[OpenAFS] Apache2 and OpenAFS
Wed, 14 Oct 2015 16:11:38 +0100 (BST)
>>>> I found the possibility in Apache 2 to work with the mod_waklog module
>>>> which does the kinit / aklog magic:
>>>> Following the instructions on the following blog works:
>>> Yes, that is one option, and it is really attractive for accessing
>>> data that needs to carry an ACL that is similar regardless of access
>>> method. I've been meaning to set it up for myself for ages.
>>> However, when you want the server to have more access than both the
>>> generic AFS user _and_ the web client, the method outlined by Harald
>>> works better.
I'm not sure I understand what you are saying there. AIUI Haralds method
means that apache runs as the single PTS ID that you've configured. We get
that behaviour with the WaklogDefaultPrincipal directive.
As you've discovered from that old blog post, we use ModWakLog with our
Apache (2.2) and AFS. The post pretty much covers what we do, but recently
we've been using the
directive, so we can have things like:
WaklogDefaultPrincipal afsweb/toaster-srv.inf.ed.ac.uk /etc/https/keytabs/afsweb.keytab
WaklogLocationPrincipal roger/sweb /etc/httpd/keytabs/roger-sweb.keytab
WaklogLocationPrincipal neilb/sweb /etc/httpd/keytabs/neilb-sweb.keytab
So generally the web server has access to any AFS space that the PTS entry
"afsweb/toaster-srv.inf.ed.ac.uk" has ACL access to, but for /roger or
/neilb, then it gets the corresponding "roger.sweb" or "neilb.sweb" PTS
entry. So the ACL for the directory the maps to /neilb can look like
Access list for . is
Meaning regular me has the usual full access, but accessed via the web,
"neilb.sweb" only has read access. No one else with file level access
can see my lovingly crafted HTML/CGI!
Neil Brown - Computing Officer - Inf Forum 2.43 | Neil.Brown @ ed. ac. uk
School of Informatics, University of Edinburgh | Tel: +44 131 6504422
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.