[OpenAFS] Re: Supergroups and ACL inheritance

Derrick Brashear shadow@gmail.com
Fri, 25 Feb 2011 19:16:34 -0500


On Fri, Feb 25, 2011 at 12:11 AM, Andrew Deason <adeason@sinenomine.net> wrote:
> On Thu, 24 Feb 2011 18:01:10 -0700
> Thomas Smith <theitsmith@gmail.com> wrote:
>
>> Groups:
>> * group0 - The primary group for office location "group0".
>> * group0:admins - Office administrations for "group0".
>
> I assume you added group0:admins to group0? You don't say that, but you
> mention supergroups... but it doesn't seem to be too relevant to this. A
> 'supergroup' is when you add a group as a member of another group; I'm
> not sure if that's what you meant. You do that by running something like
> 'pts addu group0:admins group0'.

He means that thing Esther Filderman also calls supergroups, that I
have never heard anyone else speak of.

> You also probably don't want to name the groups that way. The colon in
> group names is a special delimiter, indicating that group0:admins is
> owned by group0 (iirc, pts will not let you create that group unless you
> specify it as owned by group0).

pts chown group0:admins group0:admins

> So, members of group0 will be able to
> add and remove members to/from group0:admins. That doesn't seem like
> what you want.
>
> You could create a group called group0 and a group called group0.admins
> (or groups called group0.members and group0.admins), and have the admins
> 'own' the non-admin group. You can specify ownership via 'pts createg
> -owner' or 'pts chown'.

note that you can't make a self-owned group directly:
pts cg group0:foo -o group0:foo -c dem
pts: User or group doesn't exist ; unable to create group group0:foo
with id 0 owned by 'group0:foo'


>> I've looked for examples of how to set up supergroups as well as how to
>> work with AFS's ACL inheritance and haven't found much.
>
> We surprisingly don't mention supergroups in any manpages except for
> 'pts membership'. We should add something in 'pts adduser' and 'pts
> removeuser', probably. But they should be rather intuitive; I don't
> think you're getting tripped up on supergroups.

see above for this confusion.

> "ACL inheritance" doesn't happen much in AFS, if I'm understanding that
> term correctly. That is, the permissions you have or do not have in parent
> directories don't really affect you in lower directories (except
> inasmuch as you can actually reach the lower directories).

ACL inheritance happens when you create a child directory, one time,
and subsequent changes to the parent are not inherited.

Otherwise, I agree with Andrew.
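
Added example, not part of the original message or of OpenAFS: because a new directory copies its parent's ACL once and never follows later changes, a tree can drift from what the parent now says. This Python sketch parses text in the layout printed by 'fs listacl' and reports each child entry that differs from its parent. The cell path and user name are constructed; the group names follow the group0.admins / group0.members suggestion quoted above.

```python
import posixpath

# Constructed sample in the layout printed by `fs listacl`; path and user are made up.
SAMPLE = """\
Access list for /afs/example.org/group0 is
Normal rights:
  group0.admins rlidwka
  group0.members rl
Access list for /afs/example.org/group0/old is
Normal rights:
  group0.admins rlidwka
  group0.members rlidwk
Access list for /afs/example.org/group0/new is
Normal rights:
  group0.admins rlidwka
  group0.members rl
Negative rights:
  exampleuser rl
"""

def parse_listacl(text):
    """Return {path: {(sign, principal): rights}}; sign is '+' or '-'."""
    acls, path, sign = {}, None, "+"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Access list for ") and s.endswith(" is"):
            path = s[len("Access list for "):-len(" is")]
            acls[path], sign = {}, "+"
        elif s == "Normal rights:":
            sign = "+"
        elif s == "Negative rights:":
            sign = "-"
        elif s and path is not None:
            principal, rights = s.rsplit(None, 1)
            acls[path][(sign, principal)] = rights
    return acls

def drift(acls):
    """List (child, (sign, principal), parent_rights, child_rights) mismatches."""
    out = []
    for child in sorted(acls):
        parent = posixpath.dirname(child)
        if parent not in acls:
            continue  # top of the audited tree: nothing to compare against
        for key in sorted(set(acls[parent]) | set(acls[child])):
            p, c = acls[parent].get(key, ""), acls[child].get(key, "")
            if p != c:
                out.append((child, key, p, c))
    return out
```

Calling drift(parse_listacl(SAMPLE)) flags the extra write rights for group0.members on .../old and the negative entry on .../new, neither of which the parent carries.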