[OpenAFS-devel] Re: Lockdown for VL and VOL RPC interfaces for non-authenticated user

Andrew Deason adeason@sinenomine.net
Mon, 17 Mar 2014 09:59:17 -0500


On Mon, 17 Mar 2014 15:13:46 +0100
Gergely Risko <gergely@risko.hu> wrote:

> > I also believe there needs to be an additional level to permit
> > system:authuser + authenticated foreign users.
> 
> Forgive my unfamiliarity with foreign users in AFS, but is there already
> some mechanism to have "friendly zones", because just allowing anyone
> with an AFS ticket to any zone doesn't seem to be fruitful (it's easy to
> install a fake zone for yourself).

I think this will answer your question, but I'm not following this very
closely so forgive me if I've missed what this is about:

Every foreign cell has its own 'authuser' group. That is,
system:authuser refers to any user that is authenticated to the local
cell, and system:authuser@example.com refers to any user that is
authenticated via the cell example.com.

So for any kind of access control you restrict to system:authuser, you
could add access additionally for any other specific system:authuser@*
group. In addition, I believe the local cell must create the e.g.
system:authuser@example.com group, so you can use the existence of such
a group to mean that the local group administrator deliberately allows
collaboration with that cell.

You generally have to set up all of the cross-realm krb5 stuff, too, but
that's 'outside' of the knowledge of AFS.

-- 
Andrew Deason
adeason@sinenomine.net
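As an added illustration (not code from this thread or from OpenAFS), the following Python models the group semantics described above: a token from the local cell places a user in system:authuser, a token from a foreign cell places the user in system:authuser@<cell> only if the local cell's administrator has created that group, and a self-installed cell therefore grants nothing. The cell names, users and ACL are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the group semantics in the message above. Cell names,
# principals and the ACL are made up for illustration; this is not OpenAFS code.

@dataclass(frozen=True)
class Principal:
    name: str
    cell: Optional[str]  # cell that issued the token; None = unauthenticated

@dataclass
class Cell:
    name: str
    # Groups the local ptserver knows. A foreign system:authuser@<cell> group
    # is only present if a local admin deliberately created it.
    groups: Set[str] = field(default_factory=set)

    def implicit_groups(self, p: Principal) -> Set[str]:
        """Groups a principal belongs to by virtue of how it authenticated."""
        g = {"system:anyuser"}
        if p.cell is None:
            return g
        if p.cell == self.name:
            g.add("system:authuser")            # authenticated to the local cell
        elif f"system:authuser@{p.cell}" in self.groups:
            g.add(f"system:authuser@{p.cell}")  # admin-created foreign group only
        return g

    def local_name(self, p: Principal) -> str:
        """ACL spelling of the user: bare for local, user@cell for foreign."""
        return p.name if p.cell == self.name else f"{p.name}@{p.cell}"

def rights_for(cell: Cell, acl: Dict[str, str], p: Principal) -> Set[str]:
    """Union of rights from every positive ACL entry matching the principal."""
    matches = cell.implicit_groups(p) | {cell.local_name(p)}
    return {r for entry, rights in acl.items() if entry in matches for r in rights}

# Hypothetical cell that has opted in to collaborate with partner.example only.
LOCAL = Cell("local.example", groups={"system:authuser@partner.example"})
ACL = {"system:authuser": "rl",
       "system:authuser@partner.example": "rl",
       "alice": "rlidwka"}

if __name__ == "__main__":
    for who in (Principal("alice", "local.example"),
                Principal("bob", "partner.example"),
                Principal("bob", "rogue.example"),   # self-installed cell
                Principal("anon", None)):
        print(who, sorted(rights_for(LOCAL, ACL, who)))
```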