[OpenAFS] Re: Ideas for finer grain set acl controls

Michael Meffie mmeffie@sinenomine.net
Thu, 12 Nov 2009 14:51:11 -0500

Andrew Deason wrote:
> On Thu, 12 Nov 2009 11:47:12 -0500
> Michael Meffie <mmeffie@sinenomine.net> wrote:
>> Andrew Deason wrote:
>>> While this could be helpful, this don't solve the problem for the
>>> various system:authuser groups or host groups.
>> Can you expand on that a bit? What is the problem with the host ip
>> groups? As far as I can see the host rights would still be honored
>> even if we had a negative rights for the anonymous user.
> Yes, but what if you want to prevent people assigning rlidwka rights to
> a very big host group, e.g. I suppose maybe calling it a
> "problem" is a bit much; I just meant a missing feature.

Ok, I see your point there; you mean to control the
creation of host ip groups and the acls for those.  Yes,
but that seems to be a different issue, I think.

>> What are the issues with system:authuser groups that I'm not
>> seeing?
> In the format I was using... "How do I prevent people from giving
> system:authuser write/admin access?" You don't want to give a
> volume-wide negative ACL for system:authuser idwa, as that prevents any
> authenticated user from write/admin access. We don't have an entry
> analogous to the 'anonymous' user for this case, because... well, the
> accessing users aren't anonymous.
> It seems to me that restricting system:authuser would be less common
> than anyuser/anonymous, but it still could be useful; and we have other
> methods that cover the use case.

I'm failing to see a use case here. Anyone on this list have a
concrete example?

Mike --
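The point in the quoted reply, that a volume-wide negative entry for system:authuser strips rights from every authenticated user whereas a negative entry for the anonymous principal only touches unauthenticated access, is easy to see with a small model of AFS ACL evaluation. The following is an added example, not code from this thread or from OpenAFS; it models the AFS rule that a user's effective rights are the union of the positive entries they match minus the union of the negative entries they match. The group proj:writers, the user alice, and the ACLs are constructed for illustration.

```python
# Added example (not from the OpenAFS list thread): a small model of how AFS
# computes effective rights from positive and negative ACL entries, used to
# show why a negative system:authuser entry hits every authenticated user
# while a negative entry for the anonymous principal does not.
# The group, user and ACL contents below are constructed for illustration.

RIGHTS = "rlidwka"


def parse_rights(s):
    """Turn an AFS rights string such as 'rlidwk' into a set of right letters."""
    bad = set(s) - set(RIGHTS)
    if bad:
        raise ValueError("unknown rights: " + "".join(sorted(bad)))
    return set(s)


def principals_for(user, groups, authenticated):
    """Names an ACL entry can match for this user: the user itself, its
    groups, system:anyuser always, and system:authuser only when the
    connection is authenticated."""
    names = {user, "system:anyuser"}
    names |= groups.get(user, set())
    if authenticated:
        names.add("system:authuser")
    return names


def effective_rights(acl, user, groups, authenticated=True):
    """AFS semantics: union of matching positive entries minus the union of
    matching negative entries. acl = {"positive": {...}, "negative": {...}}."""
    names = principals_for(user, groups, authenticated)
    granted = set()
    for name, rights in acl["positive"].items():
        if name in names:
            granted |= parse_rights(rights)
    denied = set()
    for name, rights in acl["negative"].items():
        if name in names:
            denied |= parse_rights(rights)
    # Return in canonical AFS letter order for readability.
    return "".join(r for r in RIGHTS if r in granted - denied)


# Constructed membership: alice belongs to a project writers group.
GROUPS = {"alice": {"proj:writers"}}
POSITIVE = {"proj:writers": "rlidwk", "system:anyuser": "rl"}


def scenario_negative_anonymous():
    """Negative entry on the anonymous principal only: writers keep write."""
    acl = {"positive": POSITIVE, "negative": {"anonymous": "idwka"}}
    return {
        "alice": effective_rights(acl, "alice", GROUPS, authenticated=True),
        "anonymous": effective_rights(acl, "anonymous", GROUPS, authenticated=False),
    }


def scenario_negative_authuser():
    """Negative entry on system:authuser: every authenticated user, writers
    included, loses idwa even though the positive entry still grants it."""
    acl = {"positive": POSITIVE, "negative": {"system:authuser": "idwa"}}
    return {
        "alice": effective_rights(acl, "alice", GROUPS, authenticated=True),
        "anonymous": effective_rights(acl, "anonymous", GROUPS, authenticated=False),
    }


if __name__ == "__main__":
    print("negative anonymous:", scenario_negative_anonymous())
    print("negative authuser:", scenario_negative_authuser())
```

With the negative entry on the anonymous principal, alice keeps `rlidwk` through her group and unauthenticated access is reduced to `rl`; with the negative entry on system:authuser instead, alice is cut down to `rlk` even though proj:writers still grants her write, which is exactly the collateral damage the reply describes.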