Sun StorageTek ACSLS volume access control is a very useful feature when sharing a tape library between multiple hosts. In normal ACSLS operation every host can see every tape, which is not what you want when several backup domains are attached to the same library: a host in one domain can overwrite tapes that belong to another. Careful configuration of each host's backup application can avoid this scenario, but that solution depends on nobody making a mistake. ACSLS's volume access control adds an extra layer of protection, enforced by the library software itself rather than by the clients. This guide is intended as a configuration guide, explaining in detail how to set it up.
Step 1: Enable volume access control by starting acsss_config and choosing option 4, "Set Access Control Variables".
Answer TRUE to "Access control is active for volumes".
Answer NOACCESS to "Default access for volumes ACCESS/NOACCESS", so that a host can only reach the volumes it has explicitly been granted.
Step 2: Go to /export/home/ACSSS/data/external and edit the file vol_attr.dat. This file specifies which ranges of tapes are owned by whom. The owner is a label you define, not a host name.
Sample vol_attr.dat - each field is delimited by the pipe sign |:
000000-019999|ob-nile||force|
200000-299999|ob-nile||force|
300000-399999|ob-nile||force|
500000-599999|ob-main||force|
D20000-D39999|ob-triton||force|
D40000-D49999|ob-triton||force|
D10000-D19999|ob-proteus||force|
Field 1: tape range - specify a range of barcodes. Cleaning tapes live their own lives - you can't set ownership on them.
Field 2: owner of the tape range (a label, not a host name). In this example "ob" means "owned by" and the last part is the master server name, but the label can be anything - just be careful with special characters. Some versions of ACSLS have problems with the underscore "_".
Field 3: pool id - not used at our site.
Field 4: force or blank. "force" allows ACSLS to override a volume's previous ownership. I recommend setting this field to "force".
Field 5: move-to-lsm - not used at our site. Here you can define a home LSM for the volume range. We let our tapes flow freely, so this field is left blank.
Step 3: Go to /export/home/ACSSS/data/external/access_control/ and edit the file internet.addresses. This file maps IP addresses to names. ACSLS identifies a client by the IP address its requests come from, so add every host that will issue mount/dismount requests. The names do not have to match DNS, but I highly recommend keeping them the same.
Sample from internet.addresses (shortened for readability):
10.1.1.1 main
10.1.1.2 triton
10.1.1.3 proteus
10.1.1.4 congo
10.1.1.5 tyne
Step 4: Edit users.ALL.allow. This file decides which of the hosts defined in internet.addresses are allowed to see the tape ranges defined in vol_attr.dat. The first field on each line is an owner label from vol_attr.dat, followed by all the hosts that are allowed to share/see that owner's tapes.
Sample of users.ALL.allow
ob-nile donau ganges mekong volga tyne hudson oder
ob-triton triton atlas gaia nyx rhea
ob-main congo gobi klat darwin indus
Read the file as: tapes owned by "ob-nile" are accessible to the hosts donau, ganges, mekong, volga, tyne, hudson and oder. All other tape series are filtered out by ACSLS for those hosts.
Step 5: Type the command acsss_config and choose option 6, "Rebuild Access Control information". Do a ps -ef and check that the process watch_vols has started.
Step 6: From now on all tapes entered through the CAP will have their ownership set by ACSLS according to vol_attr.dat. Tapes already in the LSM need to have their ownership set by the admin. From cmd_proc do:
set owner {owner} volume {barcode_start}-{barcode_end}, for example: set owner "ob-nile" volume 000000-199999
Tapes not matched by any range in vol_attr.dat are owned by SYSTEM. You can list volume ownership with:
# /export/home/ACSSS/bin/volrpt -d -f /export/home/ACSSS/data/external/volrpt/owner_id.volrpt
Step 7: Keep an eye on acsss_event.log. If a misconfiguration prevents tape mounts/dismounts, an error message similar to the one below is displayed. The Host ID is the IP address the request came from: check that it has an entry in internet.addresses and that the name it maps to is listed for the volume's owner in users.ALL.allow.
16:15:31 29-09-2008 QUERY[0]:
728 N cl_ac_vol_access.c 1 265
cl_ac_vol_access: Volume Access Denied
Command <QUERY>, Volume <500499>, Host ID <10.1.22.102>, Access ID <>
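To check the three files against each other before rebuilding (Step 5), and to turn a denial from Step 7 into a pointer at the file that needs fixing, here is an added example checker written for this guide. It is not part of ACSLS. It embeds copies of the sample files above as constructed data, and it makes two assumptions that are this script's, not taken from ACSLS source: a range covers all fixed-width barcodes that sort between its two endpoints, and any request that is not explicitly granted falls back to the default access chosen in Step 1. Because the sample internet.addresses is shortened, the lint deliberately reports the hosts in users.ALL.allow that have no address entry.

```python
"""ACSLS volume access control checker: added example, not ACSLS code. Applies the
rules the guide describes to copies of the three files; range and default-access
semantics are this script's assumptions, not taken from ACSLS source."""
import re

# Constructed samples mirroring the guide's files; not real site data.
VOL_ATTR_DAT = """\
000000-019999|ob-nile||force|
200000-299999|ob-nile||force|
300000-399999|ob-nile||force|
500000-599999|ob-main||force|
D20000-D39999|ob-triton||force|
D40000-D49999|ob-triton||force|
D10000-D19999|ob-proteus||force|
"""
INTERNET_ADDRESSES = """\
10.1.1.1 main
10.1.1.2 triton
10.1.1.3 proteus
10.1.1.4 congo
10.1.1.5 tyne
"""
USERS_ALL_ALLOW = """\
ob-nile donau ganges mekong volga tyne hudson oder
ob-triton triton atlas gaia nyx rhea
ob-main congo gobi klat darwin indus
"""
DEFAULT_OWNER = "SYSTEM"      # owner of a volume matched by no range
DEFAULT_ACCESS = "NOACCESS"   # value chosen in acsss_config option 4

def parse_vol_attr(text):
    """Return [(start, end, owner)]; fields are range|owner|pool id|force|move-to-lsm."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vol, owner, _pool, force, _lsm = ([f.strip() for f in line.split("|")] + [""] * 5)[:5]
        start, _, end = vol.partition("-")
        end = end or start                               # a single volume, not a range
        if not owner or len(start) != len(end) or start > end or force not in ("", "force"):
            raise ValueError(f"vol_attr.dat line {lineno}: bad entry {line!r}")
        ranges.append((start, end, owner))
    return ranges

def parse_internet_addresses(text):
    """IP -> name; ACSLS identifies a client by the source IP of its request."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return {ip: name for ip, name, *_ in rows}

def parse_users_allow(text):
    """Owner label -> set of host names allowed to see that owner's volumes."""
    allow = {}
    for parts in (ln.split() for ln in text.splitlines()):
        if parts and not parts[0].startswith("#"):
            allow.setdefault(parts[0], set()).update(parts[1:])
    return allow

def owner_of(barcode, ranges):
    # Assumption: a range covers fixed-width barcodes sorting between its endpoints,
    # which holds for ranges like 000000-019999 and D20000-D39999.
    for start, end, owner in ranges:
        if len(barcode) == len(start) and start <= barcode <= end:
            return owner
    return DEFAULT_OWNER

def check_access(barcode, host_ip, ranges, addresses, allow):
    """(allowed, reason); anything not explicitly granted falls back to DEFAULT_ACCESS."""
    owner, host = owner_of(barcode, ranges), addresses.get(host_ip)
    if host is None:
        return DEFAULT_ACCESS == "ACCESS", f"{host_ip} has no entry in internet.addresses"
    if host in allow.get(owner, ()):
        return True, f"{host} is listed for owner {owner} in users.ALL.allow"
    return DEFAULT_ACCESS == "ACCESS", f"{host} is not listed for owner {owner} in users.ALL.allow"

def lint(ranges, addresses, allow):
    """Cross-file gaps that would otherwise only surface as denials in acsss_event.log."""
    problems = [f"owner {o} in vol_attr.dat has no users.ALL.allow line"
                for o in sorted({r[2] for r in ranges} - set(allow))]
    known = set(addresses.values())
    for owner, hosts in sorted(allow.items()):
        problems += [f"host {h} (owner {owner}) has no internet.addresses entry" for h in sorted(hosts - known)]
    return problems

DENIED_RE = re.compile(r"Command <(?P<cmd>[^>]*)>, Volume <(?P<vol>[^>]*)>, Host ID <(?P<ip>[^>]*)>")

def explain_denial(log_line, ranges, addresses, allow):
    """Turn a 'Volume Access Denied' line from acsss_event.log into a diagnosis."""
    m = DENIED_RE.search(log_line)
    if not m:
        return None
    _, reason = check_access(m["vol"], m["ip"], ranges, addresses, allow)
    return f"{m['cmd']} of volume {m['vol']} from {m['ip']}: {reason}"

if __name__ == "__main__":
    R, A, W = parse_vol_attr(VOL_ATTR_DAT), parse_internet_addresses(INTERNET_ADDRESSES), parse_users_allow(USERS_ALL_ALLOW)
    for p in lint(R, A, W):
        print("WARN", p)
    print(explain_denial("Command <QUERY>, Volume <500499>, Host ID <10.1.22.102>, Access ID <>", R, A, W))
```

Run it against copies of the real files (read them with open() in place of the embedded strings) before choosing acsss_config option 6; anything the lint flags will turn into Volume Access Denied messages once watch_vols is running. On the sample data it reports, among other things, that vol_attr.dat defines an owner ob-proteus that users.ALL.allow never grants to any host, and it explains the Step 7 log line as a Host ID that is missing from internet.addresses.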


