On Sep 16, 10:59pm, Marcus Watts wrote:
> Subject: Re: AFS administration "wrapper"
> Brian writes:
> > Date: Mon, 16 Sep 1996 18:51:46 -0400 (EDT)
> > From: "Brian W. Spolarich" <[EMAIL PROTECTED]>
> > Reply-To: "Brian W. Spolarich" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: AFS administration "wrapper"
> >
> >
> > I've heard mention of a tool that will enable cell admins to securely
> > delegate cell administration privileges to sets of users. For example, I
> > might have group volumes that have read-only replicas, and I want the
> > users who manage those volumes to be able to "vos release" them on demand
> > without having them be in system:administrators.
> >
> > I've grabbed EMT (Environment Maintenance Tool) from
> > andrew2.andrew.cmu.edu, which looks like it might be the thing, but it
> > looks pretty andrew-specific. It wants depot, the ADM server, and other
> > stuff which I don't necessarily need.
> >
> > Have I found what I'm looking for? If not, does anyone know where I
> > might find such a tool?
>
> You probably actually want ADM not EMT. So far as I recall,
> EMT uses ADM to do vos releases. ADM is essentially a secure
> scheme interpreter that you program with your policy, in scheme.
> ADM provides, as scheme primitives, the various AFS RPCs, so your
> policy code can then invoke the appropriate function as needed.
> The last I recall, it didn't quite look like the ADM people had
> caught up with the latest AFS 3.x release. That was a long
> time ago however (pre AFS 3.3a), so hopefully it's no longer true.
>
> Another potential tool is "sysctl", from IBM. Michael Fagan
> <[EMAIL PROTECTED]> is probably the person to ask about this,
> as I think he was involved with the development of this.
> I remember he was very friendly, but I understand he's since
> left IBM.
>
> Since you mention "vos release", there could be some special problems
> here. A lot depends on whether ADM tries to invoke the logic
> in libvolser, or what. I don't know what ADM does specifically today,
> but I know that I have had a lot of problems implementing a "vos release"
> mechanism in long-living server code, for the home directory server
> code ("hdserver") which we use at the University of Michigan to manage
> the creation of and changes to individual home directories.
Couldn't you create a proxy service to perform various AFS admin services? For
example, a client, johndoe, issues:
% release gnu.gcc
which queries an afsadmind (proxy daemon) for "vos rel gnu.gcc". afsadmind
then looks up its database (dbm, msql, ...) to check whether johndoe has the
admin right to volume gnu.gcc and takes appropriate actions. afsadmind could
fire up a shell script to do vos rel and such (the machine IP, where afsadmind
resides, should be in the administrator group). This way you don't have to deal
with the various AFS libraries and versions. The database should be ro for
everyone and rw for the cell admin. Anyway, that's the general idea.
--
_____________________________________________________________________
Phi H. Truong "some cool quote goes here!"
Sys Admin
[EMAIL PROTECTED] Norwest Mortgage Inc., TSM
_____________________________________________________________________
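
The authorization step of the proxy design described in the reply above, as an added example (not code from this thread or from any AFS tool). The function names, the `SAMPLE_ACL` contents and the volume-name pattern are assumptions, and the caller's identity is assumed to have been authenticated by the transport before the request reaches this code.

```python
import re

# Constructed sample ACL: volume name -> users allowed to release it.
# In the design above this lives in a database writable only by cell admins.
SAMPLE_ACL = {
    "gnu.gcc": {"johndoe", "alice"},
    "group.docs": {"alice"},
}

# Conservative volume-name check (assumption: letters, digits, '.', '_', '-',
# at most 22 characters, and never starting with '-' so it cannot be an option).
VOLUME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,21}")

# Only the operations the daemon is willing to proxy, mapped to vos subcommands.
ALLOWED_ACTIONS = {"release": "release"}


class Denied(Exception):
    """Request rejected; the message is suitable for the audit log."""


def build_command(user, action, volume, acl=SAMPLE_ACL):
    """Return the argv for an authorized request, or raise Denied.

    `user` must be an already authenticated identity (assumption), never a
    name the client merely supplied in the request body.
    """
    if action not in ALLOWED_ACTIONS:
        raise Denied(f"action {action!r} is not proxied")
    if not VOLUME_RE.fullmatch(volume):
        raise Denied(f"malformed volume name {volume!r}")
    if user not in acl.get(volume, set()):
        raise Denied(f"{user} may not {action} {volume}")
    # argv list, no shell: the volume name is never parsed as shell syntax.
    return ["vos", ALLOWED_ACTIONS[action], volume]


def handle(user, action, volume, acl=SAMPLE_ACL):
    """Decide one request and return (allowed, detail) for the audit log."""
    try:
        argv = build_command(user, action, volume, acl)
    except Denied as exc:
        return False, str(exc)
    # A real daemon would now run subprocess.run(argv, check=True).
    return True, " ".join(argv)
```

Passing the argv list straight to the process launcher, rather than through a shell script that interpolates the volume name, keeps a privileged daemon from executing anything other than the one allow-listed `vos` subcommand.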