[OpenAFS] Re: [OpenAFS-devel] Better Logging and Access Control

[Jimmy Engelbrecht]

Thomas Vincent <thomasv@apple.com> writes:

> Hi Folks,
> Perhaps there is a way to do this , and I haven't figured it out.
> It would be nice if there was tcp_wrapper type support built in. With

tcp ? AFS dont use TCP. AFS uses RX. And it would be really messy to
have tcp/ip/RX-wrapper builtin. There is no use for it, AFS do not belive
in authentication by IP-addresses, AFS does belive in KERBEROS_V4.

> the granularity to control access by ip , and go directory by
> directory or user by user.

I dont get your question, but you can put IP-acl's on directorys,
but this is generally a very very bad idea.

Of course you can also set privilges on directorys for users or groups.

type '/usr/afsws/bin/fs sa -help' for help.

> Also logging seems to be in pretty bad shape under afs.

there is logging, but only for the purpose of debugging.

> Are there any
> plans to say: Record reads, writes, executes. To the point where I can
> log all a persons actions if I so choose.

yes. Send a Siganal to the fileserver. I think SIGTSTP i am not sure,
then it will log, when you send a signal again to the process it will
log even more. (there are 3 different levels of logging) then you can
reset the debugginglevel with SIG_SOMETHING(HUP?).
Look at /usr/afs/logs while sending your signals.

I tested with full logging on a rediculous small filserver with rediculous few
accesses, for a rediculous short period of time and i got rediculous big logfiles.

/Jimmy