I found the possibility in Apache 2 to work with the mod_waklog module
which does the kinit / aklog magic:

http://www.modwaklog.org/

Following the instructions on the following blog works:

https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog

Yes, that is one option, and it is really attractive for accessing
data that needs to carry an ACL that is similar regardless of access
method. I've been meaning to set it up for myself for ages.

However, when you want the server to have more access than both the
generic AFS user _and_ the web client, the method outlined by Harald
works better.

I'm not sure I understand what you are saying there. AIUI Harald's method means that apache runs as the single PTS ID that you've configured. We get that behaviour with the WaklogDefaultPrincipal directive.

As you've discovered from that old blog post, we use ModWakLog with our Apache (2.2) and AFS. The post pretty much covers what we do, but recently we've been using the

  WaklogLocationPrincipal

directive, so we can have things like:

WaklogDefaultPrincipal  afsweb/toaster-srv.inf.ed.ac.uk /etc/https/keytabs/afsweb.keytab
<Location /roger>
  WaklogLocationPrincipal  roger/sweb /etc/httpd/keytabs/roger-sweb.keytab
</Location>
<Location /neilb>
  WaklogLocationPrincipal  neilb/sweb /etc/httpd/keytabs/neilb-sweb.keytab
</Location>

So generally the web server has access to any AFS space that the PTS entry "afsweb/toaster-srv.inf.ed.ac.uk" has ACL access to, but for /roger or /neilb, it gets the corresponding "roger.sweb" or "neilb.sweb" PTS entry. So the ACL for the directory that maps to /neilb can look like this:

Access list for . is
Normal rights:
  system:administrators rlidwka
  neilb rlidwk
  neilb.sweb rl

Meaning regular me has the usual full access, but accessed via the web, "neilb.sweb" only has read access. No one else with file level access can see my lovingly crafted HTML/CGI!

Neil
--
 Neil Brown - Computing Officer - Inf Forum 2.43 | Neil.Brown @ ed. ac. uk
 School of Informatics, University of Edinburgh  | Tel: +44 131 6504422
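As an added check (example code written for this thread, not from the post or from mod_waklog): a small Python audit that parses `fs listacl` output and flags any ".sweb"-style web principal holding more than read and lookup (rl), or a system:anyuser / system:authuser entry in the normal rights, which would defeat the "no one else can see it" property described above. The ".sweb" suffix, the placeholder paths and the sample listing are assumptions.

```python
import re

# A per-Location web principal (e.g. "neilb.sweb") should hold read and lookup only;
# any further right would let content served via the web also be modified via the web.
ALLOWED_WEB_RIGHTS = set("rl")
WEB_PRINCIPAL_SUFFIX = ".sweb"   # naming convention used in the post (assumption)
WIDE_GROUPS = {"system:anyuser", "system:authuser"}   # would expose the directory to everyone

# Constructed sample in the format `fs listacl` prints; paths are placeholders and the
# second directory is deliberately misconfigured so the audit has something to report.
SAMPLE_LISTACL = """\
Access list for /afs/example.org/web/neilb is
Normal rights:
  system:administrators rlidwka
  neilb rlidwk
  neilb.sweb rl
Access list for /afs/example.org/web/roger is
Normal rights:
  system:administrators rlidwka
  roger rlidwka
  roger.sweb rlidwk
  system:anyuser rl
"""

def parse_listacl(text):
    """Parse concatenated `fs listacl` listings into {path: {"normal": {...}, "negative": {...}}}."""
    acls = {}
    path, section = None, "normal"
    for line in text.splitlines():
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            path, section = m.group(1), "normal"
            acls[path] = {"normal": {}, "negative": {}}
        elif line.endswith("rights:"):             # "Normal rights:" / "Negative rights:"
            section = line.split()[0].lower()
        elif path and line.strip():
            principal, rights = line.split()
            acls[path][section][principal] = rights
    return acls

def audit_web_acls(acls):
    """Return (path, principal, problem) for each entry that weakens the read-only web model."""
    findings = []
    for path, acl in acls.items():
        for principal, rights in acl["normal"].items():
            if principal.endswith(WEB_PRINCIPAL_SUFFIX):
                extra = "".join(c for c in rights if c not in ALLOWED_WEB_RIGHTS)
                if extra:
                    findings.append((path, principal, "extra rights: " + extra))
            elif principal in WIDE_GROUPS:
                findings.append((path, principal, "wide group: " + rights))
    return findings
```

Feed it the output of `fs listacl` run over each web directory; an empty result means every web principal is read-only and no wide group has been granted file-level access.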


_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
