Hi Giovanni,

The cache manager doesn't know either the contents of the ACL or the PTS group memberships. The computation of a caller's access rights is performed entirely by the fileserver. The cache manager makes access decisions based upon the access rights obtained from the fileserver in the AFSFetchStatus structure.
If you have a token for the user you can obtain a good approximation of the user's access rights by issuing the "fs getcalleraccess" (aka "fs gca") command. This command will return the access rights returned from the fileserver for the requested path. However, this is an approximation because the IBM AFS/OpenAFS fileservers only report the explicit access rights in the AFSFetchStatus structure returned to the cache manager. There are also implicit rights granted to the file owner, volume owner and members of the system:administrators group.

One difference in the AuriStorFS fileserver is that the AFSFetchStatus structure reports the computed access rights including the implicit rights. This is important because if a cache manager makes a decision about whether or not to issue an RPC based upon the cached access rights for the user, the cache manager might deny a request that the fileserver would in fact perform. Operations that are permitted based upon implicit rights include fetching and storing access control lists, listing the contents of directories, fetching and storing status information. Many of the implicitly permitted operations are blocked when a UNIX cache manager communicates with an OpenAFS fileserver because the permissions are not advertised in the AFSFetchStatus structure.

To satisfy your request would require a new RXAFS RPC, something like

    RXAFS_FetchStatusAsUser(IN AFSFid *Fid,
                            IN UserId User,
                            OUT AFSFetchStatus *OutStatus,
                            OUT AFSCallBack *CallBack,
                            OUT AFSVolSync *Sync)

which could be issued only by the file owner, volume owner or members of the system:administrators group, and then extend the

    fs getcalleraccess [-path <dir/file path>+]

command with a -nameorid <user or group name or id> optional parameter. I believe that the addition of this functionality is a good idea and AuriStor will consider adding it to our August release.
Jeffrey Altman

On 5/17/2020 9:11 AM, Giovanni Bracco wrote:
> Given an AFS directory and a userid, is there a direct way to understand
> what are the user capabilities, according to the directory ACL?
>
> Of course one can prepare a script which reads the directory ACL and the
> user membership to PTS groups and make a combined analysis to discover
> if the user can, let's say, read the files in the directory, if any,
> but I wonder if there is some OpenAFS command that provides directly
> the answer, as of course the client has to know all that...
>
> Giovanni
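The "combined analysis" Giovanni mentions (explicit ACL entries joined with PTS group membership), written out as an added example for this thread; it is not code from the thread, from OpenAFS or from AuriStorFS. It parses constructed `fs listacl` and `pts membership` output, applies the AFS rule that a principal's rights are the union of the matching positive entries minus the union of the matching negative entries (system:anyuser and system:authuser membership is implied), and, in line with Jeffrey's reply, only flags rather than computes the implicit rights the fileserver grants to owners and system:administrators members, since those never appear in the ACL. The `owners` argument is an assumption: the example does not itself discover who owns the directory or volume.

```python
"""Approximate a user's effective AFS rights on a directory from the explicit
ACL (fs listacl output) and the user's PTS group memberships (pts membership
output).  Example code for this thread, not part of OpenAFS or AuriStorFS.
All command output below is constructed sample data."""

# Standard AFS rights followed by the eight application bits.
RIGHT_LETTERS = "rlidwkaABCDEFGH"

# Constructed `fs listacl /afs/example.org/proj/docs` output.
SAMPLE_LISTACL = """\
Access list for /afs/example.org/proj/docs is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  staff rl
  system:anyuser l
Negative rights:
  contractors rl
"""

# Constructed `pts membership <user>` output for several users.
SAMPLE_MEMBERSHIP = {
    "alice": "Groups alice (id: 1234) is a member of:\n  staff\n",
    "bob":   "Groups bob (id: 1235) is a member of:\n  staff\n  contractors\n",
    "carol": "Groups carol (id: 1236) is a member of:\n  staff\n",
    "dave":  "Groups dave (id: 1240) is a member of:\n",
}


def parse_listacl(text):
    """Return (normal, negative): dicts mapping ACL entry name -> set of rights."""
    normal, negative, target = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Normal rights:"):
            target = normal
        elif line.startswith("Negative rights:"):
            target = negative
        elif target is not None and line:
            name, rights = line.split()
            target[name] = set(rights)
    return normal, negative


def parse_membership(text):
    """Return the set of group names; pts lists one indented group per line."""
    return {line.strip() for line in text.splitlines() if line[:1] in (" ", "\t")}


def effective_rights(user, groups, normal, negative, authenticated=True):
    """Union of positive entries matching the user or any of their groups,
    minus the union of matching negative entries (negatives override)."""
    principals = {user, "system:anyuser"} | set(groups)
    if authenticated:                    # any token holder in the cell
        principals.add("system:authuser")
    granted = set().union(*(r for n, r in normal.items() if n in principals))
    denied = set().union(*(r for n, r in negative.items() if n in principals))
    return granted - denied


def format_rights(rights):
    """Render a rights set in the canonical letter order, or 'none'."""
    return "".join(c for c in RIGHT_LETTERS if c in rights) or "none"


def approximate_access(user, listacl_output, membership_output,
                       owners=(), authenticated=True):
    """Return (rights_string, implicit_rights_possible).

    The second value is True when the fileserver may grant more than the
    ACL shows: the user is a listed owner or a system:administrators member.
    Which extra operations that covers is fileserver-specific and is not
    computed here (assumption: owners is supplied by the caller)."""
    normal, negative = parse_listacl(listacl_output)
    groups = parse_membership(membership_output)
    rights = effective_rights(user, groups, normal, negative, authenticated)
    implicit = user in owners or "system:administrators" in groups
    return format_rights(rights), implicit


if __name__ == "__main__":
    for user, membership in SAMPLE_MEMBERSHIP.items():
        rights, implicit = approximate_access(
            user, SAMPLE_LISTACL, membership, owners=("alice",))
        note = "  (owner/admin: fileserver may permit more)" if implicit else ""
        print(f"{user:6s} {rights}{note}")
```

Run it against real `fs listacl` and `pts membership` output for a quick answer to "can this user read here?"; when you also hold a token for the user, compare the result with `fs getcalleraccess` on the same path, remembering that on an OpenAFS fileserver neither figure includes the implicit owner and administrator rights.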