[OpenAFS] AFS vs DAV

Noel Burton-Krahn noel@bkbox.com
Fri, 16 Jan 2004 13:02:35 -0800 

Hi John,

You're welcome to try my own GPL'ed my own solution for OpenAFS + WebDAV
with cookies and single sign-on in Apache.  It's in the form or two perl
modules available here:

http://bkbox.com/~noel/open/Apache-AuthKrb5Afs-1.01.tar.gz
http://bkbox.com/~noel/open/Auth-Krb5Afs-1.0.tar.gz

I wouldn't throw away OpenAFS and replace it with WebDAV, but running WebDAV
on top of OpenAFS gives users easy access to OpenAFS without installing the
client.  And you can cluster your WebDAV servers.

I've tested with Windows "Web Folders".  It's a slightly sketchy
implementation, but it does the job.  It basically lets you do something
like FTP (file upload and download only) through HTTPS (encrypted passwords
are a good thing).

WebDAV just doesn't do most jobs I want to to, like using my CVS repository
on my OpenAFS home, or having a single home directory from anywhere.

Some problems with WebDAV implementations are:
1. they can't tell the difference between running a script and opening the
script file itself (because they use HTTP GET)
2. If you type a URL in a "Web Folder" bar, you revert to HTTP browsing, not
DAV.  Try it, you'll see.

But, it's still nice if you don't want to install the AFS client.

--Noel



--Noel


----- Original Message -----
From: "John Rudd" <jrudd@ucsc.edu>
To: "Noel Burton-Krahn" <noel@bkbox.com>
Cc: "Rick Cochran" <rcc2@cornell.edu>; <openafs-info@openafs.org>
Sent: Friday, January 16, 2004 12:33 PM
Subject: Re: [OpenAFS] AFS vs DAV


>
> Noel Burton-Krahn wrote:
> >
> > Hi Dan,
> >
> > I'm not a university, but I use both DAV and AFS.  DAV is useful which
you
> > don't want to install an AFS client, but it only allows file
upload/download
> > like FTP.  You can't edit files directly with my DAV client (Windows
> > Explorer) or server (Apache's mod_dav).  DAV has no support cfor
changing
> > AFS permissions either.  AFS requires client software, but it provides a
> > real shared network drive.
> >
>
> Whether or not you can edit files with WebDAV sort of depends upon the
> view of things and the DAV client.
>
> WebDAV supports file locking (IIRC), so the WebDAV client can, for
> example, lock the file, download it, modify it, upload a new copy, and
> then unlock the file.  It's not direct editing of the file within the
> WebDAV protocol, but it is editing of the file through a WebDAV service.
>
> There are also WebDAV based filesystems out there, including on Mac OS X
> (through Finder's "Connect" feature), and with Windows, I think you use
> the "web folders" feature (so I'm not sure what Xythos is trying to
> accomplish with their client software -- it's only targeted at Windows,
> yet Windows has support for that built in).  Linux has a DavFS based
> project, and I believe there was such a project at Stanford for Solaris
> as well.
>
>
> For WebDAV vs AFS:
>
> If it can work, and I don't know how well WebDAV clients support for
> this might be, you might be able to use some form of reverse web cache
> or redirection system to have multiple web servers on the back end
> serving your WebDAV file system.  Some of these might be sharing the
> same data for redundancy and load balancing, and some of them might be
> only sharing parts of the data (so that you can make independent file
> stores look like one service).  This would compare to a couple of AFS's
> more compelling features.
>
> What WebDAV, as a file service in comparison to AFS, doesn't directly
> have is:
>
> 1) on the client side, I don't know of anything that has been done to
> make sessions have any sort of PAG like attributes (where different URLs
> would get mounted in a way that doesn't give every client side user the
> same set of authorizations (the authorizations of the person who
> performed the mount).  For single user systems, this isn't a big deal,
> but it is a HUGE deal for multi- user systems.
>
>
>
> I wouldn't want to replace AFS with WebDAV until these two are resolved
> ... plus, I would want to see vendor* support (including the above
> features) for WebDAV as a file system service for a few more platforms
> (Solaris, FreeBSD, and AIX ... plus having those features work into the
> client side of Windows and Mac OS X).  Until then, I only really think
> of WebDAV file service as an alternative to distributing AFS clients to
> single user workstations.
>
>
> (* vendor support from Solaris and AIX ... for FreeBSD, actual support
> from the FreeBSD project)
>
>
> For example, with WebDAV over AFS, I can tell people what URL to use in
> Finder Connect or Windows Web Folders that would let them access their
> home directory.  I don't have to distribute binaries, I don't have to
> develop a "support AFS users on their own machines" arm of our helpdesk,
> etc.
>
> With direct AFS I have to give them AFS, Kerberos, and aklog binaries, I
> have to come up with a support infrastructure for any problems that
> might come up in their use or installation of those binaries, etc.  This
> approach has a lot more support overhead.
>
>
> 2) I don't think, but I don't recall, if the apache kerberos
> authentication module allows you to authenticate via tickets, it just
> gives you success or failure on your supplied password.  If something
> like a khttps protocol could be crafted, that would be great ... but
> until then, it seems like WebDAV pretty much requires you to use
> password authentication.  Though, I think someone here mentioned
> something about using cookies as a means of some sort of single-sign-on,
> but I don't recall exactly (our email server had a huge problem this
> week, and I lost our entire WebDAV on AFS discussion ... and haven't had
> time to fish it out of hte list archives).