Okay, this went more smoothly than I thought.
Mod_waklog is installed on mire (see package libapache-mod-waklog). I
enabled it using the Debian "apache-modconf" command and added these
lines to the very end of /etc/apache/httpd.conf as a test/example.
Nothing else was changed.
    WaklogUseAFSCell hcoop.net
    Alias /~megacz /afs/hcoop.net/user/m/me/megacz/Web/
    <Location /~megacz/>
        WaklogProtected On
        WaklogPrincipal megacz/[EMAIL PROTECTED] /etc/keytabs/cgi/megacz
    </Location>
The first line should appear only once in the file, and must come
before all AFS-related stuff but after mod_waklog is loaded. The last
five lines should be pretty self-explanatory; just duplicate them for
each user with the obvious adjustments to the path and username.
Consider the permissions on /afs/hcoop.net/user/m/me/megacz/Web/:
    $ fs la /afs/hcoop.net/user/m/me/megacz/Web/
    Access list for /afs/hcoop.net/user/m/me/megacz/Web/ is
    Normal rights:
      system:administrators rlidwka
      megacz rlidwka
      megacz.cgi rl
Currently the parent Apache process is running with no tokens. Note
that system:anyuser doesn't have "r" or "l" rights -- Apache is using
the megacz.cgi principal to serve up this directory. The tokens are
acquired on-demand and dropped once the HTTP request has been served.
IMPORTANT: the "WaklogPrincipal" line is scoped over the innermost
enclosing <Location> block. This is important to remember. It is NOT
scoped by <Directory> blocks. It applies uniformly to both static and
dynamic content.
If somebody sets up PHP or similar on mire, it should "just work" --
scripts will execute using the tokens assigned by the WaklogPrincipal
directive in the <Location> block from which they were served. Let me
know how this goes.
In the future, we can also have Apache use the HTTP Basic Auth
username/password to acquire tickets+tokens, and use THOSE credentials
(i.e. the HTTP client's credentials) to access AFS. But that shouldn't
be necessary prior to migration; right now all we need is
<Location>-derived credentials. And this should only be enabled for
SSL-protected locations. This turns out to be a great way to give
users WebDAV access to their AFS space.
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
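As an added check (not part of the message above or of the mod_waklog package), the following Python parses `fs la` output for a user's Web directory and confirms the ACL matches the setup described in the message: system:anyuser holds neither "r" nor "l", and the per-user .cgi principal is present with read-only rights. The sample listing is constructed from the output quoted above; treating any rights beyond "rl" on the .cgi principal as a review item is an assumption of this script, not a statement from the message.

```python
"""Verify AFS ACLs on directories served through mod_waklog per-user principals."""

# Constructed sample in the shape of `fs la <dir>` output (from the listing above).
SAMPLE_FS_LA = """\
Access list for /afs/hcoop.net/user/m/me/megacz/Web/ is
Normal rights:
  system:administrators rlidwka
  megacz rlidwka
  megacz.cgi rl
"""


def parse_fs_la(output):
    """Parse `fs la` text into {'normal': {entity: rights}, 'negative': {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            section = "normal"
        elif line == "Negative rights:":
            section = "negative"
        elif section is not None:
            parts = line.split()
            if len(parts) == 2:          # "<entity> <rights>"
                acl[section][parts[0]] = parts[1]
    return acl


def check_web_acl(acl, cgi_principal):
    """Return a list of findings; an empty list means the ACL matches the intended setup."""
    findings = []
    anyuser = acl["normal"].get("system:anyuser", "")
    if set(anyuser) & set("rl"):
        # World-readable directory: content is reachable without any waklog token.
        findings.append("system:anyuser has '%s'; directory is readable without tokens" % anyuser)
    cgi = acl["normal"].get(cgi_principal)
    if cgi is None:
        # Without an entry the tokens Apache acquires grant nothing on this directory.
        findings.append("%s is missing from the ACL; Apache cannot read this directory" % cgi_principal)
    elif set(cgi) - set("rl"):
        # Assumption: serving content only needs r (read) and l (lookup); flag anything more.
        findings.append("%s has '%s'; rights beyond rl should be reviewed" % (cgi_principal, cgi))
    return findings
```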