[OpenAFS] Re: Ideas for finer grain set acl controls

Andrew Deason adeason@sinenomine.net
Wed, 11 Nov 2009 13:51:30 -0600

On Wed, 11 Nov 2009 14:42:53 -0500
Derrick Brashear <shadow@gmail.com> wrote:

> >> You can't. If we allow you to specify the 'anonymous' user, you
> >> could assign negative idwka rights to 'anonymous' on the
> >> volume-level ACL to prevent system:anyuser write access. But there
> >> is no way to prevent access for system:authuser.
> >>
> >> Note: giving a negative ACL on, say, system:anyuser would prevent
> >> _any_ user from getting rights; that's not what we'd want.
> >
> > Since system:anyuser represents all users, it seems to me we could
> > introduce a way to indicate anonymous users. Perhaps with a new
> > system group, system:anonusers which represents users that are
> > not authenticated?

While this could be helpful, this doesn't solve the problem for the
various system:authuser groups or host groups.

> > At that point we would specify a volume level negative right,
> >
> > Negative rights:
> >   system:anonusers idwka
> Why do you need a group, as opposed to simply mapping 32766 to a name?

We already have a name, too: anonymous. Why can't we specify that in
normal ACLs now, anyway? Does it just have to do with how the ptserver
returns errors?

Andrew Deason
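A simplified model of the ACL evaluation the thread is arguing about, added here as an example and not taken from OpenAFS itself. It follows the AFS rule that a caller's effective rights are the union of the positive entries matching the caller minus the union of the negative entries matching the caller, and it shows why a negative entry on system:anyuser strips rights from everyone while a negative entry on the proposed system:anonusers (or on the anonymous user by name) only affects unauthenticated callers. The callers, the ACLs and the system:anonusers group are constructed for the example; system:anonusers does not exist in AFS, and system:authuser is modelled simply as "authenticated", ignoring its per-cell forms.

```python
"""Model of AFS-style directory ACL evaluation (added example, not OpenAFS code).

effective rights = (union of matching positive entries)
                 - (union of matching negative entries)
"""

RIGHTS = "rlidwka"          # read, lookup, insert, delete, write, lock, administer
ANONYMOUS_ID = 32766        # AFS anonymous user ID, named 'anonymous'

# Constructed callers for the example.
ANONYMOUS = {"name": "anonymous", "id": ANONYMOUS_ID,
             "authenticated": False, "groups": set()}
ALICE = {"name": "alice", "id": 1001,
         "authenticated": True, "groups": {"staff"}}
CALLERS = [ANONYMOUS, ALICE]


def matches(entry, caller):
    """Return True if ACL entry `entry` applies to `caller`.

    system:anyuser  - every caller, authenticated or not
    system:authuser - authenticated callers (simplified; real AFS is per cell)
    system:anonusers - hypothetical group from the thread: unauthenticated only
    anything else   - a user name or an ordinary pts group the caller is in
    """
    if entry == "system:anyuser":
        return True
    if entry == "system:authuser":
        return caller["authenticated"]
    if entry == "system:anonusers":          # hypothetical, per the thread
        return not caller["authenticated"]
    return entry == caller["name"] or entry in caller["groups"]


def effective_rights(acl, caller):
    """acl = {"positive": {entry: rights}, "negative": {entry: rights}}.

    Negative rights are subtracted after all positive rights are collected,
    so one matching negative entry removes a right no matter who granted it.
    """
    granted = set()
    for entry, rights in acl.get("positive", {}).items():
        if matches(entry, caller):
            granted |= set(rights)
    denied = set()
    for entry, rights in acl.get("negative", {}).items():
        if matches(entry, caller):
            denied |= set(rights)
    return "".join(r for r in RIGHTS if r in granted - denied)


def rights_for_all(acl):
    return {c["name"]: effective_rights(acl, c) for c in CALLERS}


def scenario_negative_anyuser():
    """Negative idwka on system:anyuser: everybody, alice included, drops to rl."""
    acl = {"positive": {"system:anyuser": "rlidwka"},
           "negative": {"system:anyuser": "idwka"}}
    return rights_for_all(acl)


def scenario_negative_anonusers():
    """Negative idwka on the proposed system:anonusers: only anonymous drops to rl."""
    acl = {"positive": {"system:anyuser": "rlidwka"},
           "negative": {"system:anonusers": "idwka"}}
    return rights_for_all(acl)


def scenario_negative_anonymous_user():
    """Same effect if the negative entry names the anonymous user directly."""
    acl = {"positive": {"system:anyuser": "rlidwka"},
           "negative": {"anonymous": "idwka"}}
    return rights_for_all(acl)


if __name__ == "__main__":
    print("negative on system:anyuser:   ", scenario_negative_anyuser())
    print("negative on system:anonusers: ", scenario_negative_anonusers())
    print("negative on user 'anonymous': ", scenario_negative_anonymous_user())
```

The model only answers the question of which callers a negative entry reaches; whether `fs setacl` accepts `anonymous` as an entry name is the ptserver/fileserver question the message leaves open, and the model does not claim to settle it.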