| 1 | INTRO |
| 2 | |
| 3 | mod_waklog is an Apache module that provides aklog-like semantics |
| 4 | for the web. mod_waklog will acquire (and store in the kernel) an |
| 5 | AFS credential when a connection is opened, use the credential for |
| 6 | the duration of the connection, and will remove the credential when |
| 7 | the connection is closed. |
| 8 | |
| 9 | mod_waklog allows you to permit directories using AFS ACLs, and access |
| 10 | them via a web browser. An ACL of "umweb:servers rl" is required for |
| 11 | each mod_waklog-protected directory. |
| 12 | |
| 13 | mod_waklog allows scripts to run as you. Programs which use AFS |
| 14 | credentials to authenticate themselves do so as you. |
| 15 | |
| 16 | mod_waklog often is used with mod_cosign, and uses the cosign-provided |
| 17 | krbtgt to acquire an AFS credential; this extends single signon to AFS |
| 18 | via the web. |
| 19 | |
| 20 | PHASES |
| 21 | |
| 22 | Apache processes a request in multiple phases. |
| 23 | |
| 24 | mod_waklog runs at phase 0 to acquire credentials via a keytab, and |
| 25 | runs at phase 2 to remove the credentials. |
| 26 | |
| 27 | mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt |
| 28 | is referenced via KRB5CCNAME (e.g., set by mod_cosign). |
| 29 | |
| 30 | mod_waklog runs at connection termination to remove the credentials |
| 31 | it acquired at phase 0 or phase 7. |
| 32 | |
| 33 | Apache calls stat() between phase 1 and phase 2 to determine if it |
| 34 | has access to the directory; if it doesn't have read access at that |
| 35 | point, it won't try to read it again, even if later phases would |
| 36 | acquire credentials which would allow it to do so. mod_waklog |
| 37 | acquires an afs credential for a principal in the pts group |
| 38 | umweb:servers at phase 0, and removes this credential at phase 2; |
| 39 | directories permitted "umweb:servers rl" will allow the stat() call |
| 40 | to succeed. |