1 02/27/85 register_resource, rgr
2
3 Syntax as a command: rgr type STR1 ... STRN -control_args
4
5
6 Function: makes a particular resource known to the system. The
7 registration process informs the system that the resource is available
8 for users who are authorized to access it.
9
10
11 Arguments:
12 type
13 is a resource type defined in the RTDT. See "Reserved Names" below
14 for additional information.
15 STRi
16 is the unique identifying name of the particular resource being
17 registered. If STR is specified in control argument format i.e.
18 if it is preceded by a hyphen, then it must be preceded by -name or
19 -nm. The string "scratch" is not permitted.
20
21
22 Control arguments:
23 -access_class accr, -acc accr
24 sets the initial AIM access class parameters, where accr is an
25 access class range. Users at any authorization within the access
26 class range inclusive are allowed to read and write to the resource
27 provided they also meet other access requirements.
28 -acs_path path
29 specifies the pathname of the access control segment ACS for this
30 resource. The ACS is not created by this command, but must be
31 created by the administrator, and the desired access control list
32 set see "Notes" below. If this control argument is not given, the
33 accounting owner of the resource is given rew access by default. If
34 path is a null string, the existing ACS, if any, is disassociated
35 from the resource.
36
37
38 -alloc STR
39 sets the allocation state of the resource to free or allocated,
40 where STR must be either the string on or the string off. If this
41 control argument is not given, the allocation state is free. The
42 allocation state flag is a convenience to the user and is largely
43 ignored by resource management. on sets the allocation state to
44 allocated off sets the allocation state to free
45 -attributes STR, -attr STR
46 specifies the initial values for the attributes of this resource.
47 If this control argument is not given, the default attributes
48 defined in the RTDT for this resource type are used see "Naming
49 Rules for Attributes" below.
50 -comment STR, -com STR
51 specifies the initial value of the comment string for this resource.
52
53
54 -location STR, -loc STR
55 specifies a descriptive location for the resource, to aid the
56 operator in locating it when it is stored in a special place e.g.
57 a vault a different room etc..
58 -lock STR
59 locks or unlocks the resource, preventing or allowing use of that
60 resource, where STR must be either the string on or the string off.
61 If this control argument is not specified the lock is off.
62
63 on prevents any use of the resource
64
65 off allows use of the resource
66
67
68 -owner STR, -ow STR
69 specifies that this resource, as part of the registration process,
70 is to be acquired on behalf of the user specified by STR. If STR is
71 the string "system", then the resource is acquired to the system
72 pool. If STR is of the form Person_id.Project_id where neither
73 Person_id nor Project_id may be a star, then the user specified has
74 all the rights of ownership to the resource as if he had acquired it
75 personally, except that if -release_lock on is specified, the owner
76 may not release give up ownership of the resource voluntarily. If
77 this control argument is not given, the resource is entered by
78 default into the free pool.
79
80
81 -potential_attributes STR, -pattr STR
82 specifies the potential attributes to be assigned to this resource.
83 If this control argument is not given, the default potential
84 attributes defined in the RTDT for this resource type are used see
85 "Naming Rules for Attributes" below.
86 -potential_access_class accr, -pacc accr
87 sets the potential AIM access class parameters, where accr is the
88 access class range. Users at any authorization within the access
89 class range inclusive are allowed to acquire the resource. If the
90 control argument is not given, the default potential access class
91 defined in the RTDT for this resources type is used. See "Access
92 Class Ranges" below, for additional information.
93
94
95 -release_lock STR, -rll STR
96 specifies whether this resource may be released by the owner, or may
97 only be released by a privileged process. The STR argument must be
98 either the string on or the string off. It is primarily useful to
99 implement special arrangements between a site and a user whereby the
100 user agrees to pay a fixed amount for the privilege of
101 administrative power over a resource for an agreed-upon length of
102 time. If this control argument is not specified, the resource may
103 be released by the owner does not require special privilege.
104
105 on resource may only be released by privileged processor
106
107 off resource may be released by owner
108
109
110 -type subtype_name, -tp subtype_name
111 specifies that defaults for this resource are to be taken from the
112 description of the resource subtype as defined in the RTDT see
113 "Application of Defaults" below for additional information.
114
115
116 Notes: If multiple resources are specified to the register_resource
117 command and an error occurs in the registration of any of these
118 resources, none of the resources specified is registered.
119
120 If no -owner is specified, the resource is placed in the free pool.
121
122 The use of the -access_class, -acs_path, -attributes, or -comment
123 control argument requires that the -owner control argument be
124 specified.
125
126
127 Access required: The use of this command requires execute access to
128 the rcp_admin_ gate.
129
130 Certain specifications of AIM access class parameters e.g. an access
131 class lower than the user's current authorization are rejected unless
132 the user has the AIM rcp privilege.
133
134
135 Notes on access control: There are three types of access control on
136 Multics, discretionary access control, which is regulated by access
137 control lists ACL; nondiscretionary access control, which is
138 regulated by the access isolation mechanism AIM; and intraprocess
139 access control, which is regulated by the ring structure. For
140 detailed information on types of access see the Multics Programmers'
141 Reference Manual Order No. AG91.
142
143
144 Notes on access control segments: An important feature of RCP is its
145 ability to control access to the various resources that it manages.
146 It does this through the use of access control segments ACSs. An
147 ACS is a zero length segment whose ACL and ring brackets are used to
148 define the discretionary access to a resource. RCP uses an ACS for
149 each resource that it controls; however, an ACS can be shared by more
150 than one resource. The name of an ACS consists of a name plus the
151 suffix, acs e.g. tape_01.acs. There are no restrictions on ACS
152 names other than the required suffix. The user creates an ACS and
153 generates/manipulates its ACL with the create, set_acl, and delete_acl
154 commands and ring brackets with the set_ring_brackets command.
155
156
157 The pathname of the ACS for a resource is usually specified when it is
158 acquired. The specified ACS can later be changed via the set_resource
159 command see the Multics Commands and Active Functions manual Order
160 No. AG92. If the ACS has not been specified or does not exist,
161 access is by default rew for the owner of the resource and null for all
162 other users.
163
164 RCP uses the ACS along with other nondiscretionary controls AIM to
165 determine the RCP effective access to a resource.
166
167
168 Notes on access class ranges: Access class ranges are used by RCP to
169 specify that a process within a range of authorizations can use a
170 particular resource.
171
172 An access class range is simply a pair of AIM access classes separated
173 by a colon. The first value of the pair is the minimum access class
174 and the second is the maximum access class. If only a single access
175 class is specified when an access class range is expected, the minimum
176 and maximum access class values are both the same i.e. a range of one
177 value. The second access class of the pair the maximum must be
178 greater than or equal to the first the minimum.
179
180
181 The user should be aware of results which occur when categories are
182 used in an access class range. For example, a process with
183 authorization of
184
185 level2,category1
186
187 would not be able to use a resource whose access class range was
188
189 level1,category1,category2:level3,category1,category2,category3
190
191
192 where level3 is greater than level2, which is greater than level1.
193 This is due to the fact that the authorization of the process is
194 isolated from the minimum of the access class range. In order to allow
195 this process access to the resource in question, the range would have
196 to exclude category2 or the user would have to have category2
197 authorization. In general, to include categories within an access
198 class range, both the minimum and maximum must include the categories
199 desired. If combinations of categories are desired, the minimum should
200 list only required categories and the maximum should include all
201 categories allowed. For example, the access class range
202
203 level1,category1:level3,category1,category2,category3
204
205 allows read and write access to any level1, level2, or level3 process
206 with category1 and any combination of category2 and category3.
207
208
209 Notes on RCP effective access: Viewed separately, each type of access
210 control answers the same question, "What access does a particular
211 process have for a particular item?" The access mode granted a
212 process to a resource by discretionary access control the ACL is
213 known as the raw access mode.
214
215
216 The way RCP determines effective access to a resource for a process
217 differs from the regular Multics method of determining effective access
218 as follows. First, the effective access to the ACS for the resource is
219 determined as for any segment. If the ACS does not exist, the user
220 appears to have read, execute, and write access if he is the owner of
221 the resource, or null access if he is not the owner. Then, two further
222 checks are made. First, the current authorization of the process is
223 compared to the maximum access class of the resource. If write access
224 is not allowed as defined by the write_allowed_ subroutine then write
225 and execute access are denied and only read is allowed. Next, the
226 current authorization of the process is compared to the minimum access
227 class of the resource. If read access is not allowed as defined by
228 the read_allowed_ subroutine then all access is denied. The resulting
229 access is termed the RCP effective access to the resource. One final
230 restriction enforced by RCP is that, in order to use a device, the RCP
231 effective access must include both read and write to that device a
232 restriction not imposed on volumes.
233
234
235 A user must have write RCP effective access to the resource named to
236 perform any modification on the status of the resource. In addition,
237 the user must have execute effective access to the resource named to
238 modify protected attributes. Only the accounting owner may modify the
239 ACS path.
240
241 For more information on AIM, access classes, authorizations, and
242 comparisons involving access classes and authorizations, see the
243 Multics Programmer's Reference manual, Order No. AG91.
244
245
246 Notes on manipulating RCP effective access: Since the access control
247 mechanisms described above operate together to determine the RCP
248 effective access of a process, there are actions that the user, as
249 well as an administrator, can perform to control this effective access.
250
251 First, the user creates an ACS via the create command. Then, the
252 desired ACL for that segment is established using the set_acl command
253 to add desired ACL entries, and the delete_acl command to delete
254 entries. The above three commands are described in the Multics
255 Commands and Active Functions manual Order No. AG92. To further
256 affect the ACS, the user may modify its ring brackets by using the
257 set_ring_brackets command described in the Multics Commands and Active
258 Functions manual Order No. AG92. The system security administrator
259 sets the AIM access class range of the resource itself at the time it
260 is registered using the register_resource command, and can change it by
261 using the set_resource command.
262
263
264 Notes on reserved names: RCP uses the information in the RTDT to
265 decide what classes of resources are known to the system, how they are
266 to be handled, and what important attributes they possess. In the
267 initial implementation, sites may use this flexibility to augment the
268 standard complement of attributes for certain resources. For example,
269 a site with tape drives in more than one location may register these
270 drives with an additional simple attribute, thereby allowing users to
271 request assignment of a tape drive in the remote location.
272 Additionally, the tape reels in the remote location may be tagged with
273 a matching attribute, marked in the RTDT as requiring that attribute
274 of its tape drive.
275
276
277 Although this mechanism is very flexible, the necessity of having
278 certain standard and reserved resource type names and attribute names
279 cannot be avoided. Standard software e.g. tape and disk I/O modules
280 needs to refer to a domain of resources by standard names, as well as
281 certain attributes of the resources. Since these strings must be the
282 same at all sites, certain resource types and certain resource
283 attributes must be contained in all RTMFs. The cv_rtmf command checks
284 for their existence and refuses to process an RTMF that lacks them.
285 This list of required resource type names and attributes is also found
286 in the include file, rcp_mandatories.incl.pl1.
287
288
289 RCP does not allow the name "scratch" to be used in registering a
290 resource. A scratch tape is one of the unmarked tapes in an unreserved
291 pool that is used for "scratch"--that is, no information is saved on it
292 from session to session. After every use, it is demounted and returned
293 to the system pool.
294
295
296 List of reserved resource names: The following resources are
297 mandatory and must appear in all RTMFs.
298
299 Device: disk_drive
300 Device: tape_drive
301 Volume: tape_vol
302 Volume: disk_vol
303
304
305 List of reserved attribute names: The following attributes are
306 mandatory for the devices named, and must appear in all RTMFs.
307
308 For the disk_drive device
309
310 model=400 model=451 model=181
311 model=191 model=500 model=402
312
313 For the tape_drive device
314
315 track=7 track=9
316 den=200 den=556
317 den=800 den=1600
318 model=400 model=500
319 model=600 model=610
320
321
322 Notes on naming rules for attributes: Attributes provide a description
323 of a volume or device that assists the resource management facility in
324 the proper matching of volumes with compatible devices. To produce
325 correct combinations, attribute names must comply with the set of rules
326 described below.
327
328 Attributes may be grouped or ungrouped. Grouped attributes specify a
329 set of properties applicable to a device or volume such that only one
330 attribute of that set can be currently active at any given time. For
331 example, a reel of tape may have potential attributes that allow it to
332 be recorded at densities of 556, 800, or 1600; however, at any given
333 time, the data on it is in only one of those densities. Grouped
334 attributes have names of the form shown below.
335
336 <identifier>=<value>
337
338
339 For example, the attributes mentioned above are named "den=556",
340 "den=800", and "den=1600". This notation allows RCP to recognize that
341 any request to make one of these attributes the current attribute of a
342 device or volume also implies that all other attributes in that
343 grouping must be made inactive.
344
345 When adding or changing an attribute in a string of attributes, all
346 attributes in the string must be respecified or else existing
347 attributes are nullified by the change. Also, any attribute string
348 must contain a value for each grouped attribute. For example, if the
349 attribute domain includes "track=..., model=..., and den=...," the
350 device you are setting the attributes for or registering must contain
351 values for each grouped attribute.
352
353
354 Ungrouped attributes have simple names, such as "trainok" to specify
355 that this device accepts a removable print train or "building_12" to
356 specify that this device or volume is located in building 12.
357
358
359 Notes on application of defaults: When the system administrator
360 registers a resource, that resource may be registered using the
361 defaults for the registration parameters that are specified in the
362 RTDT. Alternately, he may explicitly specify parameters for which
363 defaults may also be specified in the table, such as attributes and AIM
364 classes. If any such parameter is explicitly specified, the
365 corresponding default for that parameter is overridden.
366
367 When the resource is registered, any default parameters defined for
368 that resource type are applied in the absence of a corresponding
369 explicitly specified parameter.
370
371
372 If the resource is registered with the "-type <subtype_name>" control
373 argument, any default parameter defined for the special class named
374 <subtype_name> is applied in the absence of a corresponding explicitly
375 specified parameter. In the case of duplicate resource type and
376 special class parameters, the special class default parameters override
377 the general resource type parameters. In addition, any default
378 parameters specified for that resource other than those defaults in the
379 special class are applied.
380
381
382 If no special classes of a resource are defined, and the defaults for
383 the resource are not all present, it is always necessary for the
384 missing parameters to be explicitly specified for every registration
385 request for a resource of this type. If special classes of a resource
386 are defined, then defaults within the definition of special classes can
387 be used either to replace corresponding defaults specified for the
388 resource in general, or to supplement for missing defaults that are not
389 specified for the resource in general. In the latter case, the system
390 administrator cannot perform a simple default registration of the
391 resource, but must either specify the missing items explicitly in the
392 command line, or use the "-type <subtype_name>" control argument to
393 take advantage of the additional defaults provided in a special class.