[OpenAFS-devel] Re: Lockdown for VL and VOL RPC interfaces for non-authenticated
user
Andrew Deason
adeason@sinenomine.net
Mon, 17 Mar 2014 09:59:17 -0500
On Mon, 17 Mar 2014 15:13:46 +0100
Gergely Risko <gergely@risko.hu> wrote:
> > I also believe there needs to be an additional level to permit
> > system:authuser + authenticated foreign users.
>
> Forgive my unfamiliarity with foreign users in AFS, but is there already
> some mechanism to have "friendly zones", because just allowing anyone
> with an AFS ticket to any zone doesn't seem to be fruitful (it's easy to
> install a fake zone for yourself).
I think this will answer your queston, but I'm not following this very
closely so forgive me if I've missed what this is about:
Every foreign cell has its own 'authuser' group. That is,
system:authuser refers to any user that is authenticated to the local
cell, and system:authuser@example.com refers to any user that is
authenticated via the cell example.com.
So for any kind of access control you restrict to system:authuser, you
could add access additionally for any other specific system:authuser@*
group. In addition, I believe the local cell must create the e.g.
system:authuser@example.com group, so you can use the existence of such
a group to mean that the local group administrator deliberately allows
collaboration with that cell.
You generally have to setup all of the cross-realm krb5 stuff, too, but
that's 'outside' of the knowledge of AFS.
--
Andrew Deason
adeason@sinenomine.net