On 6/4/2019 8:05 AM, Thossaporn (Pommm) Phetruphant wrote:
> Hi Everyone,
>
> I'm looking to implement IP based ACL and User Based ACL in my openAFS
> setup. The scenario I would like to have is:
>
> Joe has the right to access volume work1.
> Joe sits at a workstation with IP address 192.168.0.25.
> Joe also has a 2nd workstation with IP address 192.168.0.125.
> Management wants Joe to be able to access volume work1 only from the
> workstation with IP address 192.168.0.25.
>
> I currently know and have this setup on my openAFS:
> Joe is a member of work1
>
> $ pts membership work1
> Members of work1 (id: xxx) are:
> Joe
> Jane
> Jenny
> work1-ip-whitelist
>
> $ pts membership work1-ip-whitelist
> Members of work1-ip-whitelist (id: yyy) are:
> 192.168.0.25
>
> Danny, who is not assigned to work1, can use his account on workstation
> 192.168.0.25 to access the work1 volume. <- I don't want this.
>
> Is it possible to have an ACL that only allows user Joe from workstation IP
> address 192.168.0.25 to access but does not allow Danny?
> Basically, User based ACL "and" IP based ACL. Both need to be TRUE to
> authorize access.
The answer to your question is "no", it is not possible to perform multi-factor authorization in OpenAFS. OpenAFS neither implements a method of performing multi-factor (aka combined identity) authentication nor does it support an access control language that can be used to implement multi-factor rules.

It should be noted that IP ACLs do not provide any security at the network layer and are therefore vulnerable to spoofing.

The AuriStor File System preserves the /afs file namespace and is designed to support exactly the use case which you describe. Please read https://www.auristor.com/documentation/man/linux/7/auristorfs_acls.html

Migration to AuriStorFS from OpenAFS can be performed with zero flag days with a well tested incremental process. https://www.auristor.com/documentation/man/linux/7/auristor_migration.html

Please contact me with any questions you might have.

Jeffrey Altman
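The evaluation rule behind this answer, as an added example modelled on the thread (not code from the list or from OpenAFS): a simplified Python model of OpenAFS directory ACL evaluation, where a caller's rights are the union of the positive entries that match them minus the union of matching negative entries, and an IP address in a pts group makes that group match any caller connecting from that address. It assumes the IP whitelist group is placed on the ACL as its own entry; the users, groups, addresses and rights strings are constructed from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed pts database modelled on the thread: each group is a flat set of
# members; an IP address or CIDR listed as a member is an OpenAFS "IP ACL entry".
PTS_GROUPS = {
    "work1": {"Joe", "Jane", "Jenny"},
    "work1-ip-whitelist": {"192.168.0.25"},
}

# Constructed ACL for the work1 volume root (OpenAFS rights letters rlidwka).
WORK1_ACL = {
    "positive": {"work1": "rlidwk", "work1-ip-whitelist": "rlidwk"},
    "negative": {},
}


def _is_ip_entry(member: str) -> bool:
    try:
        ip_network(member, strict=False)
        return True
    except ValueError:
        return False


def matching_entries(user: str, client_ip: str, groups=PTS_GROUPS) -> set:
    """Names (users/groups) on an ACL that apply to this user coming from this host."""
    addr = ip_address(client_ip)
    matched = {user, "system:anyuser"}
    for group, members in groups.items():
        if user in members:
            matched.add(group)
        # An IP entry grants the group's rights to anyone arriving from that host,
        # regardless of which user they are: this is why Danny gets in.
        if any(_is_ip_entry(m) and addr in ip_network(m, strict=False) for m in members):
            matched.add(group)
    return matched


def effective_rights(user: str, client_ip: str, acl=WORK1_ACL) -> str:
    """Union of matching positive rights minus union of matching negative rights."""
    names = matching_entries(user, client_ip)
    granted = set().union(*(set(r) for n, r in acl["positive"].items() if n in names))
    denied = set().union(*(set(r) for n, r in acl["negative"].items() if n in names))
    return "".join(c for c in "rlidwka" if c in granted - denied)


if __name__ == "__main__":
    for who, host in [("Joe", "192.168.0.25"), ("Joe", "192.168.0.125"), ("Danny", "192.168.0.25")]:
        print(f"{who:6} from {host:14} -> rights {effective_rights(who, host) or '(none)'}")
```

Because entries are combined by union, every ACL that lets Joe in from 192.168.0.25 also lets him in from 192.168.0.125 or lets Danny in from 192.168.0.25; no arrangement of entries yields the "user AND host" conjunction the question asks for.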
