[OpenAFS] Apache2 and OpenAFS

Neil Brown neilb+afs@inf.ed.ac.uk
Wed, 14 Oct 2015 16:11:38 +0100 (BST)


>>>> I found the possibility in Apache 2 to work with the mod_waklog module
>>>> which does the kinit / aklog magic:
>>>>
>>>> http://www.modwaklog.org/
>>>>
>>>> Following the instructions on the following blog works:
>>>>
>>>> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog

>>> Yes, that is one option, and it is really attractive for accessing
>>> data that needs to carry an ACL that is similar regardless of access
>>> method. I've been meaning to set it up for myself for ages.

>>> However, when you want the server to have more access than both the
>>> generic AFS user _and_ the web client, the method outlined by Harald
>>> works better.

I'm not sure I understand what you are saying there. AIUI Harald's method 
means that apache runs as the single PTS ID that you've configured. We get 
that behaviour with the WaklogDefaultPrincipal directive.

As you've discovered from that old blog post, we use ModWakLog with our 
Apache (2.2) and AFS. The post pretty much covers what we do, but recently 
we've been using the

   WaklogLocationPrincipal

directive, so we can have things like:

WaklogDefaultPrincipal  afsweb/toaster-srv.inf.ed.ac.uk /etc/httpd/keytabs/afsweb.keytab
<Location /roger>
   WaklogLocationPrincipal  roger/sweb /etc/httpd/keytabs/roger-sweb.keytab
</Location>
<Location /neilb>
   WaklogLocationPrincipal  neilb/sweb /etc/httpd/keytabs/neilb-sweb.keytab
</Location>

So generally the web server has access to any AFS space that the PTS entry 
"afsweb/toaster-srv.inf.ed.ac.uk" has ACL access to, but for /roger or 
/neilb, then it gets the corresponding "roger.sweb" or "neilb.sweb" PTS 
entry. So the ACL for the directory that maps to /neilb can look like 
this:

Access list for . is
Normal rights:
   system:administrators rlidwka
   neilb rlidwk
   neilb.sweb rl

Meaning regular me has the usual full access, but accessed via the web, 
"neilb.sweb" only has read access. No one else with file level access 
can see my lovingly crafted HTML/CGI!

Neil
-- 
  Neil Brown - Computing Officer - Inf Forum 2.43 | Neil.Brown @ ed. ac. uk
  School of Informatics, University of Edinburgh  | Tel: +44 131 6504422

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
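The check a practitioner would want to run before exposing an AFS directory through a WaklogLocationPrincipal is the one Neil's ACL illustrates: the web-only PTS entry should hold rl and nothing more, and no broader group should undo the point of having a separate principal. The script below is an added example, not code from Neil's message or from mod_waklog. It assumes the standard AFS convention that a Kerberos principal user/instance is named user.instance in the PTS database, and `fs listacl` output in the shape shown in the message; the first sample ACL is the one quoted above, the second is a constructed counter-example with a negative-rights section.

```python
"""Audit the AFS ACL of a directory that mod_waklog will serve.

Added example, not code from Neil's message or from mod_waklog.  Assumes
the usual AFS convention that Kerberos principal user/instance appears as
user.instance in the PTS database, and `fs listacl` output as shown in the
message.  Group membership is not expanded; only named entries are checked.
"""
import re

# Standard AFS directory rights: read, lookup, insert, delete, write, lock, administer.
AFS_RIGHTS = set("rlidwka")
# Anything beyond r and l lets the holder change the content or the ACL itself.
MODIFY_RIGHTS = set("idwka")

# Constructed sample: the ACL quoted in the message, as `fs listacl` prints it.
GOOD_ACL = """\
Access list for . is
Normal rights:
  system:administrators rlidwka
  neilb rlidwk
  neilb.sweb rl
"""

# Constructed counter-example (hypothetical path): the web principal can write,
# every AFS user can read, and a negative right removes only the lock bit.
BAD_ACL = """\
Access list for /afs/example.org/web/neilb is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  neilb rlidwk
  neilb.sweb rlidwk
Negative rights:
  neilb.sweb k
"""

_ACL_LINE = re.compile(r"^(\S+)\s+([rlidwkaA-H]+)$")


def krb_principal_to_pts(principal):
    """Map a Kerberos principal to its PTS name: drop the realm and turn the
    '/' between primary and instance into '.', so neilb/sweb -> neilb.sweb."""
    return principal.split("@", 1)[0].replace("/", ".")


def parse_listacl(text):
    """Parse `fs listacl` output into {'normal': {name: rights}, 'negative': {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for "):
            continue
        if line == "Normal rights:":
            section = "normal"
            continue
        if line == "Negative rights:":
            section = "negative"
            continue
        m = _ACL_LINE.match(line)
        if section is None or not m:
            raise ValueError(f"unexpected fs listacl line: {raw!r}")
        acl[section][m.group(1)] = set(m.group(2))
    return acl


def effective_rights(acl, pts_name):
    """Rights of one named PTS entry: normal rights minus negative rights."""
    return acl["normal"].get(pts_name, set()) - acl["negative"].get(pts_name, set())


def audit(acl, principal):
    """Return (pts_name, effective_rights, problems) for a WaklogLocationPrincipal."""
    pts = krb_principal_to_pts(principal)
    rights = effective_rights(acl, pts)
    problems = []
    if not {"r", "l"} <= rights:
        problems.append(f"{pts} lacks rl: Apache cannot serve this directory")
    extra = rights & MODIFY_RIGHTS
    if extra:
        problems.append(f"{pts} holds {''.join(sorted(extra))}: "
                        "a compromised web server could modify the content")
    for grp in ("system:anyuser", "system:authuser"):
        if "r" in acl["normal"].get(grp, set()):
            problems.append(f"{grp} can read: the per-location principal does "
                            "not hide the content from other AFS users")
    return pts, rights, problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        pts, rights, problems = audit(parse_listacl(text), "neilb/sweb")
        print(label, pts, "".join(sorted(rights)), problems or "ok")
```

In practice you would feed it the real output of `fs listacl` on each directory behind a `<Location>` block and the principal named in that block's WaklogLocationPrincipal line; a location whose principal has more than rl, or whose directory is readable by system:anyuser, is the case the message's ACL deliberately avoids.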