[OpenAFS] pts removeuser not resulting in loss of access

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 17 Mar 2012 00:17:05 -0400


On 3/16/2012 6:27 PM, Oguzhan Eris wrote:
> Hi,
>
> I've been trying to figure out if this is documented/expected behavior
> with openafs (1.4.11).
>
> UserA has valid tokens and does not have access to directory /foo
> /foo has an acl giving group:bar all access (UserA is not part of this group)
> UserB adds UserA to group:bar
> UserA still can't access /foo until he does an ak5log (I think I
> understand why this is the case)
> With the renewed tokens he is able to access /foo
> UserB removes UserA from group:bar
> UserA can still read from /foo and still write to it as well, and will
> continue to do so on each machine he has a session until his tokens
> expire (length of Kerberos ticket, so up to 7 days) or does an
> ak5log/kinit himself.

Authentication and Group Memberships are computed each time a new
RPC connection is established from a client to a file server.  New
connections are created as one of the side effects of acquiring new
tokens, token expiration, token destruction (unlog), or PAG creation.

In AFS, there is no mechanism for the Protection Service to notify a
file server when an issued CPS response would need to change.  Polling
the Protection service on each incoming RPC has significant performance
limitations.

The cacheout command (src/venus/cacheout.c) can be used to force
ACL invalidation across file servers for specific userids and client
IP addresses.

Jeffrey Altman
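The behaviour described in this exchange, as an added example that is not part of the original message or of OpenAFS: a small Python model in which the file server asks the protection server for a client's CPS (current protection subdomain, i.e. the user plus the groups containing the user) only when an RPC connection is established, caches it for the life of that connection, and re-queries only when an explicit flush (what cacheout requests from each file server) clears the cache. The names UserA, UserB, group bar and /foo mirror the thread; the classes, method names and the simplifications (positive rights only, no negative ACL entries, no IP-keyed invalidation, tokens represented only by the connection they create) are assumptions of this model, not OpenAFS code.

```python
"""Model of per-connection CPS caching on an AFS file server.

Added example, not OpenAFS code. Simplifications (assumptions): positive
rights only, no negative ACL entries, no IP-address keyed invalidation,
and a token is represented only by the RPC connection it establishes.
"""

# Hypothetical names mirroring the thread: UserA, UserB, group bar, /foo.
ALL_RIGHTS = frozenset("rlidwka")   # AFS "all": read lookup insert delete write lock admin


class ProtectionServer:
    """Stands in for ptserver: holds group memberships and answers CPS queries."""

    def __init__(self):
        self.groups = {}            # group name -> set of member user names

    def adduser(self, user, group):          # pts adduser
        self.groups.setdefault(group, set()).add(user)

    def removeuser(self, user, group):       # pts removeuser
        self.groups.get(group, set()).discard(user)

    def cps(self, user):
        """Current Protection Subdomain: the user plus every group containing them."""
        return frozenset({user, "system:anyuser", "system:authuser"}
                         | {g for g, members in self.groups.items() if user in members})


class FileServer:
    """Caches the CPS per RPC connection; recomputes only on a new connection or a flush."""

    def __init__(self, ptserver):
        self.pt = ptserver
        self.acls = {}              # path -> {entity: set of rights}
        self.conns = {}             # connection id -> [user, cached CPS or None]

    def setacl(self, path, entity, rights):  # fs setacl
        self.acls.setdefault(path, {})[entity] = set(rights)

    def new_connection(self, conn, user):
        """Acquiring tokens, token expiry, unlog or PAG creation all lead here:
        the CPS is fetched from the protection server exactly once."""
        self.conns[conn] = [user, self.pt.cps(user)]

    def flush_cps(self, user):
        """What cacheout asks each file server to do for the given user id."""
        for entry in self.conns.values():
            if entry[0] == user:
                entry[1] = None          # next RPC re-queries the protection server

    def permitted(self, conn, path, right):
        """Evaluate the ACL on `path` against the CPS cached for this connection."""
        user, cps = self.conns[conn]
        if cps is None:                  # cache was flushed: recompute lazily
            cps = self.pt.cps(user)
            self.conns[conn][1] = cps
        granted = set()
        for entity, rights in self.acls.get(path, {}).items():
            if entity in cps:
                granted |= rights
        return right in granted


def scenario():
    """Replay the thread's steps; returns the access result observed after each."""
    pt = ProtectionServer()
    fs = FileServer(pt)
    fs.setacl("/foo", "bar", ALL_RIGHTS)       # /foo: group bar gets all

    results = {}
    fs.new_connection("A-conn1", "UserA")     # UserA has valid tokens
    results["initial"] = fs.permitted("A-conn1", "/foo", "r")

    pt.adduser("UserA", "bar")                # UserB: pts adduser UserA bar
    results["after_adduser"] = fs.permitted("A-conn1", "/foo", "r")

    fs.new_connection("A-conn2", "UserA")     # UserA re-runs aklog: new tokens, new connection
    results["after_aklog"] = fs.permitted("A-conn2", "/foo", "w")

    pt.removeuser("UserA", "bar")             # UserB: pts removeuser UserA bar
    results["after_removeuser"] = fs.permitted("A-conn2", "/foo", "w")

    fs.flush_cps("UserA")                     # admin runs cacheout for UserA's id
    results["after_cacheout"] = fs.permitted("A-conn2", "/foo", "w")
    return results


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:18s} access={'granted' if ok else 'denied'}")
```

Running the script prints the same sequence the original poster observed: denied, still denied after adduser (stale CPS on the old connection), granted after new tokens, still granted after removeuser (stale CPS again), and denied only once the CPS is flushed. The practical point for an operator is the last two lines: removing a user from a group is not a revocation until every file server's cached CPS for that user is invalidated, so group removal for a departing user should be paired with cacheout (or the user's tokens being destroyed) rather than relied on by itself.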

