[OpenAFS] Using OpenAFS filesystems from daemons?
DJ Byrne
djbyrne@eisws6.jpl.nasa.gov
Tue, 15 May 2001 17:03:12 -0700
Ed Cashin writes:
> Derrick J Brashear <shadow@dementia.org> writes:
> > On Mon, 14 May 2001, Eric Knudstrup wrote:
> > > I want to be able to use my afs filesystem from my web server (ie, nobody
> > > present to klog), and I was wondering where it might be documented?
> >
> > If you have kerberos tools, just use either ksrvtgt or kauth, then call
> > aklog, in your script. you'll need to set up an appropriately owned srvtab
> > or keytab, obviously
>
> If you aren't using Kerberos can't you set up a machine-based group,
> if there are no users on the web server except admins? I might have
> gotten the term wrong, since I'm reading the IBM docs now and may have
> forgotten -- you were supposed to be able to grant rights based on
> IP.
There are security implications, but you seem be aware of them.
Here are some sample commands to do that (with Transarc AFS;
haven't double-checked with OpenAFS), making some assumptions
about your web server's IP and where you store documents.
% pts createuser -name 128.192.28.2
% pts creategroup -name web_server
% pts adduser -user 128.192.28.2 -group web_server
% fs setacl -dir /afs/uga/home/e/ecashin/www -acl web_server rl
ACLs on the rest of the directory path /afs/uga/home/e/ecashin
would have to be 'l' for web_server, or of course system:anyuser
would also work.
The only weird thing is that an ACL cannot use an IP PTS
entry directly, that's why a group is created and used.
--
DJ Byrne dj.byrne@jpl.nasa.gov
818-354-8262 #include <std/disclaimer.h>
If at first you don't succeed, skydiving is not for you.