[06:38:49] --- Roman Mitz has become available
[07:19:12] --- deason has become available
[07:31:17] --- cudave has left: Disconnected
[07:31:37] --- cudave has become available
[07:38:03] --- jaltman/FrogsLeap has left
[08:25:39] --- jaltman/FrogsLeap has become available
[08:26:34] phalenor: for your afs-control (remctl), which entities are permitted to "release" and "backup" a volume?
[08:27:29] is the authz group a 1-to-1 mapping with those that have admin rights on the volume? or perhaps 'owner' and system:administrators?
[08:31:49] --- Derrick Brashear has left
[08:49:23] --- phalenor2 has become available
[08:50:00] Weird, I can't join as "phalenor"
[08:51:34] jaltman/FrogsLeap: I hacked afs-backend to do an ldap lookup based on the operation being performed and the name of the volume being acted on. remctld allows anyone authenticated to run those sub-commands for afs-backend, so afs-backend itself is doing all the authZ
[08:53:23] And then we have a line like this in the afs-backend ACL file:
[08:53:48] ALL .+ cn=afs-backend/$volume/$operation,ou=group,dc=bx,dc=psu,dc=edu
[08:54:41] what I am asking is who are the class of users that you want to have access to those functions?
[08:55:41] I personally believe that there should exist an "fs backup" command to permit the owner of the volume to create a .backup. "fs release" could be the same for .readonly snapshots.
[08:56:15] well, for backup, just the principal that our tsm backup script runs as. For release, usually either maintainers of software we have stored in afs (one volume per software package), or for editors of certain websites
[08:56:48] are those individuals members of a group that own the volume?
[08:57:17] They are members of an LDAP group (and therefore a pts group as well)
[08:57:41] do they map to the owners of the volume?
[08:58:41] Not sure that I understand what you mean by owners of a volume.
[08:58:45] I'm trying to understand if the authorization decisions you made could be implemented based upon the volume root directory ACLs
[08:58:53] ohhhh
[08:59:16] if the 'chown' of the volume root has 'admin'
[09:00:16] Hmm, I suppose that's probably the case in some circumstances, but for the case of web volumes, we usually have a web/ group that has rlidwk on the entire volume, but no 'a' so they can't break acls.
[09:13:38] --- phalenor2 has left
[09:26:18] --- phalenor2 has become available
[09:34:31] --- phalenor2 has left
[09:44:26] --- dev-zero@jabber.org has left
[10:36:20] --- Derrick Brashear has become available
[12:07:26] --- Derrick Brashear has left
[12:22:11] --- Derrick Brashear has become available
[12:31:48] --- dev-zero@jabber.org has become available
[12:32:28] --- dev-zero@jabber.org has left
[12:32:28] --- dev-zero@jabber.org has become available
[12:39:33] --- jaltman has become available
[12:51:26] --- jaltman/FrogsLeap has left: Replaced by new connection
[12:51:28] --- jaltman/FrogsLeap has become available
[12:53:53] --- jaltman/FrogsLeap has left: Disconnected
[12:58:31] --- jaltman/FrogsLeap has become available
[13:31:59] --- dev-zero@jabber.org has left
[13:32:51] --- Roman Mitz has left
[14:40:29] --- jaltman has left: Disconnected
[15:08:42] --- deason has left
[22:00:09] --- dev-zero@jabber.org has become available
[22:01:10] --- CUDaveB has become available
[22:01:22] --- CUDaveB has left: Disconnected
[22:09:35] --- dev-zero@jabber.org has left
[23:55:37] --- dev-zero@jabber.org has become available
[23:56:36] --- dev-zero@jabber.org has left
[23:56:38] --- dev-zero@jabber.org has become available