[OpenAFS] Question for admins regarding pts membership output

Dave Botsch botsch@cnf.cornell.edu
Wed, 13 Jul 2022 10:07:59 -0400


I suspect our user deprovisioning scripts would break by trying to
explicitly remove users from those groups. Though would be easy enough
to fix. And I'm in favor of having this extra output.

Two questions/thoughts would be:

1) If this is a "backwards-incompatible" change (is it?) should it be
reserved for the next major version upgrade (2.0) ?

2) Use of a flag to pts membership to include (or not include) explicit
and implicit membership, as I might very well want to filter the
output... the question then becomes which way should be the "default"?

thanks.

On Wed, Jul 13, 2022 at 09:49:29AM -0400, Jeffrey E Altman wrote:
> The Protection Service groups fall into two categories. Those with
> explicit membership lists and those with implicit membership lists. For
> example, the "system:anyuser" and "system:authuser" groups are implicit
> whereas "system:administrators", "system:ptsviewers", and
> "system:authuser@foreign-realm" groups are explicit.
>
> The output of "pts membership" only includes memberships in explicit
> membership groups. This has a negative impact on inexperienced end users that
> might be unaware that they are members of the "system:anyuser" and
> "system:authuser" groups. This behavior also leads to an inconsistency
> between the behavior for foreign and local users because foreign users are
> not members of "system:authuser" and are members of
> "system:authuser@foreign" which is included in the membership list because
> that group has an explicit membership list.
>
> The AuriStorFS Protection service also makes a distinction between "user"
> and "machine" or "network" entities where "machine" and "network" entities
> are not members of the "system:authuser" or "system:authuser@foreign"
> groups. This distinction is not apparent from the output of "pts
> membership" because of the exclusion of implicit groups.
>
> AuriStor is considering a change to "pts membership" output to include
> implicit memberships in the output of "pts membership". With this change the
> output of these commands
>
>   $ pts membership anonymous
>   Groups anonymous (id: 32766) is a member of:
>
>   $ pts membership testuser
>   Groups anonymous (id: 112) is a member of:
>
>   $ pts membership testuser@foreign
>   Groups anonymous (id: 43282) is a member of:
>     system:authuser@foreign
>
> becomes
>
>   $ pts membership anonymous
>   Groups anonymous (id: 32766) is a member of:
>     system:anyuser
>
>   $ pts membership testuser
>   Groups anonymous (id: 112) is a member of:
>     system:anyuser
>     system:authuser
>
>   $ pts membership testuser@foreign
>   Groups anonymous (id: 43282) is a member of:
>     system:authuser@foreign
>     system:anyuser
>
> The question for cell admins is whether anyone is aware of any internal
> scripts which process the output of "pts membership" which will break as a
> result of the inclusion of the implicit groups "system:anyuser" and
> "system:authuser" in output.
>
> Your assistance is appreciated.
>
> Jeffrey Altman
> AuriStor, Inc.
>



-- 
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
botsch@cnf.cornell.edu
********************************
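As an added illustration (not code from either poster), here is how a deprovisioning script of the kind Dave describes could parse "pts membership" output and skip the implicit groups before issuing removals, so it works with both the current and the proposed output. The IMPLICIT_GROUPS set, the sample output and the site group "cnf:staff" are assumptions made for this example.

```python
import re

# Groups the thread describes as having implicit membership lists; a
# deprovisioning script must not issue "pts removeuser" against them.
# (Assumed set, taken from the discussion above; realm-suffixed
# system:authuser@<realm> groups are explicit and are kept.)
IMPLICIT_GROUPS = frozenset({"system:anyuser", "system:authuser"})

# Header line as shown in the thread: "Groups <name> (id: <n>) is a member of:"
HEADER_RE = re.compile(r"^Groups (\S+) \(id: (-?\d+)\) is a member of:$")

def parse_membership(output):
    """Return (entry_name, entry_id, groups) from `pts membership` output.
    Handles both the current (explicit-only) and proposed (explicit plus
    implicit) output, since only the group lines differ."""
    lines = [ln.rstrip() for ln in output.strip().splitlines()]
    if not lines:
        raise ValueError("empty pts membership output")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError("unrecognised header line: %r" % lines[0])
    # Group lines are indented; an entry with no groups has only the header.
    groups = [ln.strip() for ln in lines[1:] if ln.strip()]
    return m.group(1), int(m.group(2)), groups

def explicit_groups(groups):
    """Keep only groups a user can actually be removed from."""
    return [g for g in groups if g not in IMPLICIT_GROUPS]

def removal_commands(output):
    """The `pts removeuser` commands a deprovisioning run should issue."""
    name, _, groups = parse_membership(output)
    return ["pts removeuser %s %s" % (name, g) for g in explicit_groups(groups)]

# Constructed samples: the proposed new format for a foreign user who is also
# in a site-defined group, and the current format for a local user.
SAMPLE_NEW = """\
Groups testuser@foreign (id: 43282) is a member of:
  system:authuser@foreign
  system:anyuser
  cnf:staff
"""
SAMPLE_OLD = """\
Groups testuser (id: 112) is a member of:
  cnf:staff
"""

if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_NEW):
        print(cmd)
```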