[OpenAFS] suEXEC/FastCGI/OpenAFS question

Aaron Knister aaronk@umbc.edu
Wed, 23 Nov 2011 15:16:41 -0500


Hi All,

I'm working on a hosting environment for our campus, the foundation of
which is OpenAFS. I had previously configured the environment using waklog
and mpm-itk for isolating each virtual host's processes by launching them
with their assigned AFS identity and UNIX uid. This worked well, but I was
asked to add PHP APC support (for those unfamiliar with it, PHP APC does
byte code and key/value caching). With mod_php the APC cache is shared across all
virtual hosts, which is just ripe for disaster as any virtual host can view
and modify the cached entries of another.

I've devised another approach, dropping the mpm-itk patches and using
suEXEC and fastcgi for php instead. I need to use fastcgi so that the php
interpreter stays alive and the APC cache has some persistence between
requests. The one piece to the puzzle that I'm missing is having fastcgi
obtain AFS tokens. Because the fastcgi processes aren't spawned by the
httpd worker handling the request, waklog isn't able to pass along any
credentials. This is a problem. Has anybody encountered this situation and
come up with a working solution?

My current approach involves patching suexec and fastcgi to pass extra
arguments that indicate which kerb principal to use for obtaining tokens,
but I'm really not thrilled about it as it's something I highly doubt would
be accepted upstream.

Thanks!

-Aaron

-- 
Aaron Knister
Systems Administrator
Division of Information Technology
University of Maryland, Baltimore County
aaronk@umbc.edu
