Command successfully completed
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
7. This is an example of an \fBmmauth show\fR command:
.sp
.nf
mmauth show all
.fi
.sp
The output is similar to this:
.sp
.nf
Cluster name: clustA.kgn.ibm.com
Cipher list: NULL-SHA
SHA digest: a3917c8282fca7a27d951566940768dcd241902b
File system access: gpfs1 (ro)
.fi
.sp
.nf
Cluster name: clustB.kgn.ibm.com (this cluster)
Cipher list: NULL-SHA
SHA digest: 6ba5e3c1038246fe30f3fc8c1181fbb2130d7a8a
SHA digest (new): 3c1038246fe30f3fc8c1181fbb2130d7a8a9ab4d
File system access: (all rw)
.fi
.sp
For \fBclustB.kgn.ibm.com\fR, the \fBmmauth genkey new\fR command has been issued, but the \fBmmauth genkey commit\fR command has not yet been issued.
.sp
For more information on the SHA digest, see \fIGeneral Parallel File System: Problem Determination Guide\fR and search on \fISHA digest\fR.
.HP 3
8. This is an example of an \fBmmauth deny\fR command:
.sp
.nf
mmauth deny clustA.kgn.ibm.com -f all
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.HP 3
9.
This is an example of an \fBmmauth delete\fR command:
.sp
.nf
mmauth delete all
.fi
.sp
The output is similar to this:
.sp
.nf
mmauth: Propagating the changes to all affected nodes.
This is an asynchronous process.
.fi
.sp
.RE
.SH "See also"
.PP
mmremotefs Command
.PP
mmremotecluster Command
.PP
\fIAccessing GPFS file systems from other GPFS clusters\fR in \fIGeneral Parallel File System: Advanced Administration Guide\fR.
.SH "Location"
.PP
\fB/usr/lpp/mmfs/bin\fR
.PP
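.SH "Added example: auditing mmauth show output"
.PP
The shell script below is an added example and is not part of the GPFS documentation or of the \fBmmauth\fR command. It parses the \fBmmauth show all\fR output format shown in example 7 and flags two conditions an administrator would want to review: a cipher list of \fBNULL-SHA\fR, which authenticates the connection but does not encrypt file system traffic, and a \fBSHA digest (new)\fR line, which means \fBmmauth genkey new\fR has been run but \fBmmauth genkey commit\fR has not, so both keys are still accepted. The sample input is constructed from example 7 (clustB's cipher list is changed to AES128-SHA purely for contrast), and the function name \fBaudit_mmauth_show\fR is the example's own.

```shell
#!/bin/sh
# Added example, not part of the GPFS documentation or the mmauth command.
# audit_mmauth_show reads `mmauth show all` output on stdin and prints one
# WARN line per finding:
#   - Cipher list NULL-SHA: the connection is authenticated, but file system
#     traffic is not encrypted.
#   - A "SHA digest (new):" line: `mmauth genkey new` has been run but the key
#     has not been committed with `mmauth genkey commit`, so both keys are
#     still accepted.
# The function name is this example's own; the field layout follows example 7.
audit_mmauth_show() {
    awk '
        function report() {
            if (name == "") return
            if (cipher == "NULL-SHA")
                print "WARN " name ": cipher list NULL-SHA provides no encryption"
            if (pending == "yes")
                print "WARN " name ": new key generated but not committed"
            name = ""
        }
        /^Cluster name:/       { report(); name = $3; cipher = ""; pending = "no" }
        /^Cipher list:/        { cipher = $3 }
        /^SHA digest \(new\):/ { pending = "yes" }
        END                    { report() }
    '
}

# Constructed sample input, adapted from example 7 on this page: clustB's
# cipher list is changed to AES128-SHA so that the two findings differ.
SAMPLE_SHOW='Cluster name: clustA.kgn.ibm.com
Cipher list: NULL-SHA
SHA digest: a3917c8282fca7a27d951566940768dcd241902b
File system access: gpfs1 (ro)

Cluster name: clustB.kgn.ibm.com (this cluster)
Cipher list: AES128-SHA
SHA digest: 6ba5e3c1038246fe30f3fc8c1181fbb2130d7a8a
SHA digest (new): 3c1038246fe30f3fc8c1181fbb2130d7a8a9ab4d
File system access: (all rw)'

# Stand-alone demo; on a real cluster run:  mmauth show all | audit_mmauth_show
printf '%s\n' "$SAMPLE_SHOW" | audit_mmauth_show
```

Run against the sample, the script reports NULL-SHA for clustA and an uncommitted key for clustB; a cluster entry with an encrypting cipher list and no pending key produces no output.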