There should be a single MDS service per system. Conventions for locating MDS application information must be defined on a per-platform basis. The MDS application attributes that should be available to applications include:
CDSA-related installation programs use the MDS registry information to discover if the appropriate MDS is available on the system. It may be necessary to upgrade MDS binaries or update MDS schema before CSSM, EMM, or service provider modules can be installed. For this reason, a CDSA installation package must include MDS installation programs.
The MDS installation program creates the databases and relations defined in this specification.
Elective module manager (EMM) installation programs may contain MDS installation programs that update the MDS schema to accommodate EMM service providers.
Mapping the DL database access flags to file permissions is
platform-specific. If the host operating system supports User, Group,
Other privileges controlling Read, Write, and Execute permission bits,
the following table suggests how the DL access flags, of type
CSSM_DB_ACCESS_TYPE, could be mapped on a UNIX* platform.
DL Access Flags | Permission Bits | Process Privilege |
---|---|---|
CSSM_DB_ACCESS_READ | r-- | other |
CSSM_DB_ACCESS_WRITE | rw- | group |
CSSM_DB_ACCESS_PRIVILEGED | rw- | user |
CSSM_DB_ACCESS_ASYNCHRONOUS | N/A | group |
Read-only access is granted to all processes. This enables the DbQuery interfaces. Read/Write access it granted to installation programs and services handling dynamic service provider insert and remove events. Write access is enabled for DbInsert, DbUpdate and DbDelete. An administration application that updates the MDS schema or reorganizes the database must own the database files to obtain privileged access. This, along with read/write privileges, allows exclusive access to the MDS database. When opened with CSSM_DB_ACCESS_PRIVILEGED, no other processes may open the database. In order to make changes to the MDS schema, the database needs to be opened with CSSM_DB_ACCESS_PRIVILEGED; in this case, the user/application has also the rights to query and insert/delete/update records in any user relation.
A privileged user can set use of CSSM_DB_ACCESS_ASYNCHRONOUS. It is MDS administration policy that determines the degree of perceived risk due to cached write operations. By default CSSM_DB_ACCESS_ASYNCHRONOUS is enabled.
Contents | Next section | Index |