[OpenAFS] Re: Ideas for finer grain set acl controls

Derrick Brashear shadow@gmail.com
Wed, 11 Nov 2009 14:42:53 -0500


>> You can't. If we allow you to specify the 'anonymous' user, you could
>> assign negative idwka rights to 'anonymous' on the volume-level ACL to
>> prevent system:anyuser write access. But there is no way to prevent
>> access for system:authuser.
>>
>> Note: giving a negative ACL on, say, system:anyuser would prevent _any_
>> user from getting rights; that's not what we'd want.
>
> Since system:anyuser represents all users, it seems to me we could
> introduce a way to indicate anonymous users. Perhaps with a new
> system group, system:anonusers which represents users that are
> not authenticated?
>
> At that point we would specify a volume level negative right,
>
> Negative rights:
>  system:anonusers idwka

Why do you need a group, as opposed to simply mapping 32766 to a name?

Derrick
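
The difference between the two negative entries discussed in this thread, as an added example that is not part of the original message and is not OpenAFS code. It is a simplified model of ACL evaluation (matching positive rights minus matching negative rights); the function names, the sample user id 1001 and the sample ACL are constructed, and a negative entry naming the anonymous id 32766 is the hypothetical the thread proposes.

```python
# Simplified model of AFS-style ACL evaluation (illustrative, not OpenAFS code).
ANONYMOUS_ID = 32766   # anonymous user id, as mentioned in the thread
ALICE_ID = 1001        # constructed sample id for an authenticated user
RIGHTS_ORDER = "rlidwka"

def protection_set(user_id, groups=()):
    """Principals an ACL entry can match for this caller (simplified)."""
    cps = {user_id, "system:anyuser", *groups}
    if user_id != ANONYMOUS_ID:
        cps.add("system:authuser")   # only authenticated callers are members
    return cps

def effective_rights(positive, negative, cps):
    """Union of matching positive rights minus union of matching negative rights."""
    granted, denied = set(), set()
    for principal, rights in positive.items():
        if principal in cps:
            granted |= set(rights)
    for principal, rights in negative.items():
        if principal in cps:
            denied |= set(rights)
    return "".join(r for r in RIGHTS_ORDER if r in granted - denied)

# Constructed sample ACL: a directory left world-writable by its owner.
POSITIVE = {"system:anyuser": "rlidwk", ALICE_ID: "rlidwka"}

def evaluate(negative):
    """Return (alice_rights, anonymous_rights) under the given negative entries."""
    alice = effective_rights(POSITIVE, negative, protection_set(ALICE_ID))
    anon = effective_rights(POSITIVE, negative, protection_set(ANONYMOUS_ID))
    return alice, anon

# Negative rights on system:anyuser match every caller, owner included.
NEG_ANYUSER = evaluate({"system:anyuser": "idwka"})
# Negative rights on the anonymous id match only unauthenticated callers.
NEG_ANONYMOUS = evaluate({ANONYMOUS_ID: "idwka"})

if __name__ == "__main__":
    print("negative on system:anyuser:", NEG_ANYUSER)
    print("negative on anonymous id  :", NEG_ANONYMOUS)
```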