[OpenAFS] Re: pts removeuser not resulting in loss of access
Fri, 16 Mar 2012 17:39:56 -0500
On Fri, 16 Mar 2012 18:27:32 -0400
Oguzhan Eris <email@example.com> wrote:
> Can someone explain why the "writes" don't at least try to recheck the
> pts memberships?
Group membership is calculated on connecting to a server, which usually
happens after token acquisition. Calculating this on every access from
the client (even just writes) could be prohibitively slow. This model is
pretty common; the same thing happens on unix systems if you add or
remove someone from a group.
There are ways of forcing the group membership to be recalculated if you
really need to revoke access _now_, but there's not much good tooling
for it. I just haven't really seen any demand.