[AFS3-std] Re: Methods of Restricting AFS3 ACL rights (delegation in AFS)

Russ Allbery rra@stanford.edu
Sun, 17 Jan 2010 18:00:16 -0800


Adam Megacz <adam@megacz.com> writes:
> Andrew Deason <adeason@sinenomine.net> writes:

>> The definition of 'administrator' is deliberately vague. We haven't yet
>> determined whether or not the person changing the volume policy will be
>> a member of system:administrators, an SUser, or some to-be-created list
>> of users.

> Good point.  I should have phrased my comment in terms of "any single
> site-wide list" rather than "system:administrators".

Please note that in order to address the use case that we (Stanford) have
for this feature, limiting volume policy changes to a single cell-wide
list is exactly what we need.  Anything more generous will not actually
address the problem unless it can be configured to be functionally
equivalent to that.  So while I would have no objections to something more
complicated, such as something that allows a custom policy ACL to be
associated with each volume, it's both not necessary for our use case and
needs to be reduced to a single cell-wide list at our site to work the way
that we want it to work.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>