The /etc/evm.auth file defines which users and/or groups are authorized to post, subscribe (monitor), or retrieve particular events. The evm.auth file contains two types of entries:
event_rights
This entry type defines the rights for a particular event class. Each event_rights entry contains three fields:
    event_rights {
        class event_class
        post rights_list
        access rights_list
    }
The class field contains the event class (e.g. @SYS_VP@.evm.msg.admin). The event must have a base template. See section 8.4 for more information.
The post field contains the list of who has permission to post this event class.
The access field contains the list of who has permission to retrieve or subscribe to this class of event.
The rights_list is defined in Table 8-6.
Table 8-6. Event Authorization Rights
Syntax: + | - [user | group=groupname]

Attribute | Value |
---|---|
user | any login username |
groupname | any group |
+ | grant access |
- | deny access |
The rights_list must be enclosed in double-quotes ("") if it contains spaces. Multiple users and/or groups in the rights_list must be separated by a comma (,). The root user has implicit rights to all events and services unless explicitly denied.
For example:
    event_rights {
        class @SYS_VP@.binlog    # binary error log events
        post root
        access "root, group=adm"
    }
The root user can post events of type "sys.unix.binlog", and the root user and users in the adm group can retrieve the events. If you are concerned about future portability, you should use the @SYS_VP@ macro to refer to system (sys.unix) events.
service_rights
This entry type defines the rights for a particular service to be performed by the daemon for a requesting client. Each service_rights entry contains two fields:
    service_rights {
        service service_name
        execute rights_list
    }
The service field contains the particular service. Services must be defined in /etc/evmdaemon.conf. User-defined services are not supported as of this writing.
The execute field contains the users and/or groups that are authorized to execute this service.
For example:
    service_rights {
        service event_get    # event_get service - handles evmget requests
        execute +
    }
All users can execute the event_get service. The event_get service is used by the evmget program.
For additional information, see the Tru64 UNIX System Administration Guide, chapter 13, and the evm.auth(4) reference page.
Remote access is disabled by default. To enable remote access, modify the remote_connection attribute to "true" in /etc/evmdaemon.conf.
As of this writing, there is no authentication for remote users. Remote users are granted the lowest level of access or posting privileges. For additional information, see the Tru64 UNIX System Administration Guide, chapter 13.
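Because remote users are not authenticated, it is worth knowing which entries grant rights to everyone before enabling remote access. The following is an added example, not code from the book or from Tru64 UNIX: it parses text in the evm.auth format described above and lists every field whose rights_list contains a bare "+". It assumes that "#" comments run to the end of the line and that a leading "-" on a name denies it; the sample text and the event class myco.app.status are constructed.

```python
import re

# Constructed sample in the evm.auth layout described above; "myco.app.status"
# is a hypothetical event class, not taken from a real system.
SAMPLE = '''
event_rights {
    class   @SYS_VP@.binlog        # binary error log events
    post    root
    access  "root, group=adm"
}
event_rights {
    class   myco.app.status
    post    +
    access  "+, -guest"
}
service_rights {
    service event_get
    execute +
}
'''

BLOCK = re.compile(r'(event_rights|service_rights)\s*\{(.*?)\}', re.S)
FIELD = re.compile(r'\b(class|service|post|access|execute)\s+("[^"]*"|\S+)')

def parse_rights(text):
    """Return (grant, subject) pairs; subject None means every user."""
    rights = []
    for item in filter(None, (i.strip() for i in text.strip('"').split(','))):
        # Assumption: a leading "-" denies, anything else grants.
        rights.append((not item.startswith('-'), item.lstrip('+-').strip() or None))
    return rights

def parse_evm_auth(text):
    """Parse event_rights/service_rights blocks into dictionaries."""
    entries = []
    for kind, body in BLOCK.findall(re.sub(r'#.*', '', text)):  # drop comments
        entry = {'type': kind}
        for key, value in FIELD.findall(body):
            entry[key] = value if key in ('class', 'service') else parse_rights(value)
        entries.append(entry)
    return entries

def open_grants(entries):
    """List (name, field) for each field that grants rights to all users."""
    return [(e.get('class') or e.get('service'), f)
            for e in entries for f in ('post', 'access', 'execute')
            if (True, None) in e.get(f, [])]

if __name__ == '__main__':
    for name, field in open_grants(parse_evm_auth(SAMPLE)):
        print(f'{name}: "{field}" is granted to all users')
```
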
Writing applications that use EVM falls beyond the scope of this book. However, we would be remiss if we did not mention that there is a full API for EVM that enables you to write programs that can post events or subscribe to events. For additional information, see the Tru64 UNIX Programmer's Guide, chapter 14, as well as the reference pages in section 3 for the EVM API. To find all the "Evm*" calls, try the following command:
# man -k evm | grep -E '^(Evm)(.*)\(3\)'
Alternatively, you can use our sman script (see Appendix B for the URL), which is a section-based "man -k" script with formatted output.
# sman 3 Evm
There are also program examples in the /usr/examples/evm directory.