[AFS3-std] Re: [OpenAFS-devel] Re: Methods of Restricting AFS3 ACL rights

Russ Allbery rra@stanford.edu
Sun, 17 Jan 2010 20:48:20 -0800


Jeffrey Hutzelman <jhutz@cmu.edu> writes:

> You could build into AFS the complexity of allowing anyone to be given
> the ability to set that policy, and allowing anyone to be given the
> ability to set policy about who can set that policy, and so on ad
> infinitum.  But what most sites do instead is either only have one level
> of administrator, or have some sort of privilege delegation service
> which understands that site's meta-policy (and meta-meta-policy, and so
> on), and exercises administrative level power on the request of
> authorized users.

> What we're talking about here won't create or eliminate the need for such
> a service, at sites which have sufficiently complex policy to need one.
> What it does do is create a new tool to allow access control policy to be
> expressed to AFS, so that it can be properly enforced.

What Jeff said.  Also, I would argue that once you have complex delegation
needs, AFS is the wrong place to solve that.  As soon as matters get
complex, there are usually a huge variety of site-local schemes that are
used to decide who does what, and that logic really cannot be handled by
AFS.  Sites will need their own policy layer where they can code their
local authorization rules and then enforce them.

A similar issue comes up with the kadmin ACLs of a Kerberos KDC.  Adding a
bunch of additional complexity to the kadmin ACL syntax is probably not a
good idea; once you outgrow the basic ACL structure, you probably want to
create a policy layer that sits between kadmin and the rest of your
infrastructure and can enforce custom rules.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
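The "policy layer" both messages describe, as an added illustration that is not part of this thread or of OpenAFS: a small deny-by-default broker that evaluates site-local delegation rules and, only when a request passes, emits the `fs setacl` command an administratively privileged worker would run. The rule set, group names, paths and membership table are all constructed for the example; the only real identifiers are the AFS rights letters (`rlidwka`) and the `fs setacl -dir ... -acl ...` syntax.

```python
"""Hypothetical site-local policy layer that brokers AFS ACL changes.

AFS itself only knows that someone holding 'a' on a directory may change
its ACL.  Everything about *who may delegate which rights where* lives in
this layer, which decides and then hands an approved command to a worker
that actually holds administrative rights.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Real AFS ACL rights: read, lookup, insert, delete, write, lock, administer.
AFS_RIGHTS = frozenset("rlidwka")


@dataclass(frozen=True)
class Rule:
    """Site meta-policy: members of `delegator_group` may hand out the
    rights in `grantable` anywhere under `path_prefix`."""
    delegator_group: str
    path_prefix: str
    grantable: str


@dataclass(frozen=True)
class Request:
    requester: str   # authenticated user asking for the change
    path: str        # AFS directory whose ACL should change
    principal: str   # user or pts group receiving the rights
    rights: str      # explicit rights letters, e.g. "rl"


# Constructed sample meta-policy: project leads may delegate everything but
# 'a' in the project tree; helpdesk may only grant read/lookup on user dirs.
RULES: List[Rule] = [
    Rule("cs:project-leads", "/afs/example.org/project/", "rlidwk"),
    Rule("cs:helpdesk", "/afs/example.org/user/", "rl"),
]

# Constructed stand-in for a directory/group lookup.
MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"cs:project-leads"},
    "bob": {"cs:helpdesk"},
}


def _in_subtree(path: str, prefix: str) -> bool:
    """True if `path` (already normalized) lies at or under `prefix`."""
    p = posixpath.normpath(prefix)
    return path == p or path.startswith(p + "/")


def decide(req: Request,
           rules: List[Rule] = RULES,
           membership: Dict[str, Set[str]] = MEMBERSHIP
           ) -> Tuple[bool, str, Optional[List[str]]]:
    """Return (allowed, reason, command).  `command` is the argv for
    `fs setacl` when allowed, else None.  Deny is the default outcome."""
    rights = set(req.rights)
    if not rights or not rights <= AFS_RIGHTS:
        return False, "rights must be explicit letters from rlidwka", None

    # Normalize first so '..' cannot walk out of a delegated subtree.
    path = posixpath.normpath(req.path)
    if not path.startswith("/afs/"):
        return False, "path must be absolute under /afs", None

    groups = membership.get(req.requester, set())
    for rule in rules:
        if rule.delegator_group not in groups:
            continue
        if not _in_subtree(path, rule.path_prefix):
            continue
        excess = rights - set(rule.grantable)
        if excess:
            return (False,
                    f"{rule.delegator_group} may not grant "
                    f"{''.join(sorted(excess))} under {rule.path_prefix}",
                    None)
        cmd = ["fs", "setacl", "-dir", path, "-acl", req.principal, req.rights]
        return True, f"matched rule {rule.delegator_group}@{rule.path_prefix}", cmd

    return False, "no delegation rule matches requester and path", None


if __name__ == "__main__":
    for r in (Request("alice", "/afs/example.org/project/foo", "carol", "rl"),
              Request("alice", "/afs/example.org/project/foo", "carol", "rla"),
              Request("bob", "/afs/example.org/user/../project/x", "carol", "rl")):
        allowed, reason, cmd = decide(r)
        print(f"{r.requester} -> {r.path}: {'ALLOW' if allowed else 'DENY'} ({reason})",
              cmd or "")
```

The point of the split is that AFS keeps enforcing a simple model (hold `a` to change an ACL) while every site-specific rule, including the "who may delegate delegation" meta-policy, stays in code the site controls and can audit; the worker that runs the emitted command is the only thing that needs administrative rights.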