Andrew Deason <adea...@sinenomine.net> writes: > That is, say you set some MAC or 'transitive ACL' or something on path > ./foo/dir in a volume. Anyone with the necessary rights can then just > move foo/dir out of the way, create a new foo/dir, and copy the data > from the old foo/dir.
If you are talking about my transitive ACLs proposal, then the new foo/dir is still subject to the transitive acl on foo/. > For a directory N levels deep in a volume, this either makes access > checks take O(N) time (checking all of the parents for transitive ACLs), > or makes mkdir operations take O(N) time and transitive setacl > operations take O(N^2) time (if we mark the transitive ACL on all > subdirectories). No, they can all be done in O(log N) by propagating the data up and down the tree on demand. If you want the gory details ask and I will explain how. >> fs sa /afs/@cell/web/ !system:authuser a -negative -transitive > This does not _quite_ do what we were aiming for, as this also prevents > 'a' access for foreign-cell users (but that may be good enough). Then create a supergroup containing system:authu...@realm for all realms known to this one. > '!(system:authuser || system:authu...@other.cell)' That's just a (complemented) supergroup. You get those for free. - a _______________________________________________ OpenAFS-devel mailing list OpenAFS-devel@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-devel
