[OpenAFS] Re: fileserver user CPS duration
Tue, 3 Sep 2013 10:20:24 -0400 (EDT)
Thanks for the explanation.
The use case I was thinking of is exactly what you mention: revoking
someone's rights by removing them from a group. Right or wrong, users'
expectations seem to be "I removed a user from a group, s/he is immediately
denied access to the affected directories."
Being able to tell the user "changes to groups may take 1 (or 2 or
whatever) hours to take effect" is a reasonable compromise, but I'm not
sure 24 (or more) hours for tokens to expire is.
What's the 1.6.6 command to recalculate user CPSes, just for my
On Fri, 30 Aug 2013, Andrew Deason wrote:
> On Fri, 30 Aug 2013 09:16:02 -0400 (EDT)
> firstname.lastname@example.org wrote:
>> I don't see an obvious positive answer to this, but is there any way
>> to change the duration of the fileserver's CPS for users?
> No. There is no frequency/duration to change, since we do not touch the
> client CPS after the connection has been established.
> For anyone reading that doesn't know what "CPS" means, look up "Current
> Protection Subdomain". It's basically the list of group ids a user is
> in, so you need to recalculate CPS to reflect a change in group
>> It seems that the ability to shorten this from the token lifetime to a
>> shorter, but still reasonable value -- a few hours -- would be a good
>> idea, at least for fileservers and ptservers that aren't overloaded.
> I'm not sure why you want to do this. I believe the design behind this
> was to emulate standard unix group calculation; your groups are assigned
> when you login, and if you want group changes to take effect, you logout
> and login again. (or with AFS, you can just re-aklog)
> You can, of course, just lower the maximum token lifetime. Or, you can
> trigger it manually. You should be able to manually recalculate CPS in
> 1.6.6 by running a command, if you want to trigger it based on an event
> (e.g. revoking someone's rights).
> Andrew Deason
> OpenAFS-info mailing list