[OpenAFS] AFS Module for Apache

Tue, 14 Dec 2004 16:00:26 +0100

--=-9uisN0xsy/lgx5hEBnsj
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi Sergio and Others

Im running Apache 2.0.51 on Fedora Core 2.

My plan is to have many VirtualHosts each running as different users, so
my config would look like

<VirtualHost *>
    ...
    User wwwuser1
    Group wwwuser1
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser1's id)
    AFSKeytab wwwuser1.keytab
    ...
</VirtualHots>

<VirtualHost *>
    ...
    User wwwuser2
    Group wwwuser2
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser2's id)
    AFSKeytab wwwuser2.keytab
    ...
</VirtualHots>

So each fork should run as different users and have it's own cache file,
which if not present or expired will be created from the keytab file.
Each VirtualHost is also setting it's own PAG, which I understand should
make it possible for one user to hold many tokens by have many PAG's.

Is this possible or am I way out there ?

/Mikkel

PS: I could really need some pointers on a mod_afs module for apache 2
and afs 1.3.

On Fri, 2004-12-10 at 18:44 +0100, Sergio Gelato wrote:

> * Mikkel Kruse Johnsen [2004-12-10 16:39:55 +0100]:
> > Im trying to make apache able to read AFS. I have found some examples on 
> > the net but they are all fro apache 1.3, AFS 1.2 and Kerberos 4
> > 
> > I need apache 2, AFS 1.3.74 and Kerberos IV.
> 
> Which MPM for Apache?
> 
> The reason I'm asking is that a process cannot simultaneously hold tokens
> for more than one user per cell (unless this restriction has been removed
> in 1.3.x, but I doubt it since that would require a mechanism for choosing
> which of the several available identities should be used on any given file
> access). If you're multithreading this could be a serious problem. Even
> with the prefork MPM (still the default in 2.0, but maybe not in 2.1)
> you'll have to give each server process its own PAG.
> 
> > Using the attached module I get in /var/log/message "Dec 10 15:54:08 
> > frodo kernel: afs: Tokens for user of AFS id 48 for cell linet.dk are 
> > discarded (rxkad error=19270407)", which I think means bad ticket.
> > 
> > I don't really know what Im doing, since I havent hacked in AFS or 
> > Kerberos's API before, so this is a learning process. But my question is:
> > 
> > In the examples they all copy the "v4creds.session" into 
> > "ClearToken.HandShakeKey" but in v5creds there is no session key, I 
> > think it is called keyblock. What is the sessionKey in Kerberos IV ?
> > 
> > If anyone would like to help me out coding the module I would appreciate it.
> 
> How about using Heimdal's libkafs to cut down on the work involved?
> There is also a counterpart, krbafs, for MIT Kerberos but it may require
> some work to port to your platform.

--=-9uisN0xsy/lgx5hEBnsj
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
 <META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
Hi Sergio and Others 
 
Im running Apache 2.0.51 on Fedora Core 2. 
 
My plan is to have many VirtualHosts each running as different users, so my config would look like 
 
&lt;VirtualHost *&gt; 
&nbsp;&nbsp;&nbsp; ... 
&nbsp;&nbsp;&nbsp; User wwwuser1 
&nbsp;&nbsp;&nbsp; Group wwwuser1 
&nbsp;&nbsp;&nbsp; AFSEngine on 
&nbsp;&nbsp;&nbsp; AFSCache /tmp/krbcc_(wwwuser1's id) 
&nbsp;&nbsp;&nbsp; AFSKeytab wwwuser1.keytab 
&nbsp;&nbsp;&nbsp; ... 
&lt;/VirtualHots&gt; 
 
&lt;VirtualHost *&gt; 
&nbsp;&nbsp;&nbsp; ... 
&nbsp;&nbsp;&nbsp; User wwwuser2 
&nbsp;&nbsp;&nbsp; Group wwwuser2 
&nbsp;&nbsp;&nbsp; AFSEngine on 
&nbsp;&nbsp;&nbsp; AFSCache /tmp/krbcc_(wwwuser2's id) 
&nbsp;&nbsp;&nbsp; AFSKeytab wwwuser2.keytab 
&nbsp;&nbsp;&nbsp; ... 
&lt;/VirtualHots&gt; 
 
So each fork should run as different users and have it's own cache file, which if not present or expired will be created from the keytab file. Each VirtualHost is also setting it's own PAG, which I understand should make it possible for one user to hold many tokens by have many PAG's. 
 
Is this possible or am I way out there ? 
 
/Mikkel 
 
PS: I could really need some pointers on a mod_afs module for apache 2 and afs 1.3. 
 
 
On Fri, 2004-12-10 at 18:44 +0100, Sergio Gelato wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
* Mikkel Kruse Johnsen [2004-12-10 16:39:55 +0100]:
&gt; Im trying to make apache able to read AFS. I have found some examples on 
&gt; the net but they are all fro apache 1.3, AFS 1.2 and Kerberos 4
&gt; 
&gt; I need apache 2, AFS 1.3.74 and Kerberos IV.

<FONT COLOR="#000000">Which MPM for Apache?</FONT>

The reason I'm asking is that a process cannot simultaneously hold tokens
for more than one user per cell (unless this restriction has been removed
in 1.3.x, but I doubt it since that would require a mechanism for choosing
which of the several available identities should be used on any given file
access). If you're multithreading this could be a serious problem. Even
with the prefork MPM (still the default in 2.0, but maybe not in 2.1)
you'll have to give each server process its own PAG.

&gt; Using the attached module I get in /var/log/message &quot;Dec 10 15:54:08 
&gt; frodo kernel: afs: Tokens for user of AFS id 48 for cell linet.dk are 
&gt; discarded (rxkad error=19270407)&quot;, which I think means bad ticket.
&gt; 
&gt; I don't really know what Im doing, since I havent hacked in AFS or 
&gt; Kerberos's API before, so this is a learning process. But my question is:
&gt; 
&gt; In the examples they all copy the &quot;v4creds.session&quot; into 
&gt; &quot;ClearToken.HandShakeKey&quot; but in v5creds there is no session key, I 
&gt; think it is called keyblock. What is the sessionKey in Kerberos IV ?
&gt; 
&gt; If anyone would like to help me out coding the module I would appreciate it.

<FONT COLOR="#000000">How about using Heimdal's libkafs to cut down on the work involved?</FONT>
<FONT COLOR="#000000">There is also a counterpart, krbafs, for MIT Kerberos but it may require</FONT>
<FONT COLOR="#000000">some work to port to your platform.</FONT>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>

--=-9uisN0xsy/lgx5hEBnsj--