Booker Bense <[email protected]> writes:

> On Wed, Dec 12, 2012 at 6:44 AM, Michal Švamberg <[email protected]> wrote:

>> Is there some reasonable advice, how to separate virtual web servers on
>> AFS from each other?

> The only way to accomplish this is to have each subprocess that requires
> write access run with its own afs token and only allow write access by
> that token.

> This problem has been solved, but it's not simple.  I think at a minimum
> you'll need a "cgi" server in addition to your main server.

You can mingle the servers.  You do have to make every virtual web server
run as a separate user, which means you're going to have to use suexec so
far as I know, although you may be able to do something more elaborate
with mod_waklog.  We came up with our solution before mod_waklog existed,
so it's worth taking a long look at it before going down the suexec path.

> You'll also need to manage keytabs for each of the cms servers.

You need a keytab for every separate identity that should be independent
from an AFS perspective.

> Stanford has done this, but it's been so long I've forgotten the exact
> details.

We do two things:

* We use a hacked suexec binary that creates a PAG and uses a keytab to
  obtain Kerberos credentials and AFS tokens.

* We work around a limitation in the Apache suexec support by using a
  tiny Apache module that sets the suexec user to the value of an
  environment variable (set with mod_rewrite).  Without this glue, you
  have to have an Apache configuration that explicitly configures the
  user, which for our particular use case wasn't possible.

The code isn't published publicly so far as I know, but I can send it to
people who are interested.  It's not something into which we've ever put
the effort to make it general software, so you'll probably need to fiddle
with it to get it to work elsewhere.

-- 
Russ Allbery ([email protected])             <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
