[OpenAFS] Apache2 and OpenAFS

Måns Nilsson mansaxel@besserwisser.org
Sat, 10 Oct 2015 02:26:06 +0200


Subject: Re: [OpenAFS] Apache2 and OpenAFS Date: Thu, Oct 08, 2015 at 04:49:16PM +0200 Quoting Andreas Ladanyi (andreas.ladanyi@kit.edu):
> I found the possibility in Apache 2 to work with the mod_waklog module
> which does the kinit / aklog magic:
> http://www.modwaklog.org/
> Following the instructions on the following blog works:
> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-

Yes, that is one option, and it is really attractive for accessing
data that needs to carry an ACL that is similar regardless of access
method. I've been meaning to set it up for myself for ages.

However, when you want the server to have more access than both the
generic AFS user _and_ the web client, the method outlined by Harald
works better.

The best example for this probably is the cgi-bin directory and all those
places you have to expose PHP code to the world. You want the directory
to reside in AFS, because files should be in AFS (sortakinda preaching
to the choir here) but you want to set a fairly restrictive ACL on the
data, granting only developers, sysadmins and the running web server
access. OTOH, the product of running the code through the web server
should be accessible to anyone.  There of course might be another access
control system in play, like login in a web app.

Thus, the admittedly much coarser method giving the web server a
ticket->token context works much better.  The two methods are different
and have differing uses.

Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
I'm thinking about DIGITAL READ-OUT systems and computer-generated

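The ACL split described in the reply above (restricted code directory, world-readable output, web server authenticated via its own ticket and token), written out as an added shell example. This is not code from the thread, from OpenAFS or from Apache; the cell name, volume paths, Kerberos principal, keytab path and pts group names are assumptions, and the `fs setacl`, `kinit` and `aklog` invocations use the standard OpenAFS and MIT Kerberos command syntax. By default it only prints the commands; set `DRY_RUN=0` to apply them on a host with the tools installed.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out the AFS ACLs for a
# cgi-bin directory and its generated output, and refreshes the web
# server's AFS token from a keytab (the ticket -> token step).
# Everything below the comment "assumed" is a placeholder value.
set -eu

CELL=${CELL:-example.org}                              # assumed AFS cell
WWW_ROOT=${WWW_ROOT:-/afs/$CELL/www}                   # assumed mount point
HTTPD_PRINC=${HTTPD_PRINC:-httpd/www.example.org}      # assumed Kerberos principal
HTTPD_KEYTAB=${HTTPD_KEYTAB:-/etc/apache2/httpd.keytab}  # assumed keytab path
# OpenAFS writes the Kerberos instance separator '/' as '.' in pts names,
# so the ACL entry for the principal above is its dotted form.
HTTPD_AFSUSER=${HTTPD_AFSUSER:-httpd.www.example.org}
DEV_GROUP=${DEV_GROUP:-www:developers}                 # assumed pts groups
ADMIN_GROUP=${ADMIN_GROUP:-www:sysadmins}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Code directory: no entry for system:anyuser, so anonymous and generic
# AFS users get nothing. Sysadmins administer the ACL, developers write,
# the web server identity only lists and reads the code it executes.
set_code_acl() {
    run fs setacl -dir "$WWW_ROOT/cgi-bin" -clear \
        -acl "$ADMIN_GROUP" rlidwka \
             "$DEV_GROUP" rlidwk \
             "$HTTPD_AFSUSER" rl
}

# Output the code produces: readable by anyone (system:anyuser), written
# only by the web server, administered by sysadmins.
set_output_acl() {
    run fs setacl -dir "$WWW_ROOT/htdocs/generated" -clear \
        -acl "$ADMIN_GROUP" rlidwka \
             "$HTTPD_AFSUSER" rlidwk \
             system:anyuser rl
}

# Ticket -> token: obtain a Kerberos ticket for the web server principal
# from its keytab (MIT kinit syntax), then an AFS token for the cell.
# Run from the server's start-up and again before the token expires.
refresh_token() {
    run kinit -k -t "$HTTPD_KEYTAB" "$HTTPD_PRINC"
    run aklog -c "$CELL"
}

main() {
    set_code_acl
    set_output_acl
    refresh_token
}

main
```

Keeping the web server entry on the code directory at `rl` means a compromised CGI or PHP process cannot modify its own source in AFS, while the output directory grants it write access only where that is actually needed; whether the web server should be a single principal or one per virtual host is a separate design choice the thread does not go into.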