[OpenAFS] Re: Ideas for finer grain set acl controls

Michael Meffie mmeffie@sinenomine.net
Thu, 12 Nov 2009 11:47:12 -0500


Andrew Deason wrote:
> On Wed, 11 Nov 2009 14:42:53 -0500
> Derrick Brashear <shadow@gmail.com> wrote:
> 
>>>> You can't. If we allow you to specify the 'anonymous' user, you
>>>> could assign negative idwka rights to 'anonymous' on the
>>>> volume-level ACL to prevent system:anyuser write access. But there
>>>> is no way to prevent access for system:authuser.
>>>>
>>>> Note: giving a negative ACL on, say, system:anyuser would prevent
>>>> _any_ user from getting rights; that's not what we'd want.
>>> Since system:anyuser represents all users, it seems to me we could
>>> introduce a way to indicate anonymous users. Perhaps with a new
>>> system group, system:anonusers which represents users that are
>>> not authenticated?
> 
> While this could be helpful, this doesn't solve the problem for the
> various system:authuser groups or host groups.

Can you expand on that a bit? What is the problem with the host ip
groups? As far as I can see the host rights would still be honored
even if we had negative rights for the anonymous user.

What are the issues with system:authuser groups that I'm not
seeing?

> 
>>> At that point we would specify a volume level negative right,
>>>
>>> Negative rights:
>>>  system:anonusers idwka
>> Why do you need a group, as opposed to simply mapping 32766 to a name?
> 
> We already have a name, too: anonymous. Why can't we specify that in
> normal ACLs now, anyway? Does it just have to do with how the ptserver
> returns errors?
> 

I suspect there are error handling implications, because 32766 cannot be a
pts id.
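
The following is an added example, not part of the original message and not OpenAFS code. It models the AFS evaluation rule (rights from every matching normal entry are unioned, then rights from every matching negative entry are removed) to show why a negative entry on system:anyuser strips rights from every user, while a negative entry on 'anonymous' would not. Accepting 'anonymous' as an ACL entry is the thread's hypothetical, and the user names and ACL contents are constructed.

```python
# Added illustration: simplified model of AFS ACL evaluation, not OpenAFS code.
ANONYMOUS = "anonymous"   # the unauthenticated identity (id 32766 in the thread)
RIGHTS_ORDER = "rlidwka"  # AFS rights letters in their usual display order


def matching_ids(user, groups=()):
    """Names an ACL entry can match for this caller (simplified protection set)."""
    ids = {user, "system:anyuser"}
    if user != ANONYMOUS:
        ids.add("system:authuser")  # authenticated callers only
    ids.update(groups)
    return ids


def effective_rights(acl, user, groups=()):
    """Union of matching normal rights minus union of matching negative rights."""
    ids = matching_ids(user, groups)
    granted, denied = set(), set()
    for name, rights in acl.get("normal", {}).items():
        if name in ids:
            granted |= set(rights)
    for name, rights in acl.get("negative", {}).items():
        if name in ids:
            denied |= set(rights)
    return "".join(r for r in RIGHTS_ORDER if r in granted - denied)


# Constructed sample ACL: a directory that is writable by anyone.
NORMAL = {"system:anyuser": "rlidwk", "alice": "rlidwka"}

# Negative entry on system:anyuser: matches every caller, authenticated or not.
NEG_ANYUSER = {"normal": NORMAL, "negative": {"system:anyuser": "idwka"}}

# Hypothetical (from the thread): negative entry naming 'anonymous' directly.
NEG_ANON = {"normal": NORMAL, "negative": {ANONYMOUS: "idwka"}}

if __name__ == "__main__":
    for label, acl in (("neg system:anyuser", NEG_ANYUSER),
                       ("neg anonymous", NEG_ANON)):
        for user in (ANONYMOUS, "bob", "alice"):
            print(f"{label:20} {user:10} {effective_rights(acl, user) or '-'}")
```

With the 'anonymous' entry, the authenticated user bob still holds write rights through system:anyuser, so revoking them for all authenticated users would take a separate negative entry on system:authuser, which would also hit alice.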