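#!/bin/ksh93
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2019,2021. All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# @(#) 7d4c34b 43haes/usr/sbin/cluster/cspoc/utilities/cl_rbac_permissions_conf.sh, 726, 2147A_aha726, Feb 05 2021 09:50 PM

##MAIN START##
# This code is executed on all the nodes of the cluster as part of
# enabling or disabling RBAC on the nodes.
#
# Usage: cl_rbac_permissions_conf.sh enable|disable
#
#   enable  - remove the "others" execute bit from the PowerHA files listed
#             in $CMD_FILE, move the HACMP* ODMs and the cluster etc
#             directory to group ldapha (group-writable), and grant the
#             extended ACLs for the files listed in $ACL_LIST_FILE.
#   disable - reverse each of the steps above and delete the ldapha-owned
#             temporary files under /var/hacmp/tmp.
#
# NOTE(review): any other argument (or none) falls through both branches
# and the script still exits 0, so a mistyped argument is silently ignored.
#
# NOTE(review): this script changes ownership, mode bits and ACLs based on
# the contents of $CMD_FILE and $ACL_LIST_FILE. Both lists are expanded
# unquoted below, so they must be treated as trusted input; confirm that
# they are writable by root only.

[[ "$VERBOSE_LOGGING" == "high" ]] && set -x

# fsec_init and ret_fail are not defined in this file; presumably they come
# from the file sourced here - confirm.
. /usr/es/sbin/cluster/cspoc/cl_federatedsec_source
fsec_init

export PATH=$(/usr/es/sbin/cluster/utilities/cl_get_path all)

#====================================================
# Get the location of the clutils.log file
#====================================================
CLUTIL_LOG_DIR=$(clodmget -q "name = clutils.log" -n -f value HACMPlogs)
if [[ -z $CLUTIL_LOG_DIR ]]
then
    # Fall back to the default log directory when the ODM has no entry.
    CLUTIL_LOG_DIR="/var/hacmp/log"
fi
CLUTIL_LOG="$CLUTIL_LOG_DIR/clutils.log"

typeset CMD_FILE="/usr/es/sbin/cluster/cspoc/cl_rbac_perms_list"
typeset ACL_LIST_FILE="/usr/es/sbin/cluster/cspoc/cl_rbac_acl_perm_list"

if [[ $1 == "enable" ]]
then
    # Each step captures only stderr (stdout is discarded); any message on
    # stderr is treated as a failure of that step.
    STD_ERR=$(chgrp ldapha /etc/es/objrepos/HACMP* 2>&1 1>/dev/null)
    [[ -n $STD_ERR ]] && ret_fail "Failed to set ldapha group for HACMP odm." 1

    STD_ERR=$(chgrp ldapha /usr/es/sbin/cluster/etc 2>&1 1>/dev/null)
    [[ -n $STD_ERR ]] && ret_fail "Failed to set ldapha group for /usr/es/sbin/cluster/etc." 1

    STD_ERR=$(chmod g+w /usr/es/sbin/cluster/etc 2>&1 1>/dev/null)
    [[ -n $STD_ERR ]] && ret_fail "Failed to add write permission to ldapha group for /usr/es/sbin/cluster/etc." 1

    # Remove the "others" execute permission from the PowerHA files.
    while read -r LINE
    do
        # Skip blank lines (chmod would be called without a file) and comments.
        [[ -z $LINE ]] && continue
        [[ $LINE == \#* ]] && continue
        # $LINE is left unquoted as in the original so that a list entry
        # holding several paths or a wildcard keeps working.
        chmod o-x $LINE
    done < "$CMD_FILE"

    # Change the ACL permissions for the files provided in cl_rbac_acl_perm_list.
    # This grants the extended ACL permissions to the ldapha group.
    while read -r LINE
    do
        # A blank line would otherwise pass "enable" as the file name.
        [[ -z $LINE ]] && continue
        [[ $LINE == \#* ]] && continue
        typeset file_name=""
        # The file name is everything before the first ':' of the entry.
        file_name=${LINE%%:*}
        cl_rbac_acl_conf $file_name enable
    done < "$ACL_LIST_FILE"

elif [[ $1 == "disable" ]]
then
    STD_ERR=$(chgrp hacmp /etc/es/objrepos/HACMP* 2>&1 1>/dev/null)
    [[ -n $STD_ERR ]] && ret_fail "Failed to unset ldapha group for HACMP odm." 1

    STD_ERR=$(chgrp system /usr/es/sbin/cluster/etc 2>&1 1>/dev/null)
    [[ -n $STD_ERR ]] && ret_fail "Failed to unset ldapha group for /usr/es/sbin/cluster/etc." 1

    # Capture stderr here as well. The original ran chmod without updating
    # STD_ERR and then tested the value left over from the chgrp above, so a
    # failure to drop the group write bit was never detected and the
    # directory could stay group-writable after RBAC was disabled.
    STD_ERR=$(chmod g-w /usr/es/sbin/cluster/etc 2>&1 1>/dev/null)
    if [[ -n $STD_ERR ]]
    then
        # Keep the error text in clutils.log, where the original redirected
        # this command's output.
        print -r -- "$STD_ERR" >> "$CLUTIL_LOG"
        ret_fail "Failed to remove write permission to ldapha group for /usr/es/sbin/cluster/etc." 1
    fi

    # Remove the temporary files created with the ldapha group.
    # Only regular files are selected (-type f), so rm is run without -r:
    # if an entry were replaced by a directory between the find test and the
    # rm call, a recursive delete would run with this script's privileges.
    find /var/hacmp/tmp/ -type f -group ldapha -exec rm -f {} \;

    # Restore the "others" execute permission on the PowerHA files.
    while read -r LINE
    do
        [[ -z $LINE ]] && continue
        [[ $LINE == \#* ]] && continue
        chmod o+x $LINE
    done < "$CMD_FILE"

    # Change the ACL permissions for the files provided in cl_rbac_acl_perm_list.
    # This revokes the extended ACL permissions from the ldapha group.
    while read -r LINE
    do
        [[ -z $LINE ]] && continue
        [[ $LINE == \#* ]] && continue
        typeset file_name=""
        file_name=${LINE%%:*}
        cl_rbac_acl_conf $file_name disable
    done < "$ACL_LIST_FILE"
fi

exit 0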