Accessing AFS through the Web with Waklog

Jarod Malestein and Willie Northway

ITCS/UMCE

University of Michigan

2006 AFS & Kerberos Best Practices Workshop

mod_waklog: What it is

  • Web AFS Kerberos Login
  • Apache 1 module
  • Written in C

mod_waklog: What it does

  • Similar to aklog
  • Makes an AFS token from Kerberos credentials
  • Apache runs with the user's AFS token
  • Allows access to AFS with a web browser

mod_waklog: How it works

  • Standard Apache module
  • Relies on an authentication module
    • KRB5CCNAME
  • Acts at key points in Apache request-response cycle
    • URI translation
    • use keytab
      • stat()
    • unlog
    • Access control
    • Authentication
    • Authorization
    • MIME type checking
    • use user's Kerberos credential
    • Response phase
    • Logging phase
    • Cleanup phase
    • unlog as user
  • User sees web page!

mod_waklog: demo

Alternatives?

  • authkrb5afs.pm
    • Integrated solution
  • mod_waklog is modular; it will work with other authN solutions
    • As long as they provide KRB5CCNAME

mod_waklog: Caveats

  • configure
  • Apache 2
  • "Private" web sites need a keytab for the web server
    • fs sa . itdwww rl

mod_waklog: requirements

  • Your favorite Unix variant
    • We use Linux 2.4.31
  • AFS
  • Kerberos V
  • Apache 1.x
    • We run 1.3.34
  • AuthN module
    • mod_cosign, mod_auth_kerb
  • Proper configuration

WebDAV

  • It works with waklog, and we currently have it running on a test server
    • Berkeley also has WebDAV running with mod_waklog
  • Implementation:
    • Directive dav-enable: specifies the directory it should be turned on for: /afs/umich.edu/
    • Set up aliases for groups, class, and user
  • Currently running on Apache 1.3.36, with mod_dav 1.0.3
  • Haven't tried mod_dav with Apache 2 yet
    • it probably works with pre-forking
  • For authentication, we use mod_auth_kerb

WebDAV issues:

We may move to a pilot phase after resolving some issues:

  • files with sizes above 400MB don't work
    • This seems to be a timeout issue, but it's still unresolved
  • versioning uses a local lock file
    • lock file is on the webserver's local disk
    • WebDAV's locking isn't compatible with AFS locks
    • perhaps it's fixed with mod_davfs (or SQL version)

more WebDAV issues:

  • mod_userdir doesn't work
    • this means we can't use ~username
    • must specify path with servername: https://webdav-test.www.umich.edu/user/u/s/username
  • WebDAV doesn't work with cosign
    • a WebDAV client isn't a browser: it doesn't understand HTML or redirects
    • clients only authenticate with something that acts like BasicAuth, or SSL mutual authentication. UM doesn't have a PKI
  • we don't yet know who our audience will be, or how they'll use it

web-based file manager

  • We initially deployed Horde's Gollem as a file manager...
    • wasn't designed with AFS in mind
    • needs the Horde framework
    • doesn't support ~user

Filedrawers

So we wrote filedrawers...

    • feel free to try it out right now
    • username: cartelza password: simplepw
  • used OO PHP, Smarty, and JavaScript for DOM scripting, and a touch of C
  • user testing for UI refinements
    • interviewed volunteers in the usability lab with task-oriented tests
    • analyzed common difficulties or misconceptions
    • discussed feedback and the most requested features
    • altered the interface
  • rolled out the mfile service: mfile.umich.edu

Filedrawers is a file manager

new folder

manages files and directories

  • list
  • download
  • rename
  • delete
  • new folder
  • move (files and folders)

File Manager (part 2)

file upload

upload files

  • supports multiple files at once
  • animated progress bar

Filedrawers: view files

view image

view files with supported mime types

  • plain text, html, source code (c, php, js, css, etc.)
  • images: gif, jpg, png
  • audio files such as mp3 and aiff
  • video: mpeg, or quicktime
  • shockwave / flash
  • we have plans to add a text editor

Filedrawers: manage permissions

manage permissions

powerful permissions manager for AFS ACLs

  • reduces the need for training, since users don't need to memorize syntax and parameters
  • we'd like to add a collection of simpler utilities...
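
A sketch of the check a permissions manager can run for users, tied to the "private" web site caveat above (`fs sa . itdwww rl`). This is an added example, not filedrawers or mod_waklog code: the function names and the sample ACLs are constructed for illustration, and the rights letters are the standard AFS directory rights as printed by `fs listacl`.

```python
# Added example: audit `fs listacl` output for a "private" web directory.
# Rights letters are the standard AFS directory rights; sample ACLs are constructed.
RIGHTS = {"r": "read", "l": "lookup", "i": "insert", "d": "delete",
          "w": "write", "k": "lock", "a": "administer"}

def parse_listacl(text):
    """Parse `fs listacl` output into {'normal': {who: rights}, 'negative': {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            section = "normal"
        elif line.startswith("Negative rights"):
            section = "negative"
        elif section and line:
            who, _, rights = line.rpartition(" ")
            acl[section][who.strip()] = rights
    return acl

def describe(rights):
    """Spell out a rights string, e.g. 'rl' -> 'read, lookup'."""
    return ", ".join(RIGHTS[c] for c in rights if c in RIGHTS)

def effective(acl, who):
    """Rights on who's own entries minus negative rights (group membership not resolved)."""
    return set(acl["normal"].get(who, "")) - set(acl["negative"].get(who, ""))

def audit_private_site(text, web_principal="itdwww"):
    """Findings for a directory that should be readable only through the web server."""
    acl = parse_listacl(text)
    findings = []
    if "r" in effective(acl, "system:anyuser"):
        findings.append("system:anyuser can read files, so the directory is not private")
    have = effective(acl, web_principal)
    missing = "".join(c for c in "rl" if c not in have)
    extra = "".join(c for c in "idwka" if c in have)
    if missing:
        findings.append(f"{web_principal} lacks {describe(missing)}")
    if extra:
        findings.append(f"{web_principal} also has {describe(extra)}; the slide grants only rl")
    return findings

# Constructed samples: one world-readable with an over-privileged web principal, one clean.
SAMPLE_WEAK = "Access list for . is\nNormal rights:\n  system:anyuser rl\n  itdwww rlidwk\n"
SAMPLE_OK = "Access list for . is\nNormal rights:\n  system:anyuser l\n  itdwww rl\n"

if __name__ == "__main__":
    for finding in audit_private_site(SAMPLE_WEAK):
        print(finding)
```
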

Filedrawers: make webspace

make webspace

  • creates necessary directories
  • sets (or fixes) permissions
  • copies over an XHTML-compliant file as an example for users to get started

Filedrawers: allow support

allow support

allows users to give departmental support staff administrative access to their personal space

Both packages are open source

  • we received many requests for the source, so we moved both the waklog and filedrawers packages to SourceForge
  • we've heard that 3-4 other institutions have successfully brought up filedrawers
  • unfortunately, an extensive amount of umich branding and local configuration is hard-coded
    • we hope to remove these so that broader adoption can occur more easily
  • We have big plans for the future! ;)
  • If anyone would like to help out, please let us know.

Project websites
