Security Levels

There are five different security levels.

The security levels are:
Security Name Numeric Level Description
ANYBODY 1 No privilege to run any CLI command.
READONLY 2 Minimum privileges; a user can only browse the information but cannot change anything
USER 3 A user can only execute established flows and view non critical information.
In particular, a USER:
  • May create, modify or forget his own jobs
  • May create, modify or forget his own files
  • May create, modify or forget his own set
  • May modify or forget his dependencies
  • Create/modify/start/stop/forget own tasker
  • May not forget jobs owned by other users
  • May not modify jobs owned by other users
  • May not start and stop taskers
  • May not stop the server
LEADER 4 Intermediate privileges; a user can create and execute arbitrary flows and view all non-security related information.
A LEADER:
  • May start or stop his own taskers
  • May forget all jobs, including jobs owned by another user
  • May save trace DB to disk

This level is rarely used.

ADMIN 5 Administrator privileges; a user has access to most security information
An ADMIN:
  • May forget jobs owned by other users
  • May stop jobs owned by other users
  • May not modify jobs owned by another user (no user can modify another user's jobs)
  • May stop the server
  • May stop/modify/forget the taskers
  • May refresh tasker cache
  • May destroy user
  • May destroy host
  • May create or destroy alerts
  • May create, modify or destroy resource map
  • May reserve resource
  • May create, modify or destroy preemption rule
  • May create, modify or destroy multi-queue objects (Monitor sites, Accelerator queues, resources)
  • May create, modify or destroy Monitor objects (licdaemons, features)
  • May not modify jobs owned by another user (because no user can modify another user's jobs)

The Security File

The file security.tcl in the server working directory specifies the security policies. This file must be owned by the project owner and must have read/write access only for the owner.

To change the security file of an active server, use the vovproject reread command to make the changes effective.

The security policies are defined by the Tcl procedure vtk_security. A summary of the Tcl procedure follows:
vtk_security username|-group vovusergroupsecurityLevelhostNameOrIpRange ...
where:
username
The login name of a user or + to mean "anybody" or - to mean "nobody".
vovusergroup
The name of a VovUserGroups.
securityLevel
USER, LEADER or ADMIN (case insensitive)
hostListOrIpRange
For an IP range, it must have the form "x.x.x.x-y.y.y.y" (example 192.168.10.220-192.168.10.240). If it is not an IP range, it is either the name of a host or + to indicate "any host" or - to mean "no host".

Placing the order of the rules in this file is not important. The rules are automatically reordered from the most user specific to the least user specific and from the most liberal to the most restrictive with respect to the security level.

Example: least restrictive security

The least restrictive security grants every user full access from any host.
# All users (+) are administrators from all hosts (+).
vtk_security + ADMIN +

Example: most restrictive security

# No rule defined gives only the owner of the project ADMIN privileges 
# on the server host.

Example: typical case

The following example shows a typical security file, in which different privileges are granted to different users. Note the use of variables in the following example:
set servers      { reno milano } 
set allhosts     { reno milano elko tahoe } 

vtk_security mary    ADMIN   +
vtk_security john    ADMIN   tahoe
vtk_security dan     ADMIN   $servers
vtk_security pat     LEADER  elko 
vtk_security fred    USER    $allhosts
vtk_security bob     ADMIN   192.168.0.30-192.168.0.100
vtk_security -group mygroup USER    $allHosts

In the example, mary is an administrator from any host, and dan is an administrator only from reno and milano. The user pat is a LEADER from her machine elko, and fred has USER privileges with the four machines that are defined in the variable $allhosts. Additionally, members of the VovUserGroup "mygroup" have USER privileges from $allHosts.

Find the Security Level

To find the security level, use vtk_user_security from a Tcl script.

In a CGI environment, the variable SECURITY_LEVEL contains the numeric level of security. Example:
% vovsh -x "puts [vtk_user_security]"
5 ADMIN
% env SECURITY_LEVEL=3 vovsh -x "puts [vtk_user_security]"
3 USER