[OpenAFS] Is member of a machine group honored as system:authuser?
Garance A Drosehn
drosih@rpi.edu
Wed, 24 Jan 2018 22:11:37 -0500
On 24 Jan 2018, at 14:31, Ximeng Guan wrote:
> I would expect that a local user on 10.12.8.31, even without an AFS
> token, would be able to "cd" into the top directory of the cell. But
> in reality that does not happen. An unauthenticated user is denied
> access.
>
> When I explicitly put "machinegrp rl" on the ACL of the cell's top
> directory (root.cell), an unauthenticated user is indeed able to
> access the AFS space.
>
> This is not quite convenient, because to allow the user of that
> specific machine to launch a license software installed in a certain
> (deep) directory under AFS, for example
> /afs/cellname/tools/vendors/abc/softwarexx/bin, we would have to
> explicitly place "machinegrp l" on the ACL of the parent directories
> of ./bin from /softwarexx all the way up to /cellname.
>
> Then if we have another software and another machine group, we will
> have to do the same again, and the ACL of our root.cell directory will
> soon be populated with machine group entries. That does not seem to be
> an elegant solution.
Well, one thing you could do is create one PTS group, add the individual
machine-groups to that common PTS group, and then use the common PTS
group for permitting directories. And then when you get to a directory
which has to be permitted to just one of those machines (and not to any
other machine groups), you'd use the individual machine-group instead of
the common one.
I use IP-based permissions for a few things. In at least one case, it
looks like I created a single group, and then kept adding the IP
addresses as new entries in that one PTS group.
You might also have to log out and log back in again. I have a vague
memory that PTS groups are only evaluated at login time. I'm not sure
that works with machine-groups.
--
Garance Alistair Drosehn = drosih@rpi.edu
Senior Systems Programmer or gad@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
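The layout suggested in the reply above (a common PTS group given lookup rights on every directory along the path, and the individual machine group given rights only on the final directory), written out as an added example that is not part of the original thread. It assumes the OpenAFS fs command is on PATH; the cell name and the group names commongrp and machinegrp are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a deep AFS directory, grant a
# common PTS group lookup ("l") on every ancestor up to the cell root, and grant
# the individual machine group read+lookup ("rl") on the target directory only.
# Assumptions: OpenAFS "fs" is on PATH; group names are placeholders.
# Set FS=echo to print the fs commands instead of running them.
FS="${FS:-fs}"

# List the ancestors of $2, from cell root $1 down to (not including) $2.
ancestors() {
    root="$1"; target="$2"
    case "$target" in
        "$root"/*) ;;
        *) echo "ancestors: $target is not under $root" >&2; return 1 ;;
    esac
    rel="${target#"$root"/}"                 # path relative to the cell root
    echo "$root"
    rel_parent="${rel%/*}"                   # drop the final component
    [ "$rel_parent" = "$rel" ] && return 0   # target sits directly under root
    cur="$root"
    old_ifs="$IFS"; IFS=/
    for comp in $rel_parent; do
        cur="$cur/$comp"
        echo "$cur"
    done
    IFS="$old_ifs"
}

# $1 cell root, $2 target dir, $3 common group (gets "l" on the whole chain),
# $4 machine group for this directory (gets "rl" on the target only).
grant_chain() {
    root="$1"; target="$2"; common="$3"; machine="$4"
    ancestors "$root" "$target" | while read -r d; do
        "$FS" setacl -dir "$d" -acl "$common" l
    done
    "$FS" setacl -dir "$target" -acl "$machine" rl
}
```

Run it as `FS=echo sh script.sh` first to review the exact fs setacl calls before applying them to the cell.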