[OpenAFS] Re: Website files in AFS

David Botsch dwb7@ccmr.cornell.edu
Wed, 11 Feb 2004 22:22:17 -0500


Here, to run Apache inside a PAG with tokens, we did 3 things:

1. Edit the httpd init script to use pagsh as the shell (1st line). This will
   start Apache inside its own PAG and means you can service start/restart
   httpd.
2. Put the password for webuser in a root-restricted file.
3. In the init script, pass the contents of the file to a program called
   "reauth".

reauth gets tokens inside the PAG already set up and, every x seconds, will
renew those tokens.

For users to access AFS files through Apache, we use a system which uses
perl/php and fires off a new PAG with that user's tokens. See the recent
openafs-announce announcement and d/l from:
http://cf.ccmr.cornell.edu/publicdownloads/afs/ccmr-afs-webauth.tar.gz
(If you are interested, I can provide more details privately on how the PAG
thing in the webauth pkg works.)

On Wed, Feb 11, 2004 at 05:14:29PM -0800, Russ Allbery wrote:
> Cees de Groot <cg@tric.nl> writes:
> > Russ Allbery  <rra@stanford.edu> said:
> 
> >> k5start still has some nice abilities to run as a daemon, though (we
> >> generally run it under djb's supervise).
> 
> > A solution I've been happy with for the last year or so is to start a
> > new supervise in a PAG. That supervise points to a directory that has
> > two service definitions: one that does kinit/sleep, and the other one
> > being apache (with the necessary hacks to keep the thing in the
> > foreground). The primary supervise keeps the secondary one running, and
> > the secondary supervise makes sure that reauthentication is kept alive
> > and that apache stays running. The overhead of an extra supervise seems
> > to be negligible.
> 
> Yeah, this would work pretty well.  I've just not felt like going down the
> path of hacking Apache to run properly under supervise, so we still mostly
> run Apache outside of a PAG as its own user.
> 
> That does have the drawback of requiring some care in starting Apache
> manually (we generally do so with "at now", which will start it outside of
> a PAG for us).
> 
> -- 
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
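
A pre-flight check for the root-restricted password file from step 2, as an added example that is not part of the original message or of the reauth/webauth packages. The default path and the function name `check_cred_file` are assumptions; the init script would call it before handing the file's contents to the renewal program.

```shell
#!/bin/sh
# Added example, not from the original post. The default path and the
# function name are assumptions made for illustration.
CRED_FILE="${CRED_FILE:-/etc/httpd/webuser.pw}"   # hypothetical path

# check_cred_file FILE [EXPECTED_UID]
# Succeeds only if FILE is a regular, non-empty file (not a symlink), owned
# by EXPECTED_UID (default 0 = root), with no group/other permission bits
# and no ACL that could grant extra access.
check_cred_file() {
    file=$1
    want_uid=${2:-0}

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing $file: not a regular file" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "refusing $file: empty" >&2
        return 1
    fi

    # ls -ldn prints "mode links uid gid ..." with numeric ids.
    set -- $(ls -ldn -- "$file")
    mode=$1
    uid=$3

    if [ "$uid" != "$want_uid" ]; then
        echo "refusing $file: owner uid $uid, expected $want_uid" >&2
        return 1
    fi
    case $mode in
        *+) echo "refusing $file: has an ACL ($mode)" >&2; return 1 ;;
        -???------*) return 0 ;;
        *)  echo "refusing $file: group/other bits set ($mode)" >&2; return 1 ;;
    esac
}

# Intended use near the top of the init script, before the password is read:
#   check_cred_file "$CRED_FILE" || exit 1
```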