Andrew,

Thanks for the explanation.

The use case I was thinking of is exactly what you mention: revoking
someone's rights by removing them from a group. Right or wrong, users'
expectations seem to be "I removed a user from a group, s/he is immediately
denied access to the affected directories."

Being able to tell the user "changes to groups may take 1 (or 2 or
whatever) hours to take effect" is a reasonable compromise, but I'm not
sure 24 (or more) hours for tokens to expire is.

What's the 1.6.6 command to recalculate user CPSes, just for my
edification?

Cheers,
Stephen

On Fri, 30 Aug 2013, Andrew Deason wrote:

> On Fri, 30 Aug 2013 09:16:02 -0400 (EDT)
> [email protected] wrote:
>
> > I don't see an obvious positive answer to this, but is there any way
> > to change the duration of the fileserver's CPS for users?
>
> No. There is no frequency/duration to change, since we do not touch the
> client CPS after the connection has been established.
>
> For anyone reading that doesn't know what "CPS" means, look up "Current
> Protection Subdomain". It's basically the list of group ids a user is
> in, so you need to recalculate CPS to reflect a change in group
> membership.
>
> > It seems that the ability to shorten this from the token lifetime to a
> > shorter, but still reasonable value -- a few hours -- would be a good
> > idea, at least for fileservers and ptservers that aren't overloaded.
>
> I'm not sure why you want to do this. I believe the design behind this
> was to emulate standard unix group calculation; your groups are assigned
> when you login, and if you want group changes to take effect, you logout
> and login again. (or with AFS, you can just re-aklog)
>
> You can, of course, just lower the maximum token lifetime. Or, you can
> trigger it manually. You should be able to manually recalculate CPS in
> 1.6.6 by running a command, if you want to trigger it based on an event
> (e.g. revoking someone's rights).
>
> --
> Andrew Deason
> [email protected]
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info