I second the inclusion of an explicit way of requesting one behavior or the other. As long as I have a way to explicitly specify both behaviors working around the change in anything that wraps the pts command should be simple enough.
I think I prefer the new behavior you are suggesting as the default. Thank you, Ed On Wed, Jul 13, 2022 at 10:08 Dave Botsch <bot...@cnf.cornell.edu> wrote: > I suspect our user deprovisioning scripts would break by trying to > explicitly remove users from those groups. Though would be easy enough > to fix. And I'm in favor of having this extra output. > > Two questions/thoughts would be: > > 1) If this is a "backwards-incompatible" change (is it?) should it be > reserved for the next major version upgrade (2.0) ? > > 2) Use of a flag to pts membership to include (or not include) explicit > and implicit membership, as I might very well want to filter the > output... the question then becomes which way should be the "default"? > > thanks. > > On Wed, Jul 13, 2022 at 09:49:29AM -0400, Jeffrey E Altman wrote: > > The Protection Service groups fall into two categories. Those with > > explicit membership lists and those with implicit membership lists. For > > example, the "system:anyuser" and "system:authuser" groups are implicit > > whereas "system:administrators", "system:ptsviewers", and > > "system:authuser@foreign-realm" groups are explicit. > > > > The output of "pts membership" only includes memberships in explicit > > membership groups. This has a negative impact inexperienced end users > that > > might be unaware that they are members of the "system:anyuser" and > > "system:authuser" groups. This behavior also leads to an inconsistency > > between the behavior for foreign and local users because foreign users > are > > not members of "system:authuser" and are members of > > "system:authuser@foreign" which is included in the membership list > because > > that group has an explicit membership list. > > > > The AuriStorFS Protection service also makes a distinction between > "user" > > and "machine" or "network" entities where "machine" and "network" > entities > > are not members of the "system:authuser" or "system:authuser@foreign" > > groups. This distinction is not apparent from the output of "pts > > membership" because of the exclusion of implicit groups. > > > > AuriStor is considering a change to "pts membership" output to include > > implicit memberships in the output of "pts membership". With this change > the > > output of these commands > > > > $ pts membership anonymous > > Groups anonymous (id: 32766) is a member of: > > > > $ pts membership testuser > > Groups anonymous (id: 112) is a member of: > > > > $ pts membership testuser@foreign > > Groups anonymous (id: 43282) is a member of: > > system:authuser@foreign > > > > becomes > > > > $ pts membership anonymous > > Groups anonymous (id: 32766) is a member of: > > system:anyuser > > > > $ pts membership testuser > > Groups anonymous (id: 112) is a member of: > > system:anyuser > > system:authuser > > > > $ pts membership testuser@foreign > > Groups anonymous (id: 43282) is a member of: > > system:authuser@foreign > > system:anyuser > > > > The question for cell admins is whether anyone is aware of any internal > > scripts which process the output of "pts membership" which will break as > a > > result of the inclusion of the implicit groups "system:anyuser" and > > "system:authuser" in output. > > > > Your assistance is appreciated. > > > > Jeffrey Altman > > AuriStor, Inc. > > > > > > -- > ******************************** > David William Botsch > Programmer/Analyst > @CornellCNF > bot...@cnf.cornell.edu > ******************************** > _______________________________________________ > OpenAFS-info mailing list > OpenAFS-info@openafs.org > https://lists.openafs.org/mailman/listinfo/openafs-info > -- Edward A. Rude Systems Administrator - Unix Systems Division of Information Technology
