Hi Afs'ers,
I have a problem related to delegating privileges to a user on a
single file-server. That user only belongs to the UserList on that
file-server and doesn't belong to the system:administrators group.
That user can create and mount the volume(s) but can't access it
because the just mounted volume/directory is owned by root, and the
default acl is system:administrator all.
--
The situation is as follows: there is an ftpadmin user to whom I am trying to
delegate the autonomy to admin his fileserver. He must create, delete,
mount and umount lots of volumes, and I want him to do it without any
action from me. Also he should be able to modify the ACL of the just-mounted
directories, so he can give access to the appropriate persons.
I'll describe the situation with commands and lead you to the
unwanted situation, which is that ftpadmin can create and mount the volume
but can't access it because 1) he doesn't own the just-mounted
directory and 2) the default ACL doesn't give him access. I'd like to
avoid this situation, and my question is: how?
Note it is an AFS 3.2 cell.
starting...
ftpadmin doesn't belong to system:administrators
[EMAIL PROTECTED][tmp]#21 pts memb ftpadmin
Groups ftpadmin (id: 20500) is a member of:
ftp:administrators
It has all rights in the . directory (/afs/in/users/softman/hac/tmp)
[EMAIL PROTECTED][tmp]#19 fs la .
Access list for . is
Normal rights:
hac rlidwka
ftpadmin rlidwka
I'll add ftpadmin to UserList on trakina
[EMAIL PROTECTED][tmp]#25 bos addu trakina ftpadmin
[EMAIL PROTECTED][tmp]#26 bos listu trakina
SUsers are: admin hac [...] ftpadmin
Now I will become ftpadmin
[EMAIL PROTECTED][tmp]#27 klog ftpadmin
Password:
[EMAIL PROTECTED][tmp]#28 tokens
User's (AFS ID 20500) tokens for [EMAIL PROTECTED] [Expires Oct 25 21:00]
Now I can create a volume in trakina partition b
[EMAIL PROTECTED][tmp]#29 vos create trakina b ftpadmin.test10 -v
Volume ftpadmin.test10 536874226 created and brought online
Created the VLDB entry for the volume ftpadmin.test10 536874226
Volume 536874226 created on partition /vicepb of trakina
Now I will mount it.
[EMAIL PROTECTED][tmp]#30 fs mkm test10 ftpadmin.test10
No problem here.
But if I do an ls -l on test10 directory...
[EMAIL PROTECTED][tmp]#32 ls -l test10
test10 not found
also if I try to change the ACL...
[EMAIL PROTECTED][tmp]#33 fs sa test10 ftpadmin all
fs: You don't have the required access rights on 'test10'
because...
(now with hac's tokens; hac belongs to the system:administrators group)
[EMAIL PROTECTED][tmp]#6 ls -dl test10
drwxrwxrwx 2 root 2048 Oct 24 19:36 test10
QUESTION 1: Why is test10 owned by root? If it were owned by the one who
created the mount point, then the implicit rights would
solve the problem.
and...
(again with hac's token)
[EMAIL PROTECTED][tmp]#13 fs la test10
Access list for test10 is
Normal rights:
system:administrators rlidwka
QUESTION 2: Why is the initial ACL of the volume's root directory
"system:administrators all"? If it were also "ftpadmin
all", the problem would also be solved.
Got the picture?
Now one more question would be whether it is necessary for ftpadmin to be in
the UserList of the sync site, because here at inesc.pt my experience
leads me to the conclusion that ftpadmin should also be in archie's
UserList (archie has the lowest IP address of the database servers).
[EMAIL PROTECTED][tmp]#34 bos listu archie
SUsers are: admin hac [...] ftpadmin
If it isn't there, I cannot create any volume on trakina, even if
ftpadmin is on trakina's UserList.
Is it a cell setup problem, or normal AFS behavior?
Thanks in advance,
--
Hugo Andrade Cartaxeiro : INESC, Lisboa, Portugal. email: [EMAIL PROTECTED]
Tel: +351-1 310 02 49 Fax: +351-1 52 58 43
This .sig was made w/ 94% recycled pixels. Please help our environment!
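An added check, not part of Hugo's post or of AFS itself: a small Python script that parses the `fs la` and `pts membership` output formats shown in the transcript and applies the AFS ACL rule (union of the positive entries matching the user, its groups and the implicit system:anyuser/system:authuser, minus any matching negative entries) to tell whether a user holds the 'a' right needed for `fs sa`. The sample outputs are constructed from the transcript and assume the user holds tokens; run against them, it reproduces the failure: ftpadmin has all rights on the parent directory but none on the test10 volume root, whose ACL names only system:administrators, a group ftpadmin is not in.

```python
# Constructed sample: `fs la test10`, as seen in the post with administrator tokens.
FS_LA_TEST10 = """Access list for test10 is
Normal rights:
  system:administrators rlidwka
"""
# Constructed sample: `fs la .` on the parent directory holding the mount point.
FS_LA_PARENT = """Access list for . is
Normal rights:
  hac rlidwka
  ftpadmin rlidwka
"""
# Constructed sample: `pts membership ftpadmin`.
PTS_MEMB_FTPADMIN = """Groups ftpadmin (id: 20500) is a member of:
  ftp:administrators
"""

def parse_fs_la(text):
    """Split `fs la` output into ({entry: rights}, {entry: rights}) for the
    Normal rights and Negative rights sections; rights are single letters."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            current = normal
        elif line.startswith("Negative rights"):
            current = negative
        elif current is not None and line:
            name, rights = line.split()
            current[name] = set(rights)
    return normal, negative

def parse_pts_membership(text):
    """Return the groups listed below the header line of `pts membership`."""
    return {l.strip() for l in text.splitlines()[1:] if l.strip()}

def effective_rights(user, groups, fs_la_text):
    """AFS rule: union of positive entries matching the user, its groups and the
    implicit system:anyuser/system:authuser (assumes the user holds tokens),
    minus the union of matching negative entries."""
    normal, negative = parse_fs_la(fs_la_text)
    principals = {user, "system:anyuser", "system:authuser"} | set(groups)
    granted = set().union(*(normal.get(p, set()) for p in principals))
    denied = set().union(*(negative.get(p, set()) for p in principals))
    return granted - denied

def can_administer(user, groups, fs_la_text):
    """True if the user may run `fs setacl` there, i.e. holds the 'a' right."""
    return "a" in effective_rights(user, groups, fs_la_text)
```

Calling `can_administer("ftpadmin", parse_pts_membership(PTS_MEMB_FTPADMIN), FS_LA_TEST10)` returns False, while the same call against FS_LA_PARENT returns True.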