# sccsid = "@(#)16   1.7   src/rsct/rmc/mcdaemon/ctrmc.acls, mcdaemon, rsct_rady, rady2035a 11/12/15 16:31:56"
# IBM_PROLOG_BEGIN_TAG 
# This is an automatically generated prolog. 
#  
#  
#  
# Licensed Materials - Property of IBM 
#  
# (C) COPYRIGHT International Business Machines Corp. 2001,2019 
# All Rights Reserved 
#  
# US Government Users Restricted Rights - Use, duplication or 
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp. 
#  
# IBM_PROLOG_END_TAG 

# This file /opt/rsct/cfg/ctrmc.acls is the default Access Control List
# file for the Resource Monitoring and Control subsystem. It is used if the file
# /var/ct/cfg/ctrmc.acls does not exist. To change ACL entries modify the file
# /var/ct/cfg/ctrmc.acls or, if the file does not exist, copy this file to
# /var/ct/cfg/ctrmc.acls and then make the modifications. Once the
# modifications are complete execute the command
#
#   refresh -s ctrmc



# The ACL file consists of one or more stanzas. A stanza consists of a
# stanza name beginning in column 1, followed by zero or more stanza lines.
# A stanza line must begin with one or more blanks or tabs and consists of
# a user identifier, an object type and optional permissions. Blank lines
# and lines where the first non-whitespace character is '#' are ignored.
# Any portion of a line that begins with // is ignored.
#
# A stanza name is the name of a Resource Class to which the stanza lines
# apply. A user identifier has one of the following four forms:
#
#    UserName@HostName
#    HostName
#    *
#    UNAUTHENT
#
# A HostName is a fully qualified host domain name or the keyword
# LOCALHOST. The first form specifies an authenticated user executing an
# RMC application on the named host. If the host name is the keyword
# LOCALHOST then the application is executing on the same machine as the
# RMC subsystem. The second form specifies any authenticated user executing
# an RMC application on the named host. The third form specifies any
# authenticated user executing an RMC application on any host. The fourth
# form, using the keyword UNAUTHENT, specifies any unauthenticated user.
#
# The object type is one of the characters 'C', 'R' or '*'. 'C' indicates
# that the line specifies permissions to access a resource class. 'R'
# indicates that the line specifies permissions to access all resource
# instances of the class. '*' indicates that the line specifies permissions
# to access the resource class and all resource instances of the class.
#
# Permissions consist of the characters 'r' and/or 'w', where 'r' specifies
# read permission and 'w' specifies write permission. If a line contains
# no permissions then the specified user has no permission to access the
# specified object type.

# IBM.FileSystem                   // ACLs for class IBM.FileSystem
#    user1@host1         *    rw
#    user2@host1         C
#    user2@host1         R    r
#    root@LOCALHOST      *    rw
#    LOCALHOST           *    r
#    UNAUTHENT           *

# In the preceding example, user1 on host1 has read/write permissions to
# access the resource class IBM.FileSystem and all resource instances of
# the class. user2 on host1 has no permission to access the resource class
# but does have permission to read all instances of the resource class.
# root on this machine has permission to read/write the resource class and
# all of its resource instances. Any other user on this machine has only
# permission to read the resource class and all of its resource instances.
# An unauthenticated user has no permission to access the resource class or
# any of its resource instances.

# Note that ACL entries are examined in order. The first entry that matches
# the user executing the RMC application for the object type that is
# being accessed is used.



# The following stanza will enable anyone to read the information in the
# IBM.HostPublic class which provides public information about the node,
# mainly its public key.

# Read-only stanza: no line here grants 'w'. '*' covers every authenticated
# user on any host and UNAUTHENT covers unauthenticated users; both get 'r'
# on the class and on all of its resource instances (object type '*').
# NOTE(review): entries are examined in order and the first match is used, so
# the leading '*' line presumably also matches root; the root 'rw' entries
# appended from the DEFAULT stanza would then never be reached for this
# class -- confirm that read-only for everyone is the intent.
IBM.HostPublic
            *	*	r           
    UNAUTHENT	*	r           

# The following stanza contains default ACL entries. These entries are appended
# to each ACL defined for a resource class and are examined after any entries
# explicitly defined for a resource class by the stanzas in this file,
# including the OTHER stanza.

# These entries are appended to the ACL of every resource class, so each 'rw'
# line below is a write grant on every class (and its instances) whose own
# stanza did not already match the caller.
# Entries are paired: root@<host> (rw) is listed before the bare <host> (r).
# Because the first matching entry is used, swapping a pair would leave root
# on that host with read-only access.
# NOTE(review): 0x327db120fe38db28 and 61.81.244.239 are neither a fully
# qualified host name nor LOCALHOST, the only HostName forms described in this
# file; presumably a node identifier and a node address written when this
# node was configured. Confirm that both identify this node (or a trusted
# peer) before keeping or copying these lines, since root on them gets 'rw'.
# NOTE(review): the none:<name> identifiers are not among the four user
# identifier forms described in this file; presumably mapped identities
# produced by the cluster security identity mapping. Confirm which network
# identities map to none:root, because that entry carries 'rw' on everything.
DEFAULT
       root@0x327db120fe38db28	*	rw          
            0x327db120fe38db28	*	r           
            root@61.81.244.239	*	rw          
                 61.81.244.239	*	r           
                root@LOCALHOST	*	rw          
                     LOCALHOST	*	r           
                root@localhost	*	rw          
                     localhost	*	r           
    root@localhost.localdomain	*	rw          
         localhost.localdomain	*	r           
              none:clusteruser	*	r           
                     none:root	*	rw          




# In the following sample stanza the class name of OTHER indicates that the
# stanza applies to all resource classes not otherwise specified in the
# ACL file.
#
#  OTHER
#      user1@host1         *    rw
#      user2@host1         C



# As described above, a stanza need not contain any stanza lines. This is
# useful if the OTHER stanza is specified but the entries in the OTHER
# stanza should not apply to a specific resource class. For example, if
# the following three stanzas are specified in the ACL file
#
#  IBM.FileSystem
#
#  OTHER
#     user1@host1         *    rw
#     user2@host1         C
#    
#  DEFAULT
#     root@LOCALHOST      *    rw
#     LOCALHOST           *    r
#
# then the only entries examined for IBM.FileSystem are those specified in the
# DEFAULT stanza. For all other resource classes the entries examined are,
# first, those specified in the OTHER stanza, and second, those specified in
# the DEFAULT stanza.
#
# In the preceding example, if the DEFAULT stanza also contains no entries,
# then access to the IBM.FileSystem class is denied for all users.

# Gives unauthenticated callers the 'x' permission on the class object only
# (object type 'C'); this stanza has no 'R' or '*' line, so it grants nothing
# on resource instances. The DEFAULT entries are appended after this line.
# NOTE(review): 'x' is not described in the permissions text of this file,
# which covers only 'r' and 'w' -- confirm its meaning against the RSCT
# documentation before changing it. This is one of only two stanzas in this
# file that grant anything to UNAUTHENT, so review edits here carefully.
IBM.PublicKeyExchange
    UNAUTHENT	C	x           















# Class-specific entries, examined before the appended DEFAULT entries.
# They repeat the root@<host> / <host> pairs from DEFAULT with two
# differences: root@LOCALHOST gets 'rwx' instead of 'rw', and there is no bare
# LOCALHOST line and no none:<name> line. Callers not matched here fall
# through to DEFAULT, where 'LOCALHOST * r' and the none: entries still apply.
# NOTE(review): 'x' is not described in the permissions text of this file --
# confirm what it allows for this class. The node identifier and address below
# are node-specific values; confirm they identify this node or a trusted peer.
IBM.MCP
       root@0x327db120fe38db28	*	rw          
            0x327db120fe38db28	*	r           
            root@61.81.244.239	*	rw          
                 61.81.244.239	*	r           
                root@LOCALHOST	*	rwx         
                root@localhost	*	rw          
                     localhost	*	r           
    root@localhost.localdomain	*	rw          
         localhost.localdomain	*	r           

# none:any_root gets 'rw' on the class object only (object type 'C');
# none:root gets 'rw' on the class and all of its resource instances.
# The DEFAULT entries are appended after these two lines.
# NOTE(review): the none:<name> form is not described in this file; these are
# presumably mapped identities, and the name any_root suggests a wider set of
# callers than none:root. Confirm which network identities map to each,
# since both entries carry write permission on this class.
IBM.PeerDomain
    none:any_root	C	rw          
        none:root	*	rw