[OpenAFS] Re: Supergroups and ACL inheritance

Michael Meffie mmeffie@sinenomine.net
Mon, 28 Feb 2011 09:46:52 -0500


Andrew Deason wrote:
>> It seemed like a more logical way to organize group memberships and
>> established relationships between groups and sub-groups. But maybe my
>> understanding on this topic is a little off.
> 
> I tend to think of groups with a colon in them as more... unofficial, or
> per-user/per-group. That is, they are "convenience" groups created by a
> user or group, and not something to be messed with by administrators, or
> as part of official policy ("the administrators of group0 go in group
> group0.admins"). Instead, they are groups like adeason:friends, for
> "adeason's friends", that's only really used by adeason, and only
> adeason controls it.

Note that the AFS Admin Guide refers to "regular" groups and
"prefix-less" groups.  A group like adeason:friends is called a regular
group and is owned by the regular user adeason.

Prefix-less groups do not have the colon and are meant to be used
for groups which do not have a specific user as an owner. Those groups
must be created by system:administrators.

You can create a group and set the owner of the group to be itself
or another group. The documentation calls the former a "self-owned"
group.  See Creating Groups, http://doc.openafs.org/AdminGuide/ch14s05.html#HDRWQ545

As others have said, the term supergroups is something else. Supergroups
refers to the feature where a group can be a member of a group, in
addition to users being members of groups.  This is not yet documented in
the Admin Guide.

> Say I want to let everyone in 'staff' access some new tool I wrote in
> ~adeason/code. But I don't want to let user mmeffie (who is in 'staff')
> access it, because he complains about the way I drink whiskey.

Fair point.
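As an added illustration of the naming rules and the supergroup feature described above (a toy model constructed for this note, not OpenAFS or pts code): regular "user:name" groups are created by the prefix user, prefix-less groups only by system:administrators, a group may own itself, and a group can be a member of another group. The transitive membership semantics and the sample names admin, staff and ops are assumptions.

```python
from collections import deque

ADMIN_GROUP = "system:administrators"

class Groups:
    def __init__(self):
        # Bootstrap the administrators group; all others go through create().
        self.members = {ADMIN_GROUP: set()}  # group -> members (users or groups)
        self.owner = {ADMIN_GROUP: ADMIN_GROUP}

    def create(self, name, creator, owner=None):
        # "user:name" only by that user; prefix-less only by an administrator.
        if name in self.members:
            raise ValueError(f"group {name} already exists")
        if ":" in name:
            if name.split(":", 1)[0] != creator:
                raise PermissionError(f"{creator} may not create {name}")
        elif not self.is_member(creator, ADMIN_GROUP):
            raise PermissionError(f"prefix-less {name} needs {ADMIN_GROUP}")
        self.members[name] = set()
        # Owner defaults to the creator; a group, even this one, may own it.
        self.owner[name] = creator if owner is None else owner

    def add(self, group, member):
        self.members[group].add(member)

    def is_member(self, who, group):
        # Assumed supergroup semantics: transitive through nested groups.
        seen, queue = set(), deque([group])
        while queue:
            g = queue.popleft()
            if g in seen:  # visited set keeps any cycle finite
                continue
            seen.add(g)
            for m in self.members.get(g, ()):
                if m == who:
                    return True
                if m in self.members:  # nested group: descend into it
                    queue.append(m)
        return False

def demo():
    db = Groups()
    db.add(ADMIN_GROUP, "admin")
    db.create("staff", "admin")              # prefix-less, created by an admin
    db.add("staff", "mmeffie")
    db.create("adeason:friends", "adeason")  # regular group owned by adeason
    db.create("ops", "admin", owner="ops")   # self-owned prefix-less group
    db.add("adeason:friends", "staff")       # supergroup: a group as a member
    return db
```

With staff nested inside adeason:friends, mmeffie is resolved as a member of adeason:friends even though he was never added to it directly, which is exactly the situation the quoted scenario worries about.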