[OpenAFS] Apache2 and OpenAFS

Måns Nilsson mansaxel@besserwisser.org
Mon, 12 Oct 2015 20:38:38 +0200


Subject: Re: [OpenAFS] Apache2 and OpenAFS Date: Mon, Oct 12, 2015 at 03:07:59PM +0200 Quoting Andreas Ladanyi (andreas.ladanyi@kit.edu):
> On 10.10.2015 at 02:26, Måns Nilsson wrote:
> > Subject: Re: [OpenAFS] Apache2 and OpenAFS Date: Thu, Oct 08, 2015 at 04:49:16PM +0200 Quoting Andreas Ladanyi (andreas.ladanyi@kit.edu):
> >> I found the possibility in Apache 2 to work with the mod_waklog module
> >> which does the kinit / aklog magic:
> >>
> >> http://www.modwaklog.org/
> >>
> >> Following the instructions on the following blog works:
> >>
> >> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apac=
> > Yes, that is one option, and it is really attractive for accessing
> > data that needs to carry an ACL that is similar regardless of access
> > method. I've been meaning to set it up for myself for ages.
> >
> > However, when you want the server to have more access than both the
> > generic AFS user _and_ the web client, the method outlined by Harald
> > works better.
> What is the generic AFS user? Are you talking about the AFS user apache
> is running as, like wwwrun?
system:anyuser, mostly.

> > The best example for this probably is the cgi-bin directory and all those
> > places you have to expose PHP code to the world. You want the directory
> > to reside in AFS, because files should be in AFS (sortakinda preaching
> > to the choir here) but you want to set a fairly restrictive ACL on the
> > data, granting only developers, sysadmins and the running web server
> > access.
> I am not sure if I understand you correctly. I think it is possible to
> set different AFS user / group entries on an AFS directory (which
> contains web content) ACL? So webserver, developers and sysadmins could
> access this directory.

Yes. The idea here is that I want the directory to be protected but still
in AFS. To do this and allow the web server access, I must get credentials
to the web server process -- and that means creating a principal and pt
entry for the webserver, and starting the web server so that it can use
the principal and get a token.

> > OTOH, the product of running the code through the web server
> > should be accessible to anyone.
> You are talking about users which are not in the AFS pts database if
> you say "anyone" ?

Yes and no, not directly actually, I mean web browsers connecting to the
web server without having a Kerberos Ticket. They are unauthenticated
from an AFS point of view, and they access the data over HTTP, but this
might actually be what the sysadmin wants ;-)

Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
I'm using my X-RAY VISION to obtain a rare glimpse of the INNER
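The setup Måns describes above (a principal and pts entry for the web server, a token obtained before httpd starts, and a directory ACL that admits only developers, sysadmins and the server) as an added shell example; it is not code from the thread, and the cell, principal, keytab path, pts group names and directory are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Gives Apache its own AFS identity so a
# directory can drop system:anyuser yet still be served. All names below are
# assumptions: cell, principal, keytab, pts groups and directory.
set -eu

CELL="example.org"
PRINC="httpd/web.example.org"          # Kerberos principal for the web server
AFS_USER="httpd.web.example.org"       # its pts name (slash becomes a dot)
KEYTAB="/etc/httpd/afs.keytab"
export KRB5CCNAME="FILE:/run/httpd/krb5cc_afs"   # private cache for httpd

# Succeed only if `tokens` output ($1) lists a token for cell $2.
# Checked before exec'ing httpd: without a token the server silently falls
# back to system:anyuser rights, i.e. no access to the protected directory.
has_token_for() {
    printf '%s\n' "$1" | grep -Fq "tokens for afs@$2 ["
}

# Print the one-time setup for a protected web directory ($1): a pts entry
# for the server and an ACL holding developers, sysadmins and the server only.
# -clear drops inherited entries such as "system:anyuser rl". Review the
# output, then pipe it to sh on a machine that holds admin tokens.
acl_plan() {
    printf 'pts createuser %s\n' "$AFS_USER"
    printf 'fs setacl -dir %s -clear -acl web-devs rlidwk web-admins rlidwka %s rl\n' \
        "$1" "$AFS_USER"
}

# Get a Kerberos ticket from the keytab and turn it into an AFS token.
# Tokens expire; re-run this (or use a keytab-renewing helper) before then.
obtain_token() {
    kinit -k -t "$KEYTAB" "$PRINC"
    aklog -c "$CELL"
    has_token_for "$(tokens)" "$CELL" || {
        echo "no AFS token for $CELL; refusing to start httpd" >&2
        return 1
    }
}

case "${1:-}" in
    --start) obtain_token; exec /usr/sbin/httpd -DFOREGROUND ;;
    --plan)  acl_plan "${2:?directory}" ;;
esac
```

Run with `--plan /afs/<cell>/www/cgi-bin` to print the setup commands, and use `--start` as the service's start command so the token exists before Apache forks.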
