Subject: Re: [OpenAFS] Apache2 and OpenAFS
Date: Mon, Oct 12, 2015 at 03:07:59PM +0200
Quoting Andreas Ladanyi ([email protected]):

> On 10.10.2015 at 02:26, Måns Nilsson wrote:
> > Subject: Re: [OpenAFS] Apache2 and OpenAFS
> > Date: Thu, Oct 08, 2015 at 04:49:16PM +0200
> > Quoting Andreas Ladanyi ([email protected]):
> >> I found the possibility in Apache 2 to work with the mod_waklog module
> >> which does the kinit / aklog magic:
> >>
> >> http://www.modwaklog.org/
> >>
> >> Following the instructions on the following blog works:
> >>
> >> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog
> > Yes, that is one option, and it is really attractive for accessing
> > data that needs to carry an ACL that is similar regardless of access
> > method. I've been meaning to set it up for myself for ages.
> >
> > However, when you want the server to have more access than both the
> > generic AFS user _and_ the web client, the method outlined by Harald
> > works better.
> What is the generic AFS user? Are you talking about the AFS user apache
> is running like wwwrun?

system:anyuser, mostly.

> > The best example for this probably is the cgi-bin directory and all those
> > places you have to expose PHP code to the world. You want the directory
> > to reside in AFS, because files should be in AFS (sortakinda preaching
> > to the choir here) but you want to set a fairly restrictive ACL on the
> > data, granting only developers, sysadmins and the running web server
> > access.
> I am not sure if I understand you correctly. I think it is possible to
> set different AFS user / group entries on an AFS directory (which
> contains web content) ACL? So webserver, developers and sysadmins could
> access this directory.

Yes. The idea here is that I want the directory to be protected but still
in AFS. To do this and allow the web server access, I must get credentials
to the web server process -- and that means creating a principal and pt
entry for the webserver, and starting the web server so that it can use
the principal and get a token.

> > OTOH, the product of running the code through the web server
> > should be accessible to anyone.
> You are talking about users which are not in the AFS pts database if
> you say "anyone"?

Yes and no, not directly actually, I mean web browsers connecting to the
web server without having a Kerberos ticket. They are unauthenticated from
an AFS point of view, and they access the data over HTTP, but this might
actually be what the sysadmin wants ;-)

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
I'm using my X-RAY VISION to obtain a rare glimpse of the INNER
WORKINGS of this POTATO!!
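The procedure Måns describes above (a pts entry and Kerberos principal for the web server, a restrictive ACL on the cgi-bin directory, and Apache started with a token of its own) as an added example script, not code from the thread or from OpenAFS. Cell name, principal, keytab path and the developer group are assumed and hypothetical, and the `fs listacl` output embedded at the bottom is constructed so that the anonymous-access check can be exercised offline:

```shell
#!/bin/sh
# Added example, not from the thread: give the web server its own AFS
# identity, lock down the cgi-bin directory, and verify the result.
# Assumed names (hypothetical): cell example.org, principal "webserver",
# keytab /etc/apache2/webserver.keytab, pts group "www-devs".
set -eu

WEB_PTS="${WEB_PTS:-webserver}"          # pts user = Kerberos principal, no instance part
KEYTAB="${KEYTAB:-/etc/apache2/webserver.keytab}"
DEV_GROUP="${DEV_GROUP:-www-devs}"
DOCROOT="${DOCROOT:-/afs/example.org/www/cgi-bin}"

# Print the rights system:anyuser holds in the "Normal rights" section of
# `fs listacl` output read from stdin, or "none" if it has no entry there.
# An entry under "Negative rights" grants nothing, so it is ignored.
anyuser_rights() {
    awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Succeed only when unauthenticated AFS clients get nothing from the directory.
assert_not_anonymous() {
    [ "$(anyuser_rights)" = "none" ]
}

# 1. pts entry for the web server's principal (the KDC principal and its
#    keytab are created separately with the site's kadmin workflow).
create_identity() {
    pts createuser "$WEB_PTS"
}

# 2. Replace the ACL outright (-clear) so an inherited "system:anyuser rl"
#    cannot survive: admins, developers and the web server, nobody else.
#    The web server only needs to read the scripts, hence "rl".
set_acl() {
    fs setacl -dir "$DOCROOT" -clear -acl \
        system:administrators rlidwka \
        "$DEV_GROUP" rlidwk \
        "$WEB_PTS" rl
}

# 3. Start Apache inside a fresh PAG holding the web server's token, so the
#    token belongs to the server's process tree rather than to the admin
#    who ran this script. MIT kinit syntax is assumed; Heimdal's kinit
#    obtains the AFS token itself, making the aklog step unnecessary.
start_apache_with_token() {
    pagsh -c "kinit -k -t '$KEYTAB' '$WEB_PTS' && aklog && exec apache2ctl start"
}

# 4. Confirm the ACL before exposing the URL.
verify_acl() {
    fs listacl "$DOCROOT" | assert_not_anonymous
}

# Constructed `fs listacl` output (not captured from a real cell), used to
# exercise the check without an AFS client.
SAMPLE_OPEN='Access list for /afs/example.org/www/cgi-bin is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  webserver rl'

SAMPLE_LOCKED='Access list for /afs/example.org/www/cgi-bin is
Normal rights:
  system:administrators rlidwka
  www-devs rlidwk
  webserver rl
Negative rights:
  system:anyuser rl'

# Only touch the cell when explicitly asked: `sh this-script.sh apply`.
if [ "${1:-}" = apply ]; then
    create_identity
    set_acl
    verify_acl
    start_apache_with_token
fi
```

Two caveats a practitioner will hit: the token obtained in step 3 expires with the Kerberos ticket, and a renewal has to happen inside the same PAG as the running server (a cron job lives in a different PAG), which is the problem tools such as k5start from the kstart package exist to solve; and because the ACL gives the web server only `rl`, anything the scripts need to write at runtime must live in a different directory with its own ACL, not in cgi-bin.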
