allowlist.conf reference

The allowlist.conf file enables you to control access to log files and directories in the cluster.

Location

The allowlist.conf file (with parameters commented out) is installed with IBM® Spectrum Symphony at $EGO_CONFDIR on Linux® and %EGO_CONFDIR% on Windows.

Without an allowlist configuration, users can retrieve all files and directories on the host; access to files through soft links is also allowed.

Note: The allowlist.conf file must be available on management and compute hosts in your cluster. After you update this file on the primary host, run the rsdeploy command to deploy the file to all hosts in your cluster. See Restricting log retrieval.

Parameters

EGO_RFA_ALLOW_SOFTLINK
(Linux only) Optional. Whether to allow access to files that are referenced by soft links. Valid values are y or Y to allow access and n or N to deny access. If the parameter is not defined or its value is not valid, access through soft links is allowed.

If EGO_RFA_ALLOW_SOFTLINK=n and a soft link is added to the allowlist in the ALLOWLIST parameter, the contents of the file referenced by the soft link cannot be retrieved.

Note: If you create soft (symbolic) links to files and directories on Windows hosts, you can access those files and directories even if they are not configured in the allowlist.conf file.

Default: Access through soft links is allowed.

ALLOWLIST
Optional. Specifies an allowlist of directories, separated by semi-colons, from which log files can be retrieved. Valid values are absolute paths to one or more directories, each of which is specified as a regular expression, up to a maximum of 1014 characters. Do not specify relative paths. Take care also to define any user-specified directories. If the directory is not listed, users cannot retrieve files from that directory. You can also include system environment variables in your expression.
The following regular expressions are supported:
Regular expression    Description

Character classes
\s                    Blank space
\S                    Not blank space
\d                    Digit
\D                    Not digit
\w                    Word
\W                    Not word
\x                    Hexadecimal digit
\O                    Octal digit

Special characters
\n                    New line
\r                    Carriage return
\t                    Tab
.                     Any character except line break

Anchors
^                     Start of string, or start of line in multi-line pattern
$                     End of string, or end of line in multi-line pattern

Quantifiers
+                     One or more
*                     Zero or more times
{n}                   Exactly n times
?                     Once or none

Group and Ranges
(a|b)                 a or b
(...)                 Group
[abc]                 Range (a or b or c)
[^abc]                Not (a or b or c)

Here are some examples of how you can use a regular expression in the ALLOWLIST parameter:
On Linux:
  • To allow access to all files and subdirectories under $EGO_TOP, use:
    (${EGO_TOP}/.*)

    When you specify multiple directories, use a semi-colon (;) to separate the directories and enclose each entry in parentheses (()), for example, (${EGO_TOP}/.*);(${SOAM_HOME}/.+).

  • To deny access to subdirectories relative to the top-level installation directory (such as $EGO_TOP/../forbidden), use:
    (${EGO_TOP}/(?!.*\.\./).*)
  • To allow access to any file under a directory named log or logs under $EGO_TOP, use:
    (${EGO_TOP}/.*/(log|logs)/.+)
  • To allow access to files under $EGO_LOGDIR with .log as the file extension or in the file name, use:
    (${EGO_TOP}/kernel/log/.+\.log.*)
  • To allow access to files with .log. in the file name followed by a string (such as the host name) which might end with one or two digits, use:
    (${EGO_TOP}/kernel/log/.+\.log\..+[0-9]??)
On Windows:
  • To allow access to all files and subdirectories under the top-level installation directory, use:
    (${EGO_TOP}\\.*)

    When you specify multiple directories, use semi-colons to separate the directories and enclose each entry in parentheses (()), for example, (${EGO_TOP}\\.*);(${SOAM_HOME}\\.+).

  • To deny access to subdirectories relative to the top-level installation directory (such as Installation_top\..\forbidden), use:
    (${EGO_TOP}\\(?!.*\.\.\\).*)
  • To allow access to any file under a directory named log or logs under the top-level installation directory, use:
    (${EGO_TOP}\\.*\\(log|logs)\\.+)
  • To allow access to files under %EGO_LOGDIR% with .log as the file extension or in the file name, use:
    (${EGO_TOP}\\kernel\\log\\.+\.log.*)
  • To allow access to files with .log. in the file name followed by a string (such as the host name) which might end with one or two digits, use:
    (${EGO_TOP}\\kernel\\log\\.+\.log\..+[0-9]??)

Take care to ensure that your expression is valid and matches the directories you want to allow access to. If the ALLOWLIST parameter is not defined, users can retrieve all files and directories on the host.

Default: Access to all files and directories on the host is allowed.

Example

Linux:
EGO_RFA_ALLOW_SOFTLINK=
ALLOWLIST=(${EGO_TOP}/kernel/log/.+\.log\..+[1-9]??);(${EGO_TOP}/kernel/log/*);(${EGO_TOP}/kernel/log/vemkd\.log*)
Windows:
ALLOWLIST=(${SOAM_HOME}\\.+)
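
To check that an ALLOWLIST value matches only the directories you intend before you deploy it, the following added example (not IBM code) runs the Linux patterns from this page against sample paths. It assumes that ${VAR} is expanded literally and that a path is retrievable when any entry matches the whole path; the product's own matching rules are not stated on this page. EGO_TOP=/opt/sym and the sample paths are constructed, and LOG_DIRS_STRICT is a combination of two of the page's patterns built for this example.

```python
import re

def parse_allowlist(value, env):
    """Split an ALLOWLIST value on ';' and compile each parenthesized entry.

    Assumption: ${VAR} is replaced by the literal value of VAR before the
    entry is compiled; the product's own expansion rules may differ.
    """
    compiled = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        if not (entry.startswith("(") and entry.endswith(")")):
            raise ValueError(f"entry not enclosed in parentheses: {entry}")
        expanded = re.sub(r"\$\{(\w+)\}",
                          lambda m: re.escape(env[m.group(1)]), entry)
        compiled.append((entry, re.compile(expanded)))
    return compiled

def matching_entries(path, compiled):
    """Return the entries whose regex matches the whole path.

    Assumption: the full path must match (fullmatch), not just a prefix.
    """
    return [entry for entry, rx in compiled if rx.fullmatch(path)]

# Constructed sample values, not taken from a real cluster.
ENV = {"EGO_TOP": "/opt/sym"}
PATHS = [
    "/opt/sym/kernel/log/vemkd.log",
    "/opt/sym/kernel/conf/ego.conf",
    "/opt/sym/../forbidden/logs/app.log",
    "/var/log/messages",
]
# Entries copied from the Linux examples on this page.
BROAD = r"(${EGO_TOP}/.*)"
NO_DOTDOT = r"(${EGO_TOP}/(?!.*\.\./).*)"
LOG_DIRS = r"(${EGO_TOP}/.*/(log|logs)/.+)"
# Constructed for this example: LOG_DIRS with the lookahead from NO_DOTDOT.
LOG_DIRS_STRICT = r"(${EGO_TOP}/(?!.*\.\./).*/(log|logs)/.+)"

def report(value):
    """Map each sample path to True (retrievable) or False (denied)."""
    compiled = parse_allowlist(value, ENV)
    return {p: bool(matching_entries(p, compiled)) for p in PATHS}

if __name__ == "__main__":
    for name in ("BROAD", "NO_DOTDOT", "LOG_DIRS", "LOG_DIRS_STRICT"):
        print(name, report(globals()[name]))
```

Under these assumptions, the log-directory pattern still admits a path containing ../ unless the lookahead is part of the same entry, because a path needs to match only one entry in the list.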