[OpenAFS] Re: Ideas for finer grain set acl controls

Michael Meffie mmeffie@sinenomine.net
Wed, 11 Nov 2009 14:48:21 -0500


Derrick Brashear wrote:
>>> You can't. If we allow you to specify the 'anonymous' user, you could
>>> assign negative idwka rights to 'anonymous' on the volume-level ACL to
>>> prevent system:anyuser write access. But there is no way to prevent
>>> access for system:authuser.
>>>
>>> Note: giving a negative ACL on, say, system:anyuser would prevent _any_
>>> user from getting rights; that's not what we'd want.
>> Since system:anyuser represents all users, it seems to me we could
>> introduce a way to indicate anonymous users. Perhaps with a new
>> system group, system:anonusers which represents users that are
>> not authenticated?
>>
>> At that point we would specify a volume level negative right,
>>
>> Negative rights:
>>  system:anonusers idwka
> 
> Why do you need a group, as opposed to simply mapping 32766 to a name?

Yes, I suppose just a way to represent ANONYMOUSID (32766) would
work, but the system: prefix seems intuitive to me and more
consistent with system:anyuser and system:authuser.

Mike --
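To make the ACL semantics under discussion concrete, here is an added example (mine, not OpenAFS code) that models how AFS-style positive and negative ACL entries combine: a principal's effective rights are the union of the positive entries for every group it belongs to, minus the union of the negative entries for those groups. system:anyuser contains everyone including the unauthenticated user (ANONYMOUSID 32766, as given in the thread), and system:authuser contains only authenticated users. The group "system:anonusers" and the user names "anonymous", "alice" and "bob" with their ids are assumptions constructed for the model; the model evaluates a single ACL and does not implement volume-level ACLs.

```python
# Added example: a small model of AFS-style ACL evaluation, not OpenAFS code.
# Semantics modelled: effective rights = union of positive entries for the
# principal and its groups, minus the union of the negative entries for them.

RIGHTS = "rlidwka"           # AFS rights letters in their usual order
ANONYMOUSID = 32766          # OpenAFS ANONYMOUSID, quoted in the thread

# Constructed sample principals (not real data): "anonymous" carries
# ANONYMOUSID; "alice" and "bob" are authenticated users with made-up ids.
USERS = {"anonymous": ANONYMOUSID, "alice": 1001, "bob": 1002}


def implicit_groups(user):
    """Groups every user is in by construction of its id."""
    groups = {"system:anyuser"}                 # everyone, authenticated or not
    if USERS[user] == ANONYMOUSID:
        groups.add("system:anonusers")          # hypothetical group from the thread
    else:
        groups.add("system:authuser")           # authenticated users only
    return groups


def effective_rights(user, positive, negative, groups=None):
    """positive/negative map a principal name to a rights string, in the
    style of fs listacl output. groups optionally maps explicit group names
    to sets of member user names."""
    principals = {user} | implicit_groups(user)
    principals |= {g for g, members in (groups or {}).items() if user in members}
    granted = set()
    for p in principals:                        # union of positive entries
        granted |= set(positive.get(p, ""))
    for p in principals:                        # minus union of negative entries
        granted -= set(negative.get(p, ""))
    return "".join(c for c in RIGHTS if c in granted)


# The case the thread warns about: a negative entry on system:anyuser strips
# write rights from every user, including alice, who has rlidwka explicitly.
def negate_anyuser_example():
    positive = {"system:anyuser": "rl", "alice": "rlidwka"}
    negative = {"system:anyuser": "idwka"}
    return {u: effective_rights(u, positive, negative) for u in USERS}


# The proposal: a negative entry on a group holding only the anonymous user
# removes write rights from the unauthenticated user and nobody else.
def negate_anonusers_example():
    positive = {"system:anyuser": "rl", "alice": "rlidwka"}
    negative = {"system:anonusers": "idwka"}
    return {u: effective_rights(u, positive, negative) for u in USERS}


# Derrick's alternative: a negative entry naming the anonymous user (id 32766)
# directly has the same effect as the group, since only that user matches it.
def negate_anonymous_user_example():
    positive = {"system:anyuser": "rl", "alice": "rlidwka"}
    negative = {"anonymous": "idwka"}
    return {u: effective_rights(u, positive, negative) for u in USERS}


if __name__ == "__main__":
    for name, fn in [("negative on system:anyuser", negate_anyuser_example),
                     ("negative on system:anonusers", negate_anonusers_example),
                     ("negative on user anonymous", negate_anonymous_user_example)]:
        print(name)
        for user, rights in fn().items():
            print(f"  {user:10s} {rights or '(none)'}")
```

Running the block prints the effective rights of each sample user under the three ACLs; the first table shows alice reduced to "rl" despite her explicit rlidwka entry, the other two show only the anonymous user losing idwka.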