How CDS Servers Gain Access to the Namespace
CDS servers require permission to the cell root directory and to lower-level directories to successfully execute the following CDS commands:
· clearinghouse create
· directory create - For directories and replicas
· directory delete - For directories and replicas
· directory synchronize
To automate the process of granting all CDS servers the permissions that they require, the CDS cell configuration process creates an authorization group for CDS servers under the fixed name
subsys/dce/cds-servers. The principal name of the initial server in the cell is added to this group as part of the configuration process. Immediately after the group is created, the
configuration process grants full permissions (r, w, i, d, t, c, a) to the cell root directory of the new namespace on behalf of the
group. ACL entries of the Object ACL and Initial Container Creation ACL types are created by specifying subsys/dce/cds-servers as the principal in each ACL entry. This ensures that the
group has full access to all future directories and their contents.
Thereafter, whenever a new server is configured in the cell, the server configuration process automatically adds the principal name of the new server to the group. Through this process, all CDS
Servers in the cell receive adequate permissions to all directories in the namespace.
|