Adam Megacz <[email protected]> writes:

> Andrew Deason <[email protected]> writes:
>> The explanation for the various methods now exists as an Internet
>> Draft, and can be found here:
>
> AFAIK, a volume is the unit of space management, while a directory is
> the unit of access management. [*]
>
> Solving the problem being discussed while retaining this distinction
> would involve:
>
> 1. Allowing transitive ACLs. Semantically, a transitive positive
> (negative) ACL has the same effect as if it were appended to the
> list of positive (negative) ACLs of every subdirectory.
>
> 2. Allowing for complement principals. Semantically, an ACL
> mentioning the complement of a pts group applies to all users who
> are not in that group.
>
> Then one can:
>
> fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
>
> That said, this is a huge amount of work to implement, and maybe even
> impossible to implement without creating incompatibilities.
>
> So perhaps a hack based on volume boundaries is the best compromise.
I don't think it would be possible to have a transitive ACL across a mountpoint boundary, because a volume can be mounted in multiple locations. However, I think it would be possible to create a transitive ACL *within* a volume. But of course it would require clients that understood the ACL to properly enforce it.

> - a
>
> [*] The only two exceptions I know of are the "implicit ACL"
>
> http://www.dementia.org/twiki/bin/view/AFSLore/UsageFAQ#2_21_What_meaning_do_the_owner_g
>
> and the fact that you can't revoke "l" permissions from the "parent
> directory" of the root directory of a volume.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[email protected] PGP key available

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://michigan-openafs-lists.central.org/mailman/listinfo/afs3-standardization
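A small model of the two proposals quoted above (transitive entries and complement principals), with inheritance stopped at a volume boundary as the reply argues, written as an added example; it is not code from this thread or from OpenAFS, and the directory tree, group membership and principal-matching rules are constructed assumptions.

```python
from dataclasses import dataclass

ORDER = "rlidwka"  # AFS rights letters, in the usual display order

@dataclass
class AclEntry:
    principal: str            # user, pts group, or "!group" (proposed complement principal)
    rights: str               # subset of "rlidwka"
    negative: bool = False    # entry on the negative list removes rights
    transitive: bool = False  # proposed: also applies to subdirectories in the same volume

@dataclass
class Directory:
    volume: str               # volume this directory lives in
    acl: list                 # list of AclEntry

def principal_matches(principal, user, groups):
    """groups maps pts group name -> set of members; 'anonymous' is unauthenticated (assumed)."""
    if principal.startswith("!"):                 # complement principal
        return not principal_matches(principal[1:], user, groups)
    if principal == "system:anyuser":
        return True
    if principal == "system:authuser":
        return user != "anonymous"
    return principal == user or user in groups.get(principal, set())

def effective_rights(dirs, path, user, groups):
    """dirs maps absolute path -> Directory. Transitive entries of ancestors are
    appended to this directory's ACL, but inheritance stops at a volume boundary,
    since a volume may be mounted in several places (the objection in the reply)."""
    target = dirs[path]
    entries = list(target.acl)
    parts = path.split("/")
    for i in range(len(parts) - 1, 0, -1):        # walk up the ancestors
        ancestor = dirs.get("/".join(parts[:i]))
        if ancestor is None:
            continue
        if ancestor.volume != target.volume:
            break                                 # mountpoint: do not cross
        entries += [e for e in ancestor.acl if e.transitive]
    granted, denied = set(), set()
    for e in entries:
        if principal_matches(e.principal, user, groups):
            (denied if e.negative else granted).update(e.rights)
    return "".join(sorted(granted - denied, key=ORDER.index))

# Constructed sample tree (not a real cell); "web.public" is a separate volume mounted under web/
GROUPS = {"webmasters": {"alice"}}
DIRS = {
    "/afs/example.org": Directory("root.cell", [AclEntry("system:anyuser", "rl")]),
    "/afs/example.org/web": Directory("web", [
        AclEntry("system:anyuser", "rl"), AclEntry("webmasters", "rlidwka"),
        AclEntry("!system:authuser", "a", negative=True, transitive=True)]),
    "/afs/example.org/web/docs": Directory("web", [AclEntry("system:anyuser", "rlidwka")]),
    "/afs/example.org/web/public": Directory("web.public", [AclEntry("system:anyuser", "rlidwka")]),
}
```

The over-broad grant in web/docs is clamped for unauthenticated users by the inherited negative entry, while the same grant in the separately mounted web/public volume is not reached by it.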
