Ditto - our deprovisioning scripts use pts membership output, and I expect this
is common. Filtering out system:anyuser etc. would be easy, but a flag to omit
those and revert to 'old behaviour' would be even better. I do like the
improved transparency of listing them though.
I hope that doesn't lead people to expect 'pts membership system:authuser' to
show all users.
Richard
On 7/13/22, 10:08 AM, "openafs-info-ad...@openafs.org on behalf of Dave
Botsch" <openafs-info-ad...@openafs.org on behalf of bot...@cnf.cornell.edu>
wrote:
I suspect our user deprovisioning scripts would break by trying to
explicitly remove users from those groups. Though would be easy enough
to fix. And I'm in favor of having this extra output.
Two questions/thoughts would be:
1) If this is a "backwards-incompatible" change (is it?) should it be
reserved for the next major version upgrade (2.0) ?
2) Use of a flag to pts membership to include (or not include) explicit
and implicit membership, as I might very well want to filter the
output... the question then becomes which way should be the "default"?
thanks.
On Wed, Jul 13, 2022 at 09:49:29AM -0400, Jeffrey E Altman wrote:
> The Protection Service groups fall into two categories. Those with
> explicit membership lists and those with implicit membership lists. For
> example, the "system:anyuser" and "system:authuser" groups are implicit
> whereas "system:administrators", "system:ptsviewers", and
> "system:authuser@foreign-realm" groups are explicit.
>
> The output of "pts membership" only includes memberships in explicit
> membership groups. This has a negative impact inexperienced end users
that
> might be unaware that they are members of the "system:anyuser" and
> "system:authuser" groups. This behavior also leads to an inconsistency
> between the behavior for foreign and local users because foreign users are
> not members of "system:authuser" and are members of
> "system:authuser@foreign" which is included in the membership list because
> that group has an explicit membership list.
>
> The AuriStorFS Protection service also makes a distinction between "user"
> and "machine" or "network" entities where "machine" and "network" entities
> are not members of the "system:authuser" or "system:authuser@foreign"
> groups. This distinction is not apparent from the output of "pts
> membership" because of the exclusion of implicit groups.
>
> AuriStor is considering a change to "pts membership" output to include
> implicit memberships in the output of "pts membership". With this change
the
> output of these commands
>
> $ pts membership anonymous
> Groups anonymous (id: 32766) is a member of:
>
> $ pts membership testuser
> Groups anonymous (id: 112) is a member of:
>
> $ pts membership testuser@foreign
> Groups anonymous (id: 43282) is a member of:
> system:authuser@foreign
>
> becomes
>
> $ pts membership anonymous
> Groups anonymous (id: 32766) is a member of:
> system:anyuser
>
> $ pts membership testuser
> Groups anonymous (id: 112) is a member of:
> system:anyuser
> system:authuser
>
> $ pts membership testuser@foreign
> Groups anonymous (id: 43282) is a member of:
> system:authuser@foreign
> system:anyuser
>
> The question for cell admins is whether anyone is aware of any internal
> scripts which process the output of "pts membership" which will break as a
> result of the inclusion of the implicit groups "system:anyuser" and
> "system:authuser" in output.
>
> Your assistance is appreciated.
>
> Jeffrey Altman
> AuriStor, Inc.
>
--
********************************
David William Botsch
Programmer/Analyst
@CornellCNF
bot...@cnf.cornell.edu
********************************
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
