[Dev] Cynara buckets

Aleksander Zdyb a.zdyb at samsung.com
Fri Aug 21 12:53:47 GMT 2015

On 21.08.2015 14:16, Patrick Ohly wrote:
> On Fri, 2015-08-21 at 13:25 +0200, Aleksander Zdyb wrote:
>> As for Security Manager, there are indeed more than half a dozen buckets
>> used:
>> It's been designed this way, so it's easier to maintain them and faster to
>> get matching rules. But this is Tizen 3.0 specific. Other implementations
>> can use the bucket concept in any other way (see example above) or not use
>> it at all.
> One more question about this.
> When I use security-manager-policy-reload to create the Cynara DB, it'll
> create these user profile buckets with:
> # Import user-type policies
> find "$POLICY_PATH" -name "usertype-*.profile" |
> while read file
> do
> ...
>      # Link the bucket to ADMIN bucket
>      cyad --set-policy --client="*" --user="*" --privilege="*" --type=BUCKET \
>          --bucket="$bucket" --metadata="ADMIN"
> This creates a BUCKET rule in, for example, USER_TYPE_ADMIN:
> *;*;*;0xFFFE;ADMIN
> Isn't that the wrong way around? Buckets are linked as follows:
> "" (the unnamed bucket) -> MAIN -> MANIFESTS
> Nothing links to USER_TYPE_ADMIN, so ADMIN is also not reached.
> Does that look right? Then what is the purpose of these usertype
> profiles? How do they get activated in Cynara?

Privacy Manager rules will be added to the unnamed bucket.
Users will be added to MAIN. Maybe there is currently no admin,
so nothing points to the USER_TYPE_ADMIN bucket. Security Manager
adds rules as users are created or removed.

You can play with security-manager-cmd to add and remove users
and see what happens.

Please refer to this diagram for more details:


Aleksander Zdyb
Samsung R&D Institute Poland
Samsung Electronics
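
The bucket linking discussed in this thread, as an added example that is not part of the original messages and is not Cynara or Security Manager code: it parses rules in the `client;user;privilege;type;metadata` form quoted above and lists buckets that no chain of BUCKET rules reaches from the unnamed bucket. The sample database, the per-user rule written into MAIN and the uid 5001 are constructed assumptions, and every BUCKET rule is treated as a link regardless of which client, user or privilege it matches.

```python
from collections import deque

BUCKET = 0xFFFE  # policy type that appears in the rule quoted in the thread

def parse_rule(line):
    """Split 'client;user;privilege;type;metadata' as in the quoted rule."""
    client, user, privilege, ptype, metadata = line.split(";", 4)
    return client, user, privilege, int(ptype, 16), metadata

def bucket_links(db):
    """Map each bucket to the set of buckets its BUCKET rules point at."""
    links = {}
    for bucket, lines in db.items():
        rules = [parse_rule(l) for l in lines]
        links[bucket] = {r[4] for r in rules if r[3] == BUCKET}
    return links

def reachable(db, start=""):
    """Buckets a check can arrive at when it starts in the unnamed bucket."""
    links, seen, queue = bucket_links(db), {start}, deque([start])
    while queue:
        for target in links.get(queue.popleft(), ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen

def orphans(db):
    """Buckets that exist in the database but are never reached."""
    return sorted(set(db) - reachable(db))

# Constructed sample database following the layout described in the thread.
SAMPLE_DB = {
    "": ["*;*;*;0xFFFE;MAIN"],
    "MAIN": ["*;*;*;0xFFFE;MANIFESTS"],
    "MANIFESTS": [],
    "USER_TYPE_ADMIN": ["*;*;*;0xFFFE;ADMIN"],
    "ADMIN": [],
}

def with_admin_user(db, uid="5001"):
    """Assumed shape of the per-user rule Security Manager adds to MAIN."""
    updated = {name: list(rules) for name, rules in db.items()}
    updated["MAIN"].append(f"*;{uid};*;0xFFFE;USER_TYPE_ADMIN")
    return updated

if __name__ == "__main__":
    print("unreachable before:", orphans(SAMPLE_DB))
    print("unreachable after: ", orphans(with_admin_user(SAMPLE_DB)))
```
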
