[OpenAFS] Re: fileserver user CPS duration

Andrew Deason adeason@sinenomine.net
Fri, 30 Aug 2013 09:39:45 -0500


On Fri, 30 Aug 2013 09:16:02 -0400 (EDT)
stephen@physics.unc.edu wrote:

> I don't see an obvious positive answer to this, but is there any way
> to change the duration of the fileserver's CPS for users?

No. There is no frequency/duration to change, since we do not touch the
client CPS after the connection has been established.

For anyone reading that doesn't know what "CPS" means, look up "Current
Protection Subdomain". It's basically the list of group ids a user is
in, so you need to recalculate CPS to reflect a change in group
membership.

> It seems that the ability to shorten this from the token lifetime to a
> shorter, but still reasonable value -- a few hours -- would be a good
> idea, at least for fileservers and ptservers that aren't overloaded.

I'm not sure why you want to do this. I believe the design behind this
was to emulate standard Unix group calculation; your groups are assigned
when you log in, and if you want group changes to take effect, you log out
and log in again. (Or with AFS, you can just re-aklog.)

You can, of course, just lower the maximum token lifetime. Or, you can
trigger it manually. You should be able to manually recalculate CPS in
1.6.6 by running a command, if you want to trigger it based on an event
(e.g. revoking someone's rights).

-- 
Andrew Deason
adeason@sinenomine.net