[AFS3-std] Re: Methods of Restricting AFS3 ACL rights (correctness+performance)

Adam Megacz adam@megacz.com
Sun, 17 Jan 2010 21:52:05 +0000


Andrew Deason <adeason@sinenomine.net> writes:
> That is, say you set some MAC or 'transitive ACL' or something on path
> ./foo/dir in a volume. Anyone with the necessary rights can then just
> move foo/dir out of the way, create a new foo/dir, and copy the data
> from the old foo/dir.

If you are talking about my transitive ACLs proposal, then the new
foo/dir is still subject to the transitive acl on foo/.

> For a directory N levels deep in a volume, this either makes access
> checks take O(N) time (checking all of the parents for transitive ACLs),
> or makes mkdir operations take O(N) time and transitive setacl
> operations take O(N^2) time (if we mark the transitive ACL on all
> subdirectories).

No, they can all be done in O(log N) by propagating the data up and down
the tree on demand.  If you want the gory details ask and I will explain
how.

>>   fs sa /afs/@cell/web/ !system:authuser a -negative -transitive

> This does not _quite_ do what we were aiming for, as this also prevents
> 'a' access for foreign-cell users (but that may be good enough).

Then create a supergroup containing system:authuser@realm for all realms
known to this one.

> '!(system:authuser || system:authuser@other.cell)'

That's just a (complemented) supergroup.  You get those for free.

  - a