Subject: Re: [OpenAFS] Apache2 and OpenAFS
Date: Thu, Oct 08, 2015 at 04:49:16PM +0200

Quoting Andreas Ladanyi ([email protected]):
> I found the possibility in Apache 2 to work with the mod_waklog module
> which does the kinit / aklog magic:
>
> http://www.modwaklog.org/
>
> Following the instructions on the following blog works:
>
> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog

Yes, that is one option, and it is really attractive for accessing data that needs to carry an ACL that is similar regardless of access method. I've been meaning to set it up for myself for ages.

However, when you want the server to have more access than both the generic AFS user _and_ the web client, the method outlined by Harald works better.

The best example for this probably is the cgi-bin directory and all those places you have to expose PHP code to the world. You want the directory to reside in AFS, because files should be in AFS (sortakinda preaching to the choir here) but you want to set a fairly restrictive ACL on the data, granting only developers, sysadmins and the running web server access. OTOH, the product of running the code through the web server should be accessible to anyone. There of course might be another access control system in play, like login in a web app.

Thus, the admittedly much coarser method giving the web server a ticket->token context works much better.

The two methods are different and have differing uses.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm thinking about DIGITAL READ-OUT systems and computer-generated IMAGE FORMATIONS ...
