[OpenAFS] Re: Ideas for finer grain set acl controls

Andrew Deason adeason@sinenomine.net
Thu, 12 Nov 2009 11:32:51 -0600


On Thu, 12 Nov 2009 11:47:12 -0500
Michael Meffie <mmeffie@sinenomine.net> wrote:

> Andrew Deason wrote:
> > While this could be helpful, this doesn't solve the problem for the
> > various system:authuser groups or host groups.
> 
> Can you expand on that a bit? What is the problem with the host ip
> groups? As far as I can see the host rights would still be honored
> even if we had a negative rights for the anonymous user.

Yes, but what if you want to prevent people assigning rlidwka rights to
a very big host group, e.g. 18.0.0.0? I suppose maybe calling it a
"problem" is a bit much; I just meant a missing feature.

> What are the issues with system:authuser groups that I'm not
> seeing?

In the format I was using... "How do I prevent people from giving
system:authuser write/admin access?" You don't want to give a
volume-wide negative ACL for system:authuser idwa, as that prevents any
authenticated user from write/admin access. We don't have an entry
analogous to the 'anonymous' user for this case, because... well, the
accessing users aren't anonymous.

It seems to me that restricting system:authuser would be less common
than anyuser/anonymous, but it still could be useful; and we have other
methods that cover the use case.

-- 
Andrew Deason
adeason@sinenomine.net
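The point about system:authuser above, as an added illustration that is not part of the thread or of OpenAFS code: a small model of AFS-style ACL evaluation (union of matching positive rights minus union of matching negative rights), with a constructed ACL and constructed users, showing that a volume-wide negative entry for system:authuser strips write/admin rights from every authenticated user, including members of a group that was granted them explicitly.

```python
# Added example (not from the thread): models how AFS combines positive and
# negative ACL entries. The Principal type and the sample ACL are constructed.
from dataclasses import dataclass, field

RIGHTS = "rlidwka"  # AFS directory rights, in their usual display order


@dataclass
class Principal:
    name: str
    authenticated: bool = False
    groups: set = field(default_factory=set)  # pts groups the user belongs to


def matches(entry_name: str, p: Principal) -> bool:
    """Does an ACL entry name apply to this principal?"""
    if entry_name == "system:anyuser":      # everyone, authenticated or not
        return True
    if entry_name == "system:authuser":     # anyone with valid tokens
        return p.authenticated
    return entry_name == p.name or entry_name in p.groups


def effective_rights(acl: dict, p: Principal) -> str:
    """AFS semantics: rights = (union of matching positive entries)
    minus (union of matching negative entries)."""
    granted, denied = set(), set()
    for name, rights in acl.get("positive", {}).items():
        if matches(name, p):
            granted |= set(rights)
    for name, rights in acl.get("negative", {}).items():
        if matches(name, p):
            denied |= set(rights)
    return "".join(r for r in RIGHTS if r in granted and r not in denied)


# Constructed ACL: the "volume-wide negative system:authuser idwa" case.
SAMPLE_ACL = {
    "positive": {"system:authuser": "rlidwka", "system:anyuser": "rl",
                 "staff": "rlidwka"},
    "negative": {"system:authuser": "idwa"},
}

if __name__ == "__main__":
    for user in (Principal("anonymous"),
                 Principal("alice", authenticated=True),
                 Principal("bob", authenticated=True, groups={"staff"})):
        print(user.name, "->", effective_rights(SAMPLE_ACL, user) or "(none)")
```

Even bob, who is in the staff group that was granted full rights, ends up with only rlk, which is exactly why the negative entry cannot be used to police grants without also locking out legitimate authenticated users.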