Thank you for your very detailed explanation and for pointing out the existence of the fs getcalleraccess command!
Giovanni

On 17/05/20 18:53, Jeffrey E Altman wrote:
Hi Giovanni,

The cache manager doesn't know either the contents of the ACL or the PTS
group memberships.  The computation of a caller's access rights is
performed entirely by the fileserver.  The cache manager makes access
decisions based upon the access rights obtained from the fileserver in
the AFSFetchStatus structure.

If you have a token for the user you can obtain a good approximation of
the user's access rights by issuing the "fs getcalleraccess" (aka "fs
gca") command.  This command will return the access rights returned from
the fileserver for the requested path.  However, this is an
approximation because the IBM AFS/OpenAFS fileservers only report the
explicit access rights in the AFSFetchStatus structure returned to the
cache manager.  There are also implicit rights granted to the file
owner, volume owner and members of the system:administrators group.

One difference in the AuriStorFS fileserver is that the AFSFetchStatus
structure reports the computed access rights including the implicit
rights.  This is important because if a cache manager makes a decision
about whether or not to issue an RPC based upon the cached access rights
for the user, the cache manager might deny a request that the fileserver
would in fact perform.

Operations that are permitted based upon implicit rights include
fetching and storing access control lists, listing the contents of
directories, fetching and storing status information.  Many of the
implicitly permitted operations are blocked when a UNIX cache manager
communicates with an OpenAFS fileserver because the permissions are not
advertised in the AFSFetchStatus structure.

To satisfy your request would require a new RXAFS RPC, something like

   RXAFS_FetchStatusAsUser(
   IN  AFSFid *Fid,
   IN  UserId  User,
   OUT AFSFetchStatus *OutStatus,
   OUT AFSCallBack *CallBack,
   OUT AFSVolSync *Sync)

which could be issued only by the file owner, volume owner or members of
the system:administrators group and then extend the

   fs getcalleraccess [-path <dir/file path>+]

command with a

   -nameorid <user or group name or id>

optional parameter.

I believe that the addition of this functionality is a good idea and
AuriStor will consider adding it to our August release.

Jeffrey Altman


On 5/17/2020 9:11 AM, Giovanni Bracco wrote:
Given an AFS directory and a userid, is there a direct way to understand
what the user's capabilities are, according to the directory ACL?

Of course one can prepare a script which reads the directory ACL and the
user's membership in PTS groups and makes a combined analysis to discover
if the user can, let's say, read the files in the directory, if any,
but I wonder if there is some OpenAFS command that provides the answer
directly, as of course the client has to know all that.

Giovanni


--
Giovanni Bracco
phone  +39 351 8804788
E-mail  giovanni.bra...@enea.it
WWW http://www.afs.enea.it/bracco
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
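
The script approach raised in the original question (combine the directory ACL with the user's PTS group memberships) can be sketched as follows. This is an added example, not code from either poster or from OpenAFS; the sample "fs listacl" and "pts membership" outputs are constructed, and the path, user and group names are hypothetical. It computes explicit rights only, so the implicit rights of the file owner, volume owner and system:administrators described in the reply are not included.

```python
# Added example: explicit AFS rights only; owner/administrator implicit rights are not modelled.
# Both sample outputs are constructed; paths, users and groups are hypothetical.
SAMPLE_LISTACL = """\
Access list for /afs/example.org/project is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  project:staff rlidwk
  alice rl
Negative rights:
  project:interns idwk
"""
SAMPLE_MEMBERSHIP = """\
Groups bob (id: 1042) is a member of:
  project:staff
  project:interns
"""

def parse_listacl(text):
    """Return (positive, negative): ACL entry name -> set of right letters."""
    positive, negative, current = {}, {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.strip() == "Normal rights:":
            current = positive
        elif line.strip() == "Negative rights:":
            current = negative
        elif current is not None and len(parts) == 2:
            current[parts[0]] = set(parts[1])
    return positive, negative

def parse_membership(text):
    """Group names follow the header line, one per indented line."""
    return {l.strip() for l in text.splitlines()[1:] if l.strip()}

def explicit_rights(user, groups, positive, negative, authenticated=True):
    """Union of matching positive entries minus union of matching negative ones."""
    principals = {user, "system:anyuser"} | set(groups)
    if authenticated:
        principals.add("system:authuser")  # any holder of a valid token
    granted = set().union(*(r for n, r in positive.items() if n in principals))
    denied = set().union(*(r for n, r in negative.items() if n in principals))
    return "".join(c for c in "rlidwka" if c in granted - denied)

if __name__ == "__main__":
    pos, neg = parse_listacl(SAMPLE_LISTACL)
    print("bob:", explicit_rights("bob", parse_membership(SAMPLE_MEMBERSHIP), pos, neg))
    print("alice:", explicit_rights("alice", set(), pos, neg))
```

When a token for the user is available, the result can be checked against what "fs getcalleraccess" reports for the same path.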
