[OpenAFS-devel] writing AFS-aware WebDav server; questions about lib[j]afs

Russ Allbery rra@stanford.edu
Fri, 10 Feb 2006 21:01:48 -0800


Adam Megacz <megacz@cs.berkeley.edu> writes:

> I'm implementing an AFS-aware WebDAV server.  I'm doing it in Java at
> the moment simply because that's the shortest path to completion
> (libjafs and existing Java webdav server code make it pretty easy).

> Three questions:

> 1. Is there any way to create a "Process Authentication Thread"
>    similar to a PAG? (I strongly suspect not)

A PAG is nothing more or less than a group membership, from the
perspective of a user process.  If threads can be in different groups,
yes; otherwise, no.

I don't know on your other questions.

> I feel uncomfortable about requiring that the server run as a member of
> system:anyuser.  The best solution IMHO is to have the server use the
> user's tokens (how those are obtained is another story).

> The second-best solution is to have the server run with
> system:administrator powers, but I'm reluctant to do that unless I know
> that those tokens will only be used for file accesses I specifically
> instruct them to be used for (I don't want normal calls to java.io.* to
> get the benefit of these tokens -- too much other code in the JVM calls
> this stuff).

Yeah, this is a standard problem.  Most sites work around it by creating a
special identity for the web server and then giving that identity access
to the directories that it needs to access explicitly.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
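
An added example, not part of the original message or of OpenAFS: one way to check the arrangement described above, where the web server has its own identity and explicit ACL entries only on the directories it needs. It parses `fs listacl` output and flags rights beyond an expected set, plus any directory that still grants system:anyuser access. The identity name `webdav`, the paths, the expected-rights table and the sample output are constructed assumptions.

```python
import re

# Constructed sample of `fs listacl` output for two directories (not from the thread).
SAMPLE = """\
Access list for /afs/example.org/web/htdocs is
Normal rights:
  system:administrators rlidwka
  webdav rl
Access list for /afs/example.org/web/uploads is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  webdav rlidwka
Negative rights:
  guest rl
"""

def parse_listacl(text):
    """Return {directory: {"normal": {principal: rights}, "negative": {...}}}."""
    acls, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            current, section = acls.setdefault(m.group(1), {"normal": {}, "negative": {}}), None
        elif line.strip() == "Normal rights:":
            section = "normal"
        elif line.strip() == "Negative rights:":
            section = "negative"
        elif current is not None and section and line.strip():
            principal, rights = line.split()
            current[section][principal] = rights
    return acls

def audit(acls, identity, allowed):
    """Flag grants to `identity` beyond `allowed` and any system:anyuser grant."""
    findings = []
    for directory, acl in sorted(acls.items()):
        normal = acl["normal"]
        extra = set(normal.get(identity, "")) - set(allowed.get(directory, ""))
        if extra:
            findings.append((directory, identity, "".join(sorted(extra))))
        if "system:anyuser" in normal:
            findings.append((directory, "system:anyuser", normal["system:anyuser"]))
    return findings

if __name__ == "__main__":
    # Hypothetical policy: read-only docroot, read/insert/write on uploads.
    allowed = {"/afs/example.org/web/htdocs": "rl", "/afs/example.org/web/uploads": "rliw"}
    for finding in audit(parse_listacl(SAMPLE), "webdav", allowed):
        print(finding)
```

On a real cell the input would be the captured output of `fs listacl` run over the served directories.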