Troubleshooting
Problem
How do I grant read access to NPS log files?
Cause
Granting access to files in the /nz/kit/log directory structure to users other than the directory owner, the nz user, may be necessary in the following situations:
- Monitoring applications that need to monitor the logs, but need to be set up with restricted permissions
- Scripts that need to parse or otherwise read these logs, but do not require the full power of the nz user
Resolving The Problem
1. As root, edit the /etc/fstab file. This will need to be done on both hosts for an HA system. Find the line that defines the /nz filesystem mountpoint and add 'acl' to the mount options as shown below:
/dev/drbd1 /nz ext3 rw,suid,dev,exec,nouser,async,noauto,noatime,acl 1 0
2. During a maintenance period, remount the /nz filesystem so that the new mount option, acl, takes effect. This remount should not be done while the NPS system is running.
# mount -o remount /nz
3. Create a user group that will have read access to the logs. In the example below, the nzlogs group is created. Add to this group the users that require read access to the logs.
# groupadd -g 501 nzlogs
4. Using the setfacl command, grant to the nzlogs group read access to the /nz/kit/log directory. In the example below, a recursive grant allows members of the nzlogs group to have read access to all files and directories under the /nz/kit/log directory. If more restrictive permissions are required, use a more limited grant.
# setfacl -R -m g:nzlogs:rx- /nz/kit/log
5. The setfacl command needs to be run periodically. When the logs rotate, either through the process defined in /etc/logrotate.d/netezza for the pg.log file or through the internal log rotation used for the other logs, the permissions need to be applied to the newly created log file.
For the pg.log file, add the setfacl command to the log rotation configuration by using the postrotate command as shown below:
/nz/kit/log/postgres/pg.log {
    size 1024M
    daily
    rotate 28
    missingok
    postrotate
        pkill -HUP -u nz -f postmaster 2>/dev/null || true
        setfacl -m g:nzlogs:r-- /nz/kit/log/postgres/pg.log
    endscript
}
For more information on the setfacl and getfacl commands, refer to the Linux man pages.
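Step 5 leaves the internally rotated logs to a periodic setfacl run, so it helps to check which files currently lack the grant. The following is an added example, not part of the original technote: it reads getfacl output and lists files where the group has no effective read access, including the case where the ACL mask cancels the entry. The function names and the /nz/kit/log/example paths are assumptions made for the sample.

```shell
# Added example (not from the technote): list files whose ACL gives a group
# no effective read access, such as logs recreated by rotation.
# Input: `getfacl -R -p <dir>` output on stdin. Output: one path per line.
missing_group_read() {
    awk -v grp="$1" '
        function emit() { if (file != "" && !ok) print file; file = ""; ok = 0 }
        /^# file: / { emit(); file = substr($0, 9); next }
        {
            # group:<name>:<perms>, plus "#effective:<perms>" if the mask cuts it
            split($1, f, ":")
            if (f[1] == "group" && f[2] == grp) {
                perms = f[3]
                if (match($0, "#effective:[-rwx]+"))
                    perms = substr($0, RSTART + 11, RLENGTH - 11)
                if (perms ~ /r/) ok = 1
            }
        }
        END { emit() }
    '
}

# Constructed sample (owner/group header lines omitted); example/ is hypothetical.
sample_getfacl() {
    cat <<'EOF'
# file: /nz/kit/log/postgres/pg.log
user::rw-
group::r--
group:nzlogs:r--
mask::r--
other::---

# file: /nz/kit/log/example/new.log
user::rw-
group::r--
other::---

# file: /nz/kit/log/example/masked.log
user::rw-
group::r--   #effective:---
group:nzlogs:r--   #effective:---
mask::---
other::---
EOF
}

# On the host: getfacl -R -p /nz/kit/log | missing_group_read nzlogs
sample_getfacl | missing_group_read nzlogs
```

The paths it prints are the ones that need the setfacl grant from step 4 reapplied.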
Historical Number
NZ465120
Document Information
Modified date:
17 October 2019
UID
swg21568014