The db2cluster command is the main interface into DB2® cluster services, and as such acts on both the cluster manager and the shared file system cluster provided for the IBM® DB2 pureScale® Feature. The db2cluster command options that are available to a user depend on the user's authority.
In terms of the security model for the db2cluster command, there are three user groups, broken down by the type of tasks each user group is likely to perform:
- Anyone with a userid on the system
  Users in this group are able to use the db2cluster command to report information about the DB2 pureScale instance, but not to make any changes.
- The SYSADM, SYSCTL or SYSMAINT group
  Users in this group are able to use the db2cluster command to keep the instance up and running, and to perform some administrative tasks on the cluster manager. By definition, a user in this group is either the userid of the instance, a member of the primary group of the instance owner, or a member of a non-primary group of the instance owner. DB2 recommends that normal day-to-day activities are performed using a userid with membership in a non-primary group of the instance owner.
- The DB2 cluster services administrator
  Users in this group have no requirements to access data in the database; this is an administrative role used for:
  - installation and configuration of the DB2 cluster services portion of DB2
  - maintaining clustered instances in the cluster domain and maintaining the shared file system cluster
The DB2 cluster services administrator role is an end user with access to a root-owned userid for the operating system; for example, an operating system administrator.
DB2 cluster services can affect all clustered environments, whether you are using the DB2 pureScale Feature or a partitioned database environment with integrated HA. Therefore, roles such as DBADM, SECADM, SQLADM, WLMADM, EXPLAIN, ACCESSCTRL, and DATAACCESS, which act on databases, do not provide the appropriate level of authority for cluster management. The DB2 cluster services administrator can be the same person as someone with a userid in the SYSADM, SYSCTL or SYSMAINT groups.
Note: Just because a user has SYSADM privileges, it does not necessarily mean the user has operating system administration privileges.
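The three tiers above map directly onto operating system identity: root, the instance owner and its groups, and everyone else. The following POSIX shell functions are an added example (not part of the IBM documentation) that classify a userid into those tiers and check whether it matches the recommended day-to-day profile, a member of a non-primary group of the instance owner rather than the owner itself. Group data is passed as arguments so it runs offline; the user, group and instance names used are constructed samples.

```shell
#!/bin/sh
# Added example, not IBM code: classify a userid into the db2cluster authority
# tiers described in the documentation, using only uid and group membership.
# All account and group names in the sample calls are constructed.

# db2cluster_tier UID USER USER_GROUPS OWNER OWNER_GROUPS
#   prints one of: cluster-services-admin | sysadm-group | any-user
#   (group lists are space-separated, as printed by `id -Gn`)
db2cluster_tier() {
  uid=$1 user=$2 user_groups=$3 owner=$4 owner_groups=$5
  # A root-owned userid is the DB2 cluster services administrator.
  if [ "$uid" -eq 0 ]; then echo cluster-services-admin; return 0; fi
  # The instance owner userid itself is in the SYSADM/SYSCTL/SYSMAINT tier.
  if [ "$user" = "$owner" ]; then echo sysadm-group; return 0; fi
  # So is any member of a primary or non-primary group of the instance owner.
  for g in $user_groups; do
    for og in $owner_groups; do
      [ "$g" = "$og" ] && { echo sysadm-group; return 0; }
    done
  done
  # Everyone else may only report (-list, -verify), not change anything.
  echo any-user
}

# day_to_day_ok USER USER_GROUPS OWNER OWNER_PRIMARY_GROUP OWNER_GROUPS
#   succeeds (exit 0) when USER is not the instance owner and shares at least
#   one non-primary group with the owner, the profile recommended above.
day_to_day_ok() {
  user=$1 user_groups=$2 owner=$3 owner_primary=$4 owner_groups=$5
  [ "$user" = "$owner" ] && return 1
  for g in $user_groups; do
    for og in $owner_groups; do
      [ "$og" = "$owner_primary" ] && continue   # primary group does not count
      [ "$g" = "$og" ] && return 0
    done
  done
  return 1
}

# Live use on a host (sample account names; substitute your own):
#   db2cluster_tier "$(id -u alice)" alice "$(id -Gn alice)" db2inst1 "$(id -Gn db2inst1)"
#   day_to_day_ok alice "$(id -Gn alice)" db2inst1 "$(id -gn db2inst1)" "$(id -Gn db2inst1)"
```

Running the tier check over the accounts that hold the instance owner's groups is a quick way to see who effectively holds the SYSADM/SYSCTL/SYSMAINT tier on a host, since that membership, not any database authority, is what db2cluster evaluates.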
Cluster manager tasks for db2cluster
- Anyone with a userid on the system can retrieve information about the current state of the cluster domain using the -list and -verify options.
- Users in the SYSADM, SYSMAINT or SYSCTL group can query and change the preferred primary cluster caching facility using the -list and -set options. As well, these users can use the -clear -alert option to clear alerts for any of the hosts, members, and cluster caching facilities in the current instance (as defined by the DB2INSTANCE registry variable). Users in this group can also create and delete cluster resources, and repair the cluster manager resource model; however, it is strongly recommended that these tasks be performed only under the advisement of DB2 service personnel.
- The DB2 cluster services administrator can perform administrative tasks that affect DB2 cluster services as a whole across all clustered instances on all hosts in the cluster domain. This user can perform configuration tasks such as setting the tiebreaker device and the host failure detection time, using the -set option. As well, the DB2 cluster services administrator can perform maintenance-related tasks, such as putting hosts into maintenance mode, using the -enter option, or committing changes or updates to the cluster manager, using the -commit option. This user can also perform advanced maintenance operations on the cluster manager peer domain, such as creating, deleting, starting, or stopping the domain, and adding or removing hosts; however, it is strongly recommended that these tasks be performed only under the advisement of DB2 service personnel.
Shared file system tasks for db2cluster
- Anyone with a userid on the system can retrieve information about the current state of the cluster domain using the -list and -verify options. These users can also perform a wide variety of file system operations with the db2cluster command options, but what they can do is constrained by regular file system permissions. As long as the userid running the command has read and write ownership of the device being used, that user can create file systems and add disks. Once a file system has been created or mounted, access to that file system is limited to the userid that created it and to the DB2 cluster services administrator, so only those users can remove, delete, or rebalance a file system. Either the userid that created it, or the DB2 cluster services administrator, can create directories that are accessible to other users, much as with a normal file system.
- The DB2 cluster services administrator can perform administrative tasks that affect DB2 cluster services as a whole across all clustered instances on all hosts in the cluster domain. This user can change options for the tiebreaker device, using the -set option. As well, the DB2 cluster services administrator can perform maintenance-related tasks, such as putting hosts into maintenance mode, using the -enter option, or committing changes or updates to the shared file system, using the -commit option. This user can also perform advanced maintenance operations on the shared file system cluster, such as creating, deleting, starting, or stopping the domain, and adding or removing hosts; however, it is strongly recommended that these tasks be performed only under the advisement of DB2 service personnel.