[OpenAFS] Re: Ideas for finer grain set acl controls
Thu, 12 Nov 2009 11:32:51 -0600
On Thu, 12 Nov 2009 11:47:12 -0500
Michael Meffie <firstname.lastname@example.org> wrote:
> Andrew Deason wrote:
> > While this could be helpful, this doesn't solve the problem for the
> > various system:authuser groups or host groups.
> Can you expand on that a bit? What is the problem with the host ip
> groups? As far as I can see the host rights would still be honored
> even if we had a negative rights for the anonymous user.
Yes, but what if you want to prevent people assigning rlidwka rights to
a very big host group, e.g. 22.214.171.124? I suppose maybe calling it a
"problem" is a bit much; I just meant a missing feature.
> What are the issues with system:authuser groups that I'm not
In the format I was using... "How do I prevent people from giving
system:authuser write/admin access?" You don't want to give a
volume-wide negative ACL for system:authuser idwa, as that prevents any
authenticated user from write/admin access. We don't have an entry
analogous to the 'anonymous' user for this case, because... well, the
accessing users aren't anonymous.
It seems to me that restricting system:authuser would be less common
than anyuser/anonymous, but it still could be useful; and we have other
methods that cover the use case.
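As an added illustration of the evaluation rule this reply relies on (positive entries are unioned, then every matching negative entry is subtracted), here is a small model of AFS directory ACL checking. It is not code from the thread or from OpenAFS; the system:anyuser and system:authuser names follow AFS conventions, and the host group name is a constructed placeholder.

```python
# Added example: minimal model of AFS ACL evaluation, showing why a
# volume-wide negative entry for system:authuser strips rights from every
# authenticated user, even one granted rlidwka explicitly.
from typing import Dict, FrozenSet, Set

RIGHTS = "rlidwka"           # canonical AFS right letters, in display order
ANYUSER = "system:anyuser"   # matches every access, authenticated or not
AUTHUSER = "system:authuser" # matches any authenticated user
HOST_GROUP = "host-group"    # constructed stand-in for an IP-based group


def principals_for(user: str, authenticated: bool, groups: FrozenSet[str]) -> Set[str]:
    """All ACL entry names that apply to one access by `user`."""
    names: Set[str] = {ANYUSER} | set(groups)
    if authenticated:
        names |= {user, AUTHUSER}
    return names


def effective_rights(pos: Dict[str, str], neg: Dict[str, str], user: str,
                     authenticated: bool, groups: FrozenSet[str] = frozenset()) -> str:
    """AFS rule: union of matching positive entries minus union of matching negatives."""
    who = principals_for(user, authenticated, groups)
    granted = set().union(*(set(r) for name, r in pos.items() if name in who))
    denied = set().union(*(set(r) for name, r in neg.items() if name in who))
    return "".join(c for c in RIGHTS if c in granted and c not in denied)


if __name__ == "__main__":
    # Constructed ACL: alice has full rights, the world can read, a host
    # group can write; an admin then adds a negative system:authuser idwa.
    pos = {"alice": "rlidwka", ANYUSER: "rl", HOST_GROUP: "rlidw"}
    neg = {AUTHUSER: "idwa"}
    print("alice, authenticated:", effective_rights(pos, neg, "alice", True))   # rlk
    print("anonymous client:   ", effective_rights(pos, neg, "anon", False))    # rl
    print("host-group, anon:   ", effective_rights(pos, neg, "anon", False,
                                                    frozenset({HOST_GROUP})))  # rlidw
```

The last line shows the point made upthread: the negative authuser entry only bites authenticated users, so an unauthenticated client in the host group keeps its host rights.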