[OpenAFS] pts removeuser not resulting in loss of access

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 17 Mar 2012 00:17:05 -0400

On 3/16/2012 6:27 PM, Oguzhan Eris wrote:
> Hi,
> I've been trying to figure out if this is documented/expected behavior
> with openafs (1.4.11).
> UserA has valid tokens and does not have access to directory /foo.
> /foo has an acl giving group:bar all access (UserA is not part of this group).
> UserB adds UserA to group:bar.
> UserA still can't access /foo until he does an ak5log (I think I
> understand why this is the case).
> With the renewed tokens he is able to access /foo.
> UserB removes UserA from group:bar.
> UserA can still read from /foo and still write to it as well, and will
> continue to do so on each machine he has a session until his tokens
> expire (length of kerberos ticket, so up to 7 days) or does an
> ak5log/kinit himself.

Authentication and Group Memberships are computed each time a new
RPC connection is established from a client to a file server.  New
connections are created as one of the side effects of acquiring new
tokens, token expiration, token destruction (unlog), or PAG creation.

In AFS, there is no mechanism for the Protection Service to notify a
file server when an issued CPS response would need to change.  Polling
the Protection service on each incoming RPC has significant performance

The cacheout command (src/venus/cacheout.c) can be used to force
ACL invalidation across file servers for specific userids and client
IP addresses.

Jeffrey Altman
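The following is an added illustration, not part of the original thread or of OpenAFS: a simplified model in which the file server snapshots a caller's group memberships (its CPS) when an RPC connection is set up, so a `pts adduser` or `pts removeuser` only becomes visible to that client once the connection is rebuilt (aklog, unlog, token expiry) or explicitly invalidated (the cacheout case). Class names, the host label and the `rlidwka` rights string are constructed for the example.

```python
"""Toy model of connection-scoped CPS caching in an AFS file server.
Constructed illustration; not OpenAFS source code."""
from dataclasses import dataclass, field

@dataclass
class ProtectionServer:                          # stands in for the ptserver
    groups: dict = field(default_factory=dict)   # group name -> set of members
    def cps(self, user):                         # memberships as the ptserver sees them now
        return {user} | {g for g, members in self.groups.items() if user in members}

@dataclass
class FileServer:
    pts: ProtectionServer
    acls: dict = field(default_factory=dict)     # path -> {principal: rights string}
    conns: dict = field(default_factory=dict)    # (user, host) -> CPS cached at connect time
    def connect(self, user, host):               # new RPC connection: CPS fetched once
        self.conns[(user, host)] = self.pts.cps(user)
    def invalidate(self, user, host):            # unlog, token expiry, or cacheout
        self.conns.pop((user, host), None)
    def allowed(self, user, host, path, right):
        if (user, host) not in self.conns:       # no live connection: client must re-authenticate
            self.connect(user, host)
        acl = self.acls.get(path, {})
        return any(right in acl.get(p, "") for p in self.conns[(user, host)])

def scenario():
    """Replays the report above; returns (step, write-access?) after each step."""
    pts = ProtectionServer({"group:bar": {"userB"}})
    fs = FileServer(pts, {"/foo": {"group:bar": "rlidwka"}})   # "all" rights for the group
    steps = []
    fs.connect("userA", "host1")                               # UserA already holds tokens
    steps.append(("initial", fs.allowed("userA", "host1", "/foo", "w")))
    pts.groups["group:bar"].add("userA")                       # UserB: pts adduser
    steps.append(("after adduser, old connection", fs.allowed("userA", "host1", "/foo", "w")))
    fs.connect("userA", "host1")                               # UserA runs aklog: new connection
    steps.append(("after aklog", fs.allowed("userA", "host1", "/foo", "w")))
    pts.groups["group:bar"].discard("userA")                   # UserB: pts removeuser
    steps.append(("after removeuser, old connection", fs.allowed("userA", "host1", "/foo", "w")))
    fs.invalidate("userA", "host1")                            # cacheout / unlog / token expiry
    steps.append(("after invalidation", fs.allowed("userA", "host1", "/foo", "w")))
    return steps

if __name__ == "__main__":
    for step, ok in scenario():
        print(f"{step:35s} write to /foo: {ok}")
```

The fourth step is the reported problem: removal is only enforced once the cached connection is torn down, which is what cacheout does for a given user id and client address.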
