[OpenAFS] readonly/readwrite

Nathan Rawling nrawling@firedrake.net
Thu, 1 Mar 2001 11:01:28 -0500 (EST)

> First, as far as read/write and read-only, I believe it's still the
> case that you have to be a member of system:administrators to do a vos
> release, so it isn't practical to make read-only volumes for ordinary
> users.  This is something I would love to see changed in OpenAFS - if
> I could give an ordinary user the ability to do a vos release on a
> particular volume, and if that permission were controllable
> volume-by-volume, it would be really nice.

Actually, greater granularity in the permissions system would be
nice. Things like the Umich recursive PTS groups are handy for really
large sites.

Bascially, you seem to end up with two groups of people:

1) Ordinary users who you don't have to worry about much.

2) Administrators who can completely trash your cell, largely without an
   audit trail.

After many years of working on medium size AFS installations at various
insitutions and companies, I have had to use the Carneige-Mellon ADM tool,
or various home-grown scripts to delegrate administrative authority.

Otherwise I needed too many administrators to handle the workload. Having
15 people with the highest authority doesn't work too well when you have
little control over those 15 people. In my case, they reported to other
departments which needed at least some partial control.

The downside however, is that anything to improve this situation,
complicates the authentication/authorization structure. In many ways, I
think it is the simplicity of the system that makes it popular.



Nathan Rawling      nrawling@firedrake.net       KC8BOA
"Rome did not create a great empire by having meetings,
   they did it by killing all those who opposed them."