Received: from minbar.fac.cs.cmu.edu (MINBAR.FAC.CS.CMU.EDU [128.2.185.161])
        by beryllium.club.cc.cmu.edu (8.8.5/8.8.5) with SMTP id AAA06517;
        Fri, 6 Nov 1998 00:56:33 -0500 (EST)
Date: Fri, 6 Nov 1998 00:56:31 -0500 (EST)
From: Jeffrey Hutzelman <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
Reply-To: Jeffrey Hutzelman <[EMAIL PROTECTED]>
Subject: Re: AFS administration utility?
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

> 
> Hello, info-afs members,
> 
> The College of Literature, Science and the Arts at the University of
> Michigan would like to find out if anyone using AFS is aware of software
> that will permit "distributed administration" of AFS.  AFS, out-of-the-box,
> allows all-or-nothing delegation of authority:  either someone has the
> authority to administer some aspect of AFS for the entire AFS cell or they
> do not have the ability to do it for any of the AFS cell.
> 
> We are looking for a solution that will let us delegate authority on a
> department-by-department basis so that we can, for example, give an
> administrator in the Department of Physics full rights to manipulate
> user accounts and AFS volumes, BUT only if they belong to Physics.  We
> would like to ensure that the AFS administrator in Physics cannot
> accidentally damage resources belonging to other departments, such as
> Economics or Mathematics.
> 
> We are aware of a package called ADM written at Carnegie Mellon University
> that will permit this.  The problem is that it does not appear to be
> developed or maintained anymore -- the version we have is 0.36 from August
> 1995.  Can anyone suggest alternatives?  We are prepared to write our own
> solution, but want to be sure that we are not re-inventing the wheel before
> we begin.
> 
> Thanks for any help you can provide.  If anyone is interested in a summary
> of what I find out, let me know and I will send you one or post one to
> the info-afs mailing list.

The kind of package you're looking for is often referred to as a
"privilege delegation" service - it allows you to delegate privileges
in a controlled manner, by requiring people to perform administrative
tasks by contacting a central service, and then giving all the real
power to that central service.  This topic comes up here from time
to time, and there are several such packages available.  The info-afs
FAQ probably contains a list of such tools (if not, it should...).

It probably doesn't get modified or updated much, but adm is still in
use here at CMU.  I can't really tell you much more than that, because
I work for the School of Computer Science, which has its own computing
facilities.  There are some people on this list from Computing Services,
however, and they can probably provide more details.

Several years ago, we decided that there were no good solutions, so we
started work on our own package, Jeeves, which handles a variety of
administrative tasks.  It's rather large and complicated, but it does
the job.  In particular, it handles delegating the ability to manipulate
AFS volumes to different individuals depending on what group "owns" a
volume, and does this even if multiple groups share a server or partition,
or if several kinds of volumes are allocated from a pool of partitions
without regard to who owns them.

Jeeves is likely not the right answer for most people - it's large and
complicated, requires someone with some knowledge of SML/NJ, and knows
things about the way we do things here that may not be appropriate for
you.  It knows how to administer Kerberos V5, but not V4 or kaservers
(though that would not be difficult to fix for someone with some knowledge
of C and the workings of the authentication service in question).
However, it looks like it might address some of the problems you've
described, so I felt I should mention it.  If you or anyone else is
interested in more information, contact me via private email and I'll
put you in contact with one of the Jeeves developer/maintainers.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

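A sketch of the authorization decision such a central delegation service makes, added here as an example and not code from Jeeves or ADM: the requester is checked against the group that owns the target volume, and the server or partition the volume sits on plays no part in the decision. All volume, server, partition, principal and action names below are constructed.

```python
"""Toy policy core for an AFS-style privilege delegation service (added example).

Administrators never hold cell-wide rights; they send requests to a central
service, which decides per volume whether the requester administers the owning
group and only then acts with its own credentials.  Default is deny.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: owning group, server and partition for each volume.
# Server/partition are recorded but deliberately ignored by the policy, since
# several departments may share one server or partition.
VOLUME_OWNER = {
    "user.alice":   ("physics",   "fs1", "/vicepa"),
    "user.bob":     ("economics", "fs1", "/vicepa"),
    "proj.lattice": ("physics",   "fs2", "/vicepb"),
    "proj.macro":   ("economics", "fs2", "/vicepb"),
}

# Constructed: which principals may administer which department's volumes.
GROUP_ADMINS = {
    "physics":     {"pat.admin"},
    "economics":   {"eve.admin"},
    "mathematics": {"mia.admin"},
}

@dataclass(frozen=True)
class Request:
    principal: str
    action: str                   # constructed action names, e.g. "vos.move"
    volume: str
    group: Optional[str] = None   # for "vos.create": group that will own the new volume

def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request the central service received."""
    if req.action == "vos.create":
        # Allocation from a shared pool: the requester must administer the
        # group the new volume is assigned to; which partition is chosen is irrelevant.
        if req.volume in VOLUME_OWNER:
            return False, f"{req.volume} already exists"
        if req.group is None:
            return False, "create requires an owning group"
        if req.principal in GROUP_ADMINS.get(req.group, set()):
            return True, f"{req.principal} administers {req.group}"
        return False, f"{req.principal} does not administer {req.group}"
    entry = VOLUME_OWNER.get(req.volume)
    if entry is None:
        return False, f"unknown volume {req.volume}"  # no rights for unregistered names
    owner, _server, _partition = entry
    if req.principal in GROUP_ADMINS.get(owner, set()):
        return True, f"{req.volume} is owned by {owner}, which {req.principal} administers"
    return False, f"{req.volume} is owned by {owner}; {req.principal} is not its administrator"
```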