Only that the output of system:authuser would be confusingly long, and what 
would system:anyuser generate anyway? We also have scripts for 'show me 
everyone who has access to this entity', which gets complicated with nested 
groups, and I couldn't figure out what to display for 'everyone'. It would be 
valid to ignore named users in the ACL and just say 'everyone' in that case.

Tangentially related, we use a wrapper to list AFS groups, which looks up a few 
bits of useful information about each member besides their AFS username.  This 
is very user-friendly, but means lots of LDAP lookups and would take forever on 
the full output of system:authuser.

I didn't know about pts delete automatically removing from groups - that does 
remove my only real use case for relying on the output of pts membership in 
decommissioning.

Richard

On 2022-07-15, 09:04, "Jeffrey E Altman" <jalt...@auristor.com> wrote:

    On 7/13/2022 6:07 PM, Richard Brittain (richard.britt...@dartmouth.edu) 
    wrote:
    > I hope that doesn't lead people to expect 'pts membership 
    > system:authuser' to show all users.
    >
    > Richard

    I'm curious.  Why would it be wrong for users to expect 'pts membership 
    system:authuser' and 'pts membership system:anyuser' to list their 
    membership assuming the caller had the necessary access rights?  My 
    primary objection to the existing behavior is that these groups are 
    special and end users / administrators must understand that they are 
    special.   If an authorized user can obtain the membership list from 
    'pts membership system:authuser@foreign' why shouldn't the same be true 
    for 'system:authuser'?   If the concern is the cost of generating the 
    result set, it's no more expensive than executing 'pts listentries'.

    In a private response to my original message someone wrote that their 
    cell uses the output of 'pts membership' to generate the list of 
    entities that have access to a file object given the assigned ACL.  This 
    is a perfectly reasonable action to expect to work.  However, the 
    generated list will be incomplete when 'pts membership system:anyuser' 
    and 'pts membership system:authuser' succeed while at the same time 
    generating empty output.

    Jeffrey Altman
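The 'who has access to this entity' script that both messages discuss, written out as an added example (not code from this thread, from Dartmouth or from OpenAFS). It parses the text format of 'fs listacl', expands groups recursively so nested groups are handled, and treats system:anyuser and system:authuser (including the @foreign form) as blanket entries to be reported as 'everyone' rather than as groups to enumerate with 'pts membership', since that command returns nothing for them. The ACL text and the membership table are constructed sample data standing in for 'fs listacl' and 'pts membership' output.

```python
"""Expand an AFS ACL into the set of users holding a given right.

Added example for the discussion above. Assumptions: the 'fs listacl' text
layout shown in SAMPLE_ACL, AFS's rule that group names contain a colon and
user names do not, and that negative rights are subtracted from the rights
accumulated from the positive entries.
"""

RIGHTS = "rlidwka"  # the seven AFS directory rights

# Constructed sample: what 'fs listacl /afs/example.org/project' prints.
SAMPLE_ACL = """Access list for /afs/example.org/project is
Normal rights:
  system:administrators rlidwka
  system:authuser rl
  richard rlidwka
  proj:staff rlidwk
Negative rights:
  proj:contractors w
"""

# Constructed stand-in for 'pts membership <group>' output, one nested group.
SAMPLE_GROUPS = {
    "proj:staff": ["alice", "bob", "proj:contractors"],
    "proj:contractors": ["carol"],
    "system:administrators": ["admin"],
}


def is_blanket(name):
    """system:anyuser / system:authuser, local or @foreign: not enumerable."""
    base = name.split("@", 1)[0]
    return base in ("system:anyuser", "system:authuser")


def is_group(name):
    return ":" in name


def parse_listacl(text):
    """Return (normal, negative): two dicts of principal -> set of rights."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            current = normal
        elif line.startswith("Negative rights"):
            current = negative
        elif current is not None and line:
            principal, rights = line.split()
            current[principal] = set(rights) & set(RIGHTS)
    return normal, negative


def expand(name, groups, seen=None):
    """Recursively resolve a principal to user names; 'seen' breaks cycles."""
    seen = set() if seen is None else seen
    if not is_group(name):
        return {name}
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, []):
        users |= expand(member, groups, seen)
    return users


def who_has(acl_text, groups, needed="r"):
    """Return (blanket, users): blanket names the 'everyone' entry granting
    the needed rights, if any; users is the set of named users holding them
    after negative entries are applied."""
    needed = set(needed)
    normal, negative = parse_listacl(acl_text)
    blanket, granted, denied_all = None, {}, set()
    for principal, rights in normal.items():
        if is_blanket(principal):
            if needed <= rights:
                blanket = principal  # report as 'everyone', do not enumerate
            continue
        for user in expand(principal, groups):
            granted.setdefault(user, set()).update(rights)
    denied = {}
    for principal, rights in negative.items():
        if is_blanket(principal):
            denied_all |= rights  # a negative blanket entry hits every user
            continue
        for user in expand(principal, groups):
            denied.setdefault(user, set()).update(rights)
    users = {u for u, r in granted.items()
             if needed <= (r - denied.get(u, set()) - denied_all)}
    return blanket, users


if __name__ == "__main__":
    blanket, users = who_has(SAMPLE_ACL, SAMPLE_GROUPS, "r")
    print("everyone" if blanket else "named users only", sorted(users))
```

With the sample data, asking for read access reports 'everyone' (from system:authuser) plus the five named users, while asking for write access reports no blanket entry and drops carol, whose write right is removed by the negative entry on proj:contractors even though she inherits rlidwk through the nested group.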

