[OpenAFS-devel] Re: writing AFS-aware WebDav server; questions about lib[j]afs

Adam Megacz megacz@cs.berkeley.edu
Sun, 12 Feb 2006 16:49:58 -0800


Russ Allbery <rra@stanford.edu> writes:
> A PAG is nothing more or less than a group membership, from the
> perspective of a user process.  If threads can be in different groups,
> yes; otherwise, no.

Ah, that's too bad.  On Linux you can have different threads with
different UIDs/GIDs in a single process, but this is considered a bug
and is slated to go away (apparently pthreads doesn't do this).

Worst case I guess I'll just serialize all AFS operations through a
single thread that gets/drops tokens for each request.  Performance
will be pretty bad, but it should meet our short-term needs.

I got an out-of-band email with a rumor about a
possibly-soon-to-be-open-source library that lets you specify tokens
on a per-call basis... we'll see if that pans out.

> Yeah, this is a standard problem.  Most sites work around it by creating a
> special identity for the web server and then giving that identity access
> to the directories that it needs to access explicitly.

I actually want to offer "full" access to AFS via WebDav (with a
webpage for changing/viewing ACLs, etc) -- not just files that people
specifically designate for this service.  The idea is for WebDAV to be
just another (though inferior) protocol that can be used to access a
single filestore.

The idea is that the two popular "end-user" OSes (Windows and MacOS)
both have built-in WebDav support, so people will be able to make
their AFS files available to "casual" users who for some reason don't
want to install the client.  As those people start using it more,
they'll eventually come to understand the value of shared AFS
filespace and get over the psychological barrier of installing new
software (never underestimate this!).

I think that this is a very promising adoption path.  The
try-before-you-buy aspect will go a long way.

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380