On Thu, 12 Nov 2009 11:47:12 -0500 Michael Meffie <[email protected]> wrote:
> Andrew Deason wrote:
> > While this could be helpful, this doesn't solve the problem for the
> > various system:authuser groups or host groups.
>
> Can you expand on that a bit? What is the problem with the host ip
> groups? As far as I can see the host rights would still be honored
> even if we had negative rights for the anonymous user.

Yes, but what if you want to prevent people assigning rlidwka rights to a
very big host group, e.g. 18.0.0.0? I suppose maybe calling it a "problem"
is a bit much; I just meant a missing feature.

> What are the issues with system:authuser groups that I'm not
> seeing?

In the format I was using... "How do I prevent people from giving
system:authuser write/admin access?" You don't want to give a
volume-wide negative ACL for system:authuser idwa, as that prevents any
authenticated user from write/admin access. We don't have an entry
analogous to the 'anonymous' user for this case, because... well, the
accessing users aren't anonymous.

It seems to me that restricting system:authuser would be less common
than anyuser/anonymous, but it still could be useful; and we have other
methods that cover the use case.

-- 
Andrew Deason
[email protected]
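
Added example, not part of the original message and not OpenAFS code: a simplified Python model of AFS ACL evaluation, assuming effective rights are the union of all matching positive entries minus the union of all matching negative entries. It shows why a negative system:authuser idwa entry also strips write/admin rights from the owner, while a negative anonymous entry leaves authenticated users untouched. The users alice and bob and the ACL contents are constructed.

```python
# Simplified model of AFS ACL evaluation (an assumption for illustration,
# not OpenAFS source): effective rights are the union of all matching
# positive entries minus the union of all matching negative entries.

def effective_rights(positive, negative, cps):
    """cps: the set of user and group names the caller currently belongs to."""
    granted = set()
    denied = set()
    for name, rights in positive.items():
        if name in cps:
            granted |= set(rights)
    for name, rights in negative.items():
        if name in cps:
            denied |= set(rights)
    # Emit rights in the conventional rlidwka order.
    return "".join(r for r in "rlidwka" if r in granted - denied)

# Constructed identities. Every caller is in system:anyuser; only
# authenticated callers are in system:authuser.
ALICE = {"alice", "system:anyuser", "system:authuser"}
BOB = {"bob", "system:anyuser", "system:authuser"}
ANON = {"anonymous", "system:anyuser"}

# Constructed ACL: alice owns the directory, anyone may read, and someone
# has granted system:authuser full rights (the case the thread wants to stop).
POSITIVE = {
    "alice": "rlidwka",
    "system:anyuser": "rl",
    "system:authuser": "rlidwka",
}

def demo():
    neg_anon = {"anonymous": "idwka"}       # negative entry for 'anonymous'
    neg_auth = {"system:authuser": "idwa"}  # negative entry for all authenticated users
    return {
        "anon, negative anonymous": effective_rights(POSITIVE, neg_anon, ANON),
        "bob, negative anonymous": effective_rights(POSITIVE, neg_anon, BOB),
        "bob, negative authuser": effective_rights(POSITIVE, neg_auth, BOB),
        "alice, negative authuser": effective_rights(POSITIVE, neg_auth, ALICE),
    }

if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case}: {rights or '(none)'}")
```
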
