[OpenAFS] account deletions

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 13 Sep 2005 15:21:52 -0400

On Tuesday, September 13, 2005 03:10:43 PM -0400 Brian Davidson 
<bdavids1@gmu.edu> wrote:

> What's the best way to handle deleting accounts and ensuring that the
> deleted user's ACLs have been removed?  I ask because I find myself
> needing to delete about 25,000 accounts and create about 10,000.  Of
> those 10,000 a fair number will re-use previously used PTS ids.  I'm
> hoping we'll be able to switch to an accounts management process that
> doesn't re-use uids, but for now I'm stuck with what we've got.

(1) Don't reuse PTS IDs.  But you figured that out.
(2) Whenever possible, ACLs should contain groups, not users.  When a
    PTS user is deleted, its group memberships automatically go away.
(3) 'fs cleanacl' will "clean" the ACL of a directory, removing entries
    for IDs which do not currently exist in PTS.  So, you could do
    something like this (assuming GNU find and xargs):

find /afs/gmu.edu -noleaf -type d -print0 | xargs -0 fs cleanacl -path

(4) If you have a backup system which conveniently has volume dumps of
    all your volumes, you can scan them to see which ACLs contain a
    given PTS ID (or any of a given set of 10000 IDs).  For this purpose,
    even an incremental dump will do, since even incrementals contain the
    contents and metadata (including ACL) of every directory.

(5) If you get really ambitious, you could not just scan dumps, but also
    emit new dumps with different ACLs, and then restore them.

A good starting point for options (4) and (5) might be the dump scanning
tools, an early version of which can be found somewhere in src/tests.
Contact me offline if you'd like an up-to-date version (I really should
package this stuff up already).

-- Jeff
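Added example, not from the thread above: a check that complements item (3) by reporting, rather than silently removing, ACL entries whose principal has already been deleted from PTS. `fs listacl` prints such entries as a bare numeric ID (negative for groups); those are exactly the entries `fs cleanacl` would drop, and the ones a reused PTS ID would inherit. The sample `fs listacl` output, paths and IDs below are constructed.

```shell
#!/bin/sh
# Report ACL entries whose principal no longer resolves in PTS.
# Reads 'fs listacl' output on stdin and prints one line per stale entry:
#   <directory> <normal|negative> <numeric id> <rights>
# A PTS name that fails to resolve is printed by 'fs listacl' as a bare
# number, so an entry whose first field is purely numeric is stale.
stale_acl_entries() {
    awk '
        /^Access list for / { path = $4; next }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        NF == 2 && $1 ~ /^-?[0-9]+$/ { print path, section, $1, $2 }
    '
}

# Constructed sample of 'fs listacl' output (not captured from a real cell):
# one directory carrying a deleted user (1234) and a deleted group (-205),
# and one directory whose ACL is clean.
SAMPLE_LISTACL='Access list for /afs/example.edu/user/alice is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  1234 rl
Negative rights:
  -205 rl
Access list for /afs/example.edu/proj/www is
Normal rights:
  system:anyuser rl
  www:admins rlidwka
'

# On a live tree this would be fed from the same find/xargs pipeline as
# item (3), with 'fs listacl' in place of 'fs cleanacl':
#   find /afs/example.edu -noleaf -type d -print0 | xargs -0 fs listacl | stale_acl_entries
# Here it runs over the constructed sample instead.
printf '%s' "$SAMPLE_LISTACL" | stale_acl_entries
```

Running the report before `fs cleanacl` gives you a record of which directories referenced which dead IDs, which is what you want to have on file before any of those IDs get handed to new accounts.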