On 10.10.2015 at 02:26, Måns Nilsson wrote:
> Subject: Re: [OpenAFS] Apache2 and OpenAFS
> Date: Thu, Oct 08, 2015 at 04:49:16PM +0200
> Quoting Andreas Ladanyi (andreas.lada...@kit.edu):
>> I found it is possible in Apache 2 to work with the mod_waklog module,
>> which does the kinit / aklog magic:
>>
>> http://www.modwaklog.org/
>>
>> Following the instructions on the following blog works:
>>
>> https://blog.inf.ed.ac.uk/toby/2009/02/04/serving-afs-space-using-apache-and-mod_waklog
>
> Yes, that is one option, and it is really attractive for accessing
> data that needs to carry an ACL that is similar regardless of access
> method. I've been meaning to set it up for myself for ages.
>
> However, when you want the server to have more access than both the
> generic AFS user _and_ the web client, the method outlined by Harald
> works better.

What is the generic AFS user? Are you talking about the AFS user Apache is running as, like wwwrun?

> The best example for this probably is the cgi-bin directory and all those
> places you have to expose PHP code to the world. You want the directory
> to reside in AFS, because files should be in AFS (sortakinda preaching
> to the choir here) but you want to set a fairly restrictive ACL on the
> data, granting only developers, sysadmins and the running web server
> access.

I am not sure if I understand you correctly. I think it is possible to set different AFS user / group entries on the ACL of an AFS directory (which contains web content)? So the web server, developers and sysadmins could access this directory.

> OTOH, the product of running the code through the web server
> should be accessible to anyone.

You are talking about users who are not in the AFS pts database when you say "anyone"?

> There of course might be another access
> control system in play, like login in a web app.
>
> Thus, the admittedly much coarser method giving the web server a
> ticket->token context works much better. The two methods are different
> and have differing uses.
>

regards,
Andreas
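The two ACL layouts Måns contrasts (a restrictive one on the code directory, a world-readable one on the server's output) can be spelled out with the standard OpenAFS pts and fs commands. The script below is an added example, not code from this thread, from mod_waklog or from the linked blog post. Every name in it is an assumption: the web server's AFS identity (obtained from its keytab via kinit + aklog) is called wwwrun, an admin user webadmin owns the groups webadmin:devs and webadmin:sysadmins, and the web tree lives under /afs/example.org/www. By default it only prints the commands it would run; set AFS_APPLY=1 on a host with an AFS client and admin tokens to apply them.

```shell
#!/bin/sh
# Added example, not code from the OpenAFS thread, mod_waklog or the blog post.
# Lays out two AFS ACLs: a code directory (cgi-bin / PHP sources) readable only
# by developers, sysadmins and the web server's own AFS identity, and an output
# directory that anyone may read.
#
# Assumptions (none of these names appear in the original mail):
#   - the web server's AFS identity (keytab -> kinit -> aklog) is "wwwrun"
#   - admin user "webadmin" owns pts groups "webadmin:devs" / "webadmin:sysadmins"
#   - the web tree lives under /afs/example.org/www
# Commands are only printed unless AFS_APPLY=1 is set.

WEB_USER="${WEB_USER:-wwwrun}"
GROUP_OWNER="${GROUP_OWNER:-webadmin}"
DEV_GROUP="${DEV_GROUP:-${GROUP_OWNER}:devs}"
ADMIN_GROUP="${ADMIN_GROUP:-${GROUP_OWNER}:sysadmins}"
WWW_ROOT="${WWW_ROOT:-/afs/example.org/www}"

# Execute the command, or just print it in the default dry-run mode.
run() {
    if [ "${AFS_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rights letters: r(ead) l(ookup) i(nsert) d(elete) w(rite) k(lock) a(dminister).
# Code directory: no system:anyuser entry at all, so anonymous clients (and any
# user outside the two groups) cannot even list it. The server gets read+lookup
# only: it must not be able to modify the code it executes.
code_dir_acl() {
    printf '%s rlidwk %s rlidwka %s rl' "$DEV_GROUP" "$ADMIN_GROUP" "$WEB_USER"
}

# Output directory: anyone may read, the server may write what it produces.
public_dir_acl() {
    printf '%s rlidwk %s rlidwka %s rlidwk system:anyuser rl' \
        "$DEV_GROUP" "$ADMIN_GROUP" "$WEB_USER"
}

setup_groups() {
    run pts creategroup -name "$DEV_GROUP" -owner "$GROUP_OWNER"
    run pts creategroup -name "$ADMIN_GROUP" -owner "$GROUP_OWNER"
    # Constructed sample members; replace with real pts user names.
    run pts adduser -user alice -group "$DEV_GROUP"
    run pts adduser -user bob -group "$ADMIN_GROUP"
}

# -clear replaces the whole ACL instead of merging with whatever is there,
# which matters when the directory inherited "system:anyuser rl" from its
# parent at creation time. The unquoted $(...) is deliberate: fs expects the
# entries as separate words.
apply_acls() {
    run fs setacl -dir "$WWW_ROOT/cgi-bin" -clear -acl $(code_dir_acl)
    run fs setacl -dir "$WWW_ROOT/htdocs/generated" -clear -acl $(public_dir_acl)
}

# AFS ACLs are per directory and are copied only when a directory is created,
# so subdirectories that already exist under the code tree need the same ACL.
apply_code_acl_recursive() {
    find "$1" -type d | while read -r d; do
        run fs setacl -dir "$d" -clear -acl $(code_dir_acl)
    done
}

show_acls() {
    run fs listacl -path "$WWW_ROOT/cgi-bin"
    run fs listacl -path "$WWW_ROOT/htdocs/generated"
}

setup_groups
apply_acls
show_acls
```

Two checks worth doing after applying this for real: `fs listacl` on both directories should show no system:anyuser entry on the code directory, and a token-less client (or `unlog` followed by `ls`) should get "Permission denied" there while still being able to read the generated tree. Members of system:administrators keep implicit administer and lookup rights on every directory, so clearing the ACL cannot lock the cell admins out. Note that this models the coarser "server holds one token" setup Måns describes; with mod_waklog the token presented to the file server is the browsing user's, so the web server's own identity does not need to appear in the ACL at all.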