[OpenAFS] Using OpenAFS filesystems from daemons?

DJ Byrne djbyrne@eisws6.jpl.nasa.gov
Tue, 15 May 2001 17:03:12 -0700

Ed Cashin writes:
> Derrick J Brashear <shadow@dementia.org> writes:
> > On Mon, 14 May 2001, Eric Knudstrup wrote:
> > > I want to be able to use my afs filesystem from my web server (ie, nobody
> > > present to klog), and I was wondering where it might be documented?
> > 
> > If you have kerberos tools, just use either ksrvtgt or kauth, then call
> > aklog, in your script. you'll need to set up an appropriately owned srvtab
> > or keytab, obviously
> If you aren't using Kerberos can't you set up a machine-based group,
> if there are no users on the web server except admins?  I might have
> gotten the term wrong, since I'm reading the IBM docs now and may have
> forgotten -- you were supposed to be able to grant rights based on
> IP. 

There are security implications, but you seem be aware of them.
Here are some sample commands to do that (with Transarc AFS;
haven't double-checked with OpenAFS), making some assumptions
about your web server's IP and where you store documents.
	% pts createuser  -name
	% pts creategroup -name web_server
	% pts adduser -user -group web_server
	% fs setacl  -dir /afs/uga/home/e/ecashin/www  -acl web_server rl
ACLs on the rest of the directory path /afs/uga/home/e/ecashin
would have to be 'l' for web_server, or of course system:anyuser
would also work.

The only weird thing is that an ACL cannot use an IP PTS
entry directly, that's why a group is created and used.

DJ Byrne       dj.byrne@jpl.nasa.gov
818-354-8262   #include <std/disclaimer.h>

If at first you don't succeed, skydiving is not for you.