[OpenAFS] Re: pts removeuser not resulting in loss of access

Andrew Deason adeason@sinenomine.net
Fri, 16 Mar 2012 17:39:56 -0500

On Fri, 16 Mar 2012 18:27:32 -0400
Oguzhan Eris <eris@ekls.com> wrote:

> Can someone explain why the "writes" don't at least try to recheck the
> pts memberships?

Group membership is calculated on connecting to a server, which usually
happens after token acquisition. Calculating this on every access from
the client (even just writes) could be prohibitively slow. This model is
pretty common; the same thing happens on unix systems if you add or
remove someone from a group.

There are ways of forcing the group membership to be recalculated if you
really need to revoke access _now_, but there's not much good tooling
for it. I just haven't really seen any demand.

Andrew Deason