[OpenAFS-devel] writing AFS-aware WebDAV server; questions about lib[j]afs

Adam Megacz megacz@cs.berkeley.edu
Thu, 09 Feb 2006 21:50:23 -0800


I'm implementing an AFS-aware WebDAV server.  I'm doing it in Java at
the moment simply because that's the shortest path to completion
(libjafs and existing Java WebDAV server code make it pretty easy).

Three questions:

1. Is there any way to create a "Process Authentication Thread"
   similar to a PAG? (I strongly suspect not)

2. Is there any way to ask libafs to perform a file operation (open,
   read, write, etc.) using a specific token which is passed as an
   argument to the call rather than (or perhaps in addition to)
   whatever tokens are associated with the current PAG?  If so, is
   this functionality exposed in libjafs?

3. Given access to the server's KeyFile, I know it is
   cryptographically possible to fabricate any user's tokens (gssklogd
   does this).  Is this functionality included in libafs, or does it
   have to be written from scratch (since its use is, I assume,
   discouraged)?

I feel uncomfortable about requiring that the server run as a member
of system:anyuser.  The best solution IMHO is to have the server use
the user's tokens (how those are obtained is another story).

The second-best solution is to have the server run with
system:administrator powers, but I'm reluctant to do that unless I
know that those tokens will only be used for file accesses I
specifically instruct them to be used for (I don't want normal calls
to java.io.* to get the benefit of these tokens -- too much other code
in the JVM calls this stuff).

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380