[AFS3-std] Per-file ACLs - a few items for discussion
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 29 Jun 2009 03:12:44 -0400
--On Saturday, June 27, 2009 04:34:37 PM -0400 Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
>> 1. means that granting additional access to a file (wrt the parent
>> directory) through a file ACL would not work for old clients. That
>> may be acceptable, but it depends on what people intend to do with the
>> new facility. Of course if it's an issue they have the option to
>> upgrade the clients.
> We will have to determine if this is even feasible to maintain. ACLs
> do not change all that often but if there are thousands of objects in
> the directory with different ACL combinations it is going to be really
> hard to figure out what the restricted subset is supposed to be.
It's not hard, because you don't ever have to compute a most-restrictive
ACL. All you have to do is report the most restrictive set of rights
granted to a particular user, which is straightforward, if time-consuming.
-- Jeff
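
The per-user computation described in the reply above, as an added example that is not part of the original message or of any AFS implementation: each object's ACL is evaluated for one caller, and the results are ANDed together, so no merged "most-restrictive ACL" is ever built. The ACL layout (positive and negative entries keyed by user or group name), the bit values and all function names are assumptions of this sketch.

```python
from functools import reduce

# AFS right letters (rlidwka) mapped to bits; the bit values are this example's own.
RIGHTS = {c: 1 << i for i, c in enumerate("rlidwka")}

def mask(s):
    """Turn a string of right letters such as 'rl' into a bitmask."""
    return reduce(lambda m, c: m | RIGHTS[c], s, 0)

def letters(m):
    """Turn a bitmask back into right letters in rlidwka order."""
    return "".join(c for c in "rlidwka" if m & RIGHTS[c])

def effective_rights(acl, principals):
    """Rights one ACL grants to a caller holding `principals` (user plus groups).
    Matching positive entries are OR-ed, then matching negative entries removed."""
    granted = denied = 0
    for who, rights in acl.get("positive", {}).items():
        if who in principals:
            granted |= mask(rights)
    for who, rights in acl.get("negative", {}).items():
        if who in principals:
            denied |= mask(rights)
    return granted & ~denied

def most_restrictive_for_user(acls, principals):
    """AND the caller's effective rights on every object: one pass over the
    objects (the time-consuming part), and no comparison between ACLs."""
    result = mask("rlidwka")
    for acl in acls:
        result &= effective_rights(acl, principals)
    return result

# Constructed sample: three files in one directory with different ACLs.
SAMPLE_ACLS = [
    {"positive": {"alice": "rlw", "staff": "rl"}},
    {"positive": {"staff": "rlwk"}, "negative": {"alice": "w"}},
    {"positive": {"alice": "r", "system:anyuser": "l"}},
]
ALICE = {"alice", "staff", "system:anyuser"}   # user plus group memberships
BOB = {"bob", "system:anyuser"}

if __name__ == "__main__":
    print("alice:", letters(most_restrictive_for_user(SAMPLE_ACLS, ALICE)))
    print("bob:  ", letters(most_restrictive_for_user(SAMPLE_ACLS, BOB)))
```

The answer differs per caller even though the ACLs are the same, which is why the result is a set of rights for one user rather than a single ACL.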