Some new questions about Acl are pointed recently with the 5.2.4 patch and other questions about who is the owner of a created resource ( the one that own the pod, or the one that created the resource? )
Looking at Acl system on Posix, I saw that it is extending the filesystem authorizations where there are basically owner, group & user that set a first level of authorization. And Acl is used as a second layer (?) .
Perhaps could we clarify authorization if pod owner was set as a superuser with something like :
- pod owner is a superuser
- pod owner set basic rights to container/resource/groups/users, allow or not a user to register/revoke himself to a group
- pod owner can set quotas/number of files created by a user
- resource creator is the owner of that resource and can set authorization for that resource…
Atomic level
Those rules must also be applied at the triple/quad level : pod owner decide if a user who added a triple in a ttl resource can or not modify/delete that triple…
So:
- 3 differents levels : container/resource/triple
- 3 levels of authorization :
_ superuser
_ like a filesystem (owner /group/user)
_ resource creator/Acl
That is just some ideas, is not all really clear but it is sure that something is missing…
