[OpenAFS] a question about user capability for a given a directory with its ACL.

Giovanni Bracco giovanni.bracco@enea.it
Sun, 17 May 2020 19:32:27 +0200

thank you for your very detailed explanation and for pointing out the 
existence of fs getcalleraccess command!

On 17/05/20 18:53, Jeffrey E Altman wrote:
> Hi Giovanni,
> The cache manager doesn't know either the contents of the ACL or the PTS
> group memberships.  The computation of a caller's access rights are
> performed entirely by the fileserver.  The cache manager makes access
> decisions based upon the access rights obtained from the fileserver in
> the AFSFetchStatus structure.
> If you have a token for the user you can obtain a good approximation of
> the user's access rights by issuing the "fs getcalleraccess" (aka "fs
> gca") command.  This command will return the access rights returned from
> the fileserver for the requested path.  However, this is an
> approximation because the IBM AFS/OpenAFS fileservers only report the
> explicit access rights in the AFSFetchStatus structure returned to the
> cache manager.  There are also implicit rights granted to the file
> owner, volume owner and members of the system:administrators group.
> One difference in the AuriStorFS fileserver is that the AFSFetchStatus
> structure reports the computed access rights including the implicit
> rights.  This is important because if a cache manager makes a decision
> about whether or not to issue an RPC based upon the cached access rights
> for the user, the cache manager might deny a request that the fileserver
> would in fact perform.
> Operations that are permitted based upon implicit rights include
> fetching and storing access control lists, listing the contents of
> directories, fetching and storing status information.  Many of the
> implicitly permitted operations are blocked when a UNIX cache manager
> communicates with an OpenAFS fileserver because the permissions are not
> advertised in the AFSFetchStatus structure.
> To satisfy your request would require a new RXAFS RPC, something like
>    RXAFS_FetchStatusAsUser(
>    IN  AFSFid *Fid,
>    IN  UserId  User,
>    OUT AFSFetchStatus *OutStatus,
>    OUT AFSCallBack *CallBack,
>    OUT AFSVolSync *Sync)
> which could be issued only by the file owner, volume owner or members of
> the system:administrators group and then extend the
>    fs getcalleraccess [-path <dir/file path>+]
> command with a
>    -nameorid <user or group name or id>
> optional parameter.
> I believe that the addition of this functionality is a good idea and
> AuriStor will consider adding it to our August release.
> Jeffrey Altman
> On 5/17/2020 9:11 AM, Giovanni Bracco wrote:
>> Given an AFS directory and a userid, is there a direct way to understand
>> what are the user capabilities, according to the directory ACL?
>> Of course one can prepare a script which reads the directory ACL and the
>> user membership to PTS groups and make a combined analysis to discover
>> if  the user can, let's say, read the files in the directory, if any ,
>> but I wonder if there is  some OpenAFS command that provides directly
>> the answer, as of course the client has to know all that..
>> Giovanni

Giovanni Bracco
phone  +39 351 8804788
E-mail  giovanni.bracco@enea.it
WWW http://www.afs.enea.it/bracco