Andrew Deason wrote:
> On Thu, 12 Nov 2009 11:47:12 -0500
> Michael Meffie <mmef...@sinenomine.net> wrote:
>
> > Andrew Deason wrote:
> > > While this could be helpful, this doesn't solve the problem for the
> > > various system:authuser groups or host groups.
> >
> > Can you expand on that a bit? What is the problem with the host ip
> > groups? As far as I can see the host rights would still be honored
> > even if we had negative rights for the anonymous user.
>
> Yes, but what if you want to prevent people assigning rlidwka rights to
> a very big host group, e.g. 18.0.0.0? I suppose maybe calling it a
> "problem" is a bit much; I just meant a missing feature.

Ok, I see your point there, you mean to control the
creating of host ip groups and the acls for those. Yes,
but that seems to be a different issue I think.

> > What are the issues with system:authuser groups that I'm not
> > seeing?
>
> In the format I was using... "How do I prevent people from giving
> system:authuser write/admin access?" You don't want to give a
> volume-wide negative ACL for system:authuser idwa, as that prevents any
> authenticated user from write/admin access. We don't have an entry
> analogous to the 'anonymous' user for this case, because... well, the
> accessing users aren't anonymous.
>
> It seems to me that restricting system:authuser would be less common
> than anyuser/anonymous, but it still could be useful; and we have other
> methods that cover the use case.

I'm failing to see a use case here. Anyone on this list have a
concrete example?

Mike --