Hello,

I am trying to make some effective use of machine groups in AFS to accommodate 
certain requirements of licensed software. I read about the feature, and noticed 
that in the 1998 edition of the book "Managing AFS, The Andrew File System" by 
Richard Campbell, the following text appears in Chapter 7, p. 230:

"...
There is one final quirk to the implementation: it's common for several 
top-level directories of the AFS namespace to be permitted only to 
system:authuser, that is, any user can access the rest of the namespace, but 
only if the user has been authenticated as a user, any user, of the current 
cell. Machine groups are intended to be useful for any person logged in to a 
workstation so that software licenses can be honestly followed. Therefore, when 
an unauthenticated user is using a machine that is a member of a group entry on 
an ACL, the user's implicit credential is elevated to system:authuser, but only 
if the machine entry in the group is an exact match, not a wildcard.

This rule permits any user of a given desktop to effectively have 
system:authuser credentials for a directory. As long as that directory has an 
ACL that includes the specific machine's IP address as a member of a group 
entry, any user of the desktop, and only that desktop, would have access to the 
directory. 
...
"

That is exactly what we have in the top-level directories in our cell: We have 
"system:authuser rl" on the ACL of root.cell. 

Access list for . is
Normal rights:
  system:administrators rlidwka
  system:authuser rl

Then, when I create a machine-based pts entry 10.12.8.31, add it to a new group 
named machinegrp, and wait for >2 hours to let it become effective (according to 
dafileserver's man page):

$ pts member machinegrp
Members of machinegrp (id: -250) are:
  10.12.8.31

I would expect that a local user on 10.12.8.31, even without an AFS token, 
would be able to "cd" into the top directory of the cell. But in reality that 
does not happen. An unauthenticated user is denied access. 

When I explicitly put "machinegrp rl" on the ACL of the cell's top directory 
(root.cell), an unauthenticated user is indeed able to access the AFS space. 

This is not quite convenient, because to allow the user of that specific 
machine to launch licensed software installed in a certain (deep) directory 
under AFS, for example /afs/cellname/tools/vendors/abc/softwarexx/bin, we would 
have to explicitly place "machinegrp l" on the ACL of the parent directories of 
./bin from /softwarexx all the way up to /cellname. 

Then, if we have another software package and another machine group, we will have to do 
the same again, and the ACL of our root.cell directory will soon be populated 
with machine group entries. That does not seem to be an elegant solution. 

Did I miss anything here? 

Thanks.

Best regards,
========================================
Ximeng (Simon) Guan, Ph.D.
Associate Principal Engineer
Royole Corporation
48025 Fremont Blvd, Fremont, CA 94538
========================================
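The per-ancestor ACL work described in the post, as an added example that is not part of the original message: a POSIX shell helper that prints the `fs setacl` commands granting a machine group lookup ("l") rights on every directory between /afs and the target, and "rl" on the target itself (the group name and path are the ones from the post; giving the leaf "rl" rather than only "l" is an assumption). It only prints the commands, so it runs without an AFS client; the output can be reviewed and then fed to a shell on a host with admin tokens.

```shell
#!/bin/sh
# Added example, not from the original post.
# Print the minimal fs setacl commands so that members of GROUP can traverse
# ("l" = lookup) every ancestor of TARGET below /afs and read ("rl") TARGET.
# Nothing is executed here; pipe the output to sh on an AFS client with
# admin tokens once it has been reviewed.
afs_ancestor_acls() {
    group="$1"   # e.g. machinegrp (the machine group from the post)
    target="$2"  # e.g. /afs/cellname/tools/vendors/abc/softwarexx/bin
    case "$target" in
        /afs/*) ;;
        *) echo "target must be an absolute path below /afs" >&2; return 1 ;;
    esac
    out=""
    dir="$target"
    # Walk upward until /afs; each level is prepended so output is top-down.
    while [ "$dir" != "/afs" ] && [ "$dir" != "/" ]; do
        if [ "$dir" = "$target" ]; then
            rights="rl"   # leaf: read is needed to run what is in bin
        else
            rights="l"    # ancestors: lookup only, nothing more
        fi
        line="fs setacl -dir $dir -acl $group $rights"
        if [ -z "$out" ]; then
            out="$line"
        else
            out="$line
$out"
        fi
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$out"
}

# Review-only run: shows the six commands for the directory named in the post.
afs_ancestor_acls machinegrp /afs/cellname/tools/vendors/abc/softwarexx/bin
```

Checking afterwards with `fs listacl` on each printed directory confirms that only "l" was granted above the leaf.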