[OpenAFS] Question for admins regarding pts membership output
Ed Rude
erude1@umbc.edu
Wed, 13 Jul 2022 12:05:26 -0400
I second the inclusion of an explicit way of requesting one behavior or the
other. As long as I have a way to explicitly specify both behaviors, working
around the change in anything that wraps the pts command should be simple
enough.
I think I prefer the new behavior you are suggesting as the default.
Thank you,
Ed
On Wed, Jul 13, 2022 at 10:08 Dave Botsch <botsch@cnf.cornell.edu> wrote:
> I suspect our user deprovisioning scripts would break by trying to
> explicitly remove users from those groups. Though would be easy enough
> to fix. And I'm in favor of having this extra output.
>
> Two questions/thoughts would be:
>
> 1) If this is a "backwards-incompatible" change (is it?) should it be
> reserved for the next major version upgrade (2.0) ?
>
> 2) Use of a flag to pts membership to include (or not include) explicit
> and implicit membership, as I might very well want to filter the
> output... the question then becomes which way should be the "default"?
>
> thanks.
>
> On Wed, Jul 13, 2022 at 09:49:29AM -0400, Jeffrey E Altman wrote:
> > The Protection Service groups fall into two categories. Those with
> > explicit membership lists and those with implicit membership lists. For
> > example, the "system:anyuser" and "system:authuser" groups are implicit
> > whereas "system:administrators", "system:ptsviewers", and
> > "system:authuser@foreign-realm" groups are explicit.
> >
> > The output of "pts membership" only includes memberships in explicit
> > membership groups. This has a negative impact on inexperienced end users
> > that might be unaware that they are members of the "system:anyuser" and
> > "system:authuser" groups. This behavior also leads to an inconsistency
> > between the behavior for foreign and local users because foreign users
> > are not members of "system:authuser" and are members of
> > "system:authuser@foreign" which is included in the membership list
> > because that group has an explicit membership list.
> >
> > The AuriStorFS Protection service also makes a distinction between
> > "user" and "machine" or "network" entities where "machine" and
> > "network" entities are not members of the "system:authuser" or
> > "system:authuser@foreign" groups. This distinction is not apparent from
> > the output of "pts membership" because of the exclusion of implicit
> > groups.
> >
> > AuriStor is considering a change to "pts membership" output to include
> > implicit memberships in the output of "pts membership". With this change
> > the output of these commands
> >
> > $ pts membership anonymous
> > Groups anonymous (id: 32766) is a member of:
> >
> > $ pts membership testuser
> > Groups anonymous (id: 112) is a member of:
> >
> > $ pts membership testuser@foreign
> > Groups anonymous (id: 43282) is a member of:
> > system:authuser@foreign
> >
> > becomes
> >
> > $ pts membership anonymous
> > Groups anonymous (id: 32766) is a member of:
> > system:anyuser
> >
> > $ pts membership testuser
> > Groups anonymous (id: 112) is a member of:
> > system:anyuser
> > system:authuser
> >
> > $ pts membership testuser@foreign
> > Groups anonymous (id: 43282) is a member of:
> > system:authuser@foreign
> > system:anyuser
> >
> > The question for cell admins is whether anyone is aware of any internal
> > scripts which process the output of "pts membership" which will break
> > as a result of the inclusion of the implicit groups "system:anyuser" and
> > "system:authuser" in output.
> >
> > Your assistance is appreciated.
> >
> > Jeffrey Altman
> > AuriStor, Inc.
> >
>
>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> @CornellCNF
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
--
Edward A. Rude
Systems Administrator - Unix Systems
Division of Information Technology
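The thread turns on scripts that scrape the text printed by "pts membership" and may start issuing "pts removeuser" against implicit groups once those appear in the listing. The following is an added example and not code from the thread, from OpenAFS or from AuriStor: a small Python wrapper that parses the listing in both its current form (explicit groups only) and the proposed form (implicit groups included), separates implicit from explicit memberships, and derives only the "pts removeuser" calls a deprovisioning script should actually issue. The sample output strings are constructed for the example, and IMPLICIT_GROUPS is an assumption drawn from the two groups named in the thread rather than a list published by either project.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Groups whose membership the Protection Service computes rather than stores.
# Assumption: this covers the two groups named in the thread; extend it if a
# cell treats further groups as implicit.
IMPLICIT_GROUPS = frozenset({"system:anyuser", "system:authuser"})

# Header line of "pts membership <user>". The group form of the listing
# ("Members of <group> (id: -N) are:") is deliberately rejected so a
# deprovisioning script can never be pointed at a group by mistake.
HEADER_RE = re.compile(r"^Groups (?P<name>\S+) \(id: (?P<id>-?\d+)\) is a member of:$")

# Constructed sample output (not captured from a real cell). SAMPLE_OLD is the
# current format, SAMPLE_NEW the proposed one with implicit groups listed too,
# and SAMPLE_FOREIGN a foreign-realm user whose system:authuser@foreign
# membership is explicit and therefore must stay in the explicit list.
SAMPLE_OLD = """Groups testuser (id: 112) is a member of:
  staff:unix-admins
  project:webteam
"""
SAMPLE_NEW = """Groups testuser (id: 112) is a member of:
  system:anyuser
  system:authuser
  staff:unix-admins
  project:webteam
"""
SAMPLE_FOREIGN = """Groups testuser@foreign (id: 43282) is a member of:
  system:authuser@foreign
  system:anyuser
"""


def parse_pts_membership(output: str) -> Dict[str, object]:
    """Parse "pts membership <user>" output into name, numeric id and groups.

    No particular group is assumed to be present, so the same parser works
    before and after the proposed change in output.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty pts membership output")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError(f"not a user membership listing: {lines[0]!r}")
    return {"name": m.group("name"), "id": int(m.group("id")), "groups": lines[1:]}


def split_memberships(groups: List[str]) -> Tuple[List[str], List[str]]:
    """Separate explicit (stored) memberships from implicit (computed) ones,
    preserving the order in which pts printed them."""
    explicit = [g for g in groups if g not in IMPLICIT_GROUPS]
    implicit = [g for g in groups if g in IMPLICIT_GROUPS]
    return explicit, implicit


def deprovision_commands(user: str, output: str) -> List[List[str]]:
    """Build the "pts removeuser" invocations for a user being deprovisioned.

    Only explicit groups are targeted: an implicit group has no stored
    membership to remove the user from, so issuing the command for it would
    fail and a script that stops on the first error would abort mid-run.
    """
    parsed = parse_pts_membership(output)
    if parsed["name"] != user:
        raise ValueError(f"listing is for {parsed['name']!r}, not {user!r}")
    explicit, _implicit = split_memberships(parsed["groups"])
    return [["pts", "removeuser", "-user", user, "-group", g] for g in explicit]


def run_pts_membership(user: str) -> str:
    """Fetch a live listing from the real pts binary (not used by the samples)."""
    return subprocess.run(["pts", "membership", "-nameorid", user],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Both formats yield the same removal commands for the same user.
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        for cmd in deprovision_commands("testuser", sample):
            print(" ".join(cmd))
```

Because the filter is applied to whatever pts prints, the wrapper produces identical "pts removeuser" commands for the old and the new listing, which is the property a deprovisioning script needs whichever default AuriStor settles on.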