On Wed, 12 Dec 2012, Andrew Deason wrote:
On Wed, 12 Dec 2012 15:44:29 +0100
Michal Švamberg <[email protected]> wrote:
Is there some reasonable advice, how to separate virtual web
servers on AFS from each others?
In addition to what Stanford does, MIT does (or used to do) something
somewhat similar with their 'scripts' site. It's not simple, and I don't
really remember how it works, but they have a page describing it here:
<http://scripts.mit.edu/wiki/Technical_overview_of_scripts.mit.edu>
Scripts is interesting because it is done with little/no coordination with
central IT. I believe the setup that Russ describes is done with the
coordination of central IT, so it can be a little more elegant. For
Scripts, there is a single PTS identity for the entire service, which has
read/write permissions on a subdirectory in user volumes (granted when the
user signs up for the service. A kernel module patch on the web servers
enforces privilege separation between sites. I suppose an IP acl could
perform the same role as the 'daemon.scripts' identity does at MIT, though
IP acls have the occasional subtlety that is not present for normal
principals.
Mail to [email protected] will open a ticket for tracking more conversation
about the technical details, if you are interested. Do note that
scripts.mit.edu is a student-run service, and final examinations are next
week, so the response time may not be great right away.
-Ben Kaduk
