[hcoop/debian/openafs.git] / src / afsweb / WebSecure_Design.txt

Copyright 2000, International Business Machines Corporation and others.
All Rights Reserved.

This software has been released under the terms of the IBM Public
License.  For details, see the LICENSE file in the top-level source
directory or online at http://www.openafs.org/dl/license10.html

			AFS WEB SECURE DESIGN DOCUMENT


Functionality (common to both Servers)

Any URL beginning with /afs is handled by the plug-in. If a username and 
password accompanies the request then the plug-in attempts to authenticate 
the user with AFS and uses that token for serving the request. 
However in the absense of any Authentication header it attempts to serve 
the request as it normally would (without the plug-in). If the request 
returns an OK status, the document is served as is. If it returns HTTP 
status FORBIDDEN, then the plug-in responds with an AUTHENTICATION_REQUIRED 
response with a part of the URL giving the /afs/<cell_name> as the part of
the WWW-Authenticate header.


Netscape Enterprise Server Plug-in

The Netscape Server is multithreaded (each incoming HTTP request is 
handled by a thread). This design led to the requirement of per thread 
authentication credentials for AFS, (without which there would be one common 
token for all the threads handling requests for possibly different users).
Since the AFS kernel cache manager only provides per process authentication 
credentials (using Process Authentication Groups or PAG's), the plug-in 
required a user-space cache manager. Within this user space cache manager 
a data structure stores the authentication credentials in a manner similar 
to PAG's (first two bits used). The user space cache manager provides the 
capability of per thread authentication required for the Netscape Server. 


The Netscape Server API provides an initialization routine using which the
user space cache manager is started up. Unlike the Apache Server plug-in, the
Netscape AFS Web Secure Server does not have to be on an AFS client machine.
Configuration files permit the administrator to specify disk cache directories
other than that used by any other cache managers. Therefore it is possible
to have more than one user space cache manager running on the same machine 
along with a kernel cache manager.

The configuration allows the administrator to specify what URL it should
look for files in AFS. Tokens for user credentials are obtained and cached
in the user-space cache manager, which essentially is a port of the kernel 
cache manager into user-space.


Apache Server Module

The Apache Server software provides an API for adding modules to the web server
and for creating handlers for requests. AFS Web Secure for Apache is built as
a standard Apache module (mod_afs.c) along with a library (libapacheafs.a) and
two binaries (weblog_starter and weblog).

The web server is not multithreaded but each request is served by child 
processes (the number of which is configurable). AFS Authentication requires
each child process to communicate with the weblog process over a UNIX pipe
(file locking is used to provide exclusive access to the pipe). The child
processes send authentication credentials (username, password and cellname)
to the weblog process which authenticates the user with AFS using the 
ka_AuthenticateUserGeneral system call (as in klog). Once an AFS token is 
obtained it gets the token fro the cache manager using the lpioctl system
call and sends the token back to the child process that requested it.
Note that since AFS permits one token per cell per PAG, it is essential for
each of the child processes to be in a unique PAG. The lsetpag system call
is used on startup to ensure each child process and the weblog process  
belong to a unique PAG. Once the child process obtains the token from the 
weblog process it sets it using the lpioctl system call to set a token. It
can then access files in AFS with the appropriate ACL's.

Caching of tokens is done at two levels - the weblog process caches all tokens
for all user credentials that it recieves from all Apache child processes. 
Each child process in turn caches the credentials it recieves. Token times
are configurable using the SetAFSCacheExpiration directive. The kernel cache
manager may cache tokens for the time specified using the SetAFSTokenExpiration
directive. This is similar to using klog -lifetime <time>. 

The sequence of events for AFS authentication is :

On startup the web-server creates two pipes and spawns the weblog_starter 
process (nanny process to watch over the weblog process and restart it or log
an error in case it dies), which in turn starts up the weblog process with
the pipes' file descriptors (inherited) as command line parameters.

Apache Server Process recieves request and hands it to a child process

Child process checks to see if request should be handled by Web Secure
(using a configurable parameter set using the SetAFSLocation directive)

If Authentication credentials accompany the request, the child process checks
its local cache for a matching (username, password, cellname, checksum) token.
If one is found it sets the token using lpioctl and attempts to serve the 
request normally. If no token is found in the local cache, it sends a request
to the weblog process over the pipe (again inherited) consisting of a username
password and cellname after locking the pipe for exclusive access. The weblog
process checks it's own cache or obtains a token after authentication if 
the cache lookup fails, and sends the token back to the child process which 
caches it and sets it (lpioctl).

The child process then serves the document normally.

All the web server-side communication and system calls are in the 
libapacheafs.a library, except for the "hook" to plug-in to the apache source 
which is in mod_afs.c for which the source code must be provided. The library
libapacheafs.a consists of the following object files:

apache_afs_plugin.o - Initialization routines - interface to calls in 
		      apache_afs_client.o. Lies in between mod_afs.o and
		      apache_afs_client.o. 
		  
apache_afs_client.o - Apache child process functionality for obtaining
		      the user credentials from the HTTP request, getting
		      and caching AFS tokens, communicating with the weblog
		      process.

apache_afs_utils.o  - wrapper around pioctl and setpag system calls and 
		      debugging utilities common to both weblog and apache plug
		      in.

apache_afs_cache.o  - token caching routines common to weblog and apache 
		      plug-in

In order to use the pioctl and setpag system calls the web server binary must
link to libsys.a which is usually in /usr/afsws/lib/afs/ on AFS client machines
Commit	Line	Data
805e021f CE	1	Copyright 2000, International Business Machines Corporation and others.
	2	All Rights Reserved.
	3
	4	This software has been released under the terms of the IBM Public
	5	License. For details, see the LICENSE file in the top-level source
	6	directory or online at http://www.openafs.org/dl/license10.html
	7
	8	AFS WEB SECURE DESIGN DOCUMENT
	9
	10
	11	Functionality (common to both Servers)
	12
	13	Any URL beginning with /afs is handled by the plug-in. If a username and
	14	password accompanies the request then the plug-in attempts to authenticate
	15	the user with AFS and uses that token for serving the request.
	16	However in the absense of any Authentication header it attempts to serve
	17	the request as it normally would (without the plug-in). If the request
	18	returns an OK status, the document is served as is. If it returns HTTP
	19	status FORBIDDEN, then the plug-in responds with an AUTHENTICATION_REQUIRED
	20	response with a part of the URL giving the /afs/<cell_name> as the part of
	21	the WWW-Authenticate header.
	22
	23
	24	Netscape Enterprise Server Plug-in
	25
	26	The Netscape Server is multithreaded (each incoming HTTP request is
	27	handled by a thread). This design led to the requirement of per thread
	28	authentication credentials for AFS, (without which there would be one common
	29	token for all the threads handling requests for possibly different users).
	30	Since the AFS kernel cache manager only provides per process authentication
	31	credentials (using Process Authentication Groups or PAG's), the plug-in
	32	required a user-space cache manager. Within this user space cache manager
	33	a data structure stores the authentication credentials in a manner similar
	34	to PAG's (first two bits used). The user space cache manager provides the
	35	capability of per thread authentication required for the Netscape Server.
	36
	37
	38	The Netscape Server API provides an initialization routine using which the
	39	user space cache manager is started up. Unlike the Apache Server plug-in, the
	40	Netscape AFS Web Secure Server does not have to be on an AFS client machine.
	41	Configuration files permit the administrator to specify disk cache directories
	42	other than that used by any other cache managers. Therefore it is possible
	43	to have more than one user space cache manager running on the same machine
	44	along with a kernel cache manager.
	45
	46	The configuration allows the administrator to specify what URL it should
	47	look for files in AFS. Tokens for user credentials are obtained and cached
	48	in the user-space cache manager, which essentially is a port of the kernel
	49	cache manager into user-space.
	50
	51
	52
	53	Apache Server Module
	54
	55	The Apache Server software provides an API for adding modules to the web server
	56	and for creating handlers for requests. AFS Web Secure for Apache is built as
	57	a standard Apache module (mod_afs.c) along with a library (libapacheafs.a) and
	58	two binaries (weblog_starter and weblog).
	59
	60	The web server is not multithreaded but each request is served by child
	61	processes (the number of which is configurable). AFS Authentication requires
	62	each child process to communicate with the weblog process over a UNIX pipe
	63	(file locking is used to provide exclusive access to the pipe). The child
	64	processes send authentication credentials (username, password and cellname)
65	to the weblog process which authenticates the user with AFS using the
66	ka_AuthenticateUserGeneral system call (as in klog). Once an AFS token is
67	obtained it gets the token fro the cache manager using the lpioctl system
68	call and sends the token back to the child process that requested it.
69	Note that since AFS permits one token per cell per PAG, it is essential for
70	each of the child processes to be in a unique PAG. The lsetpag system call
71	is used on startup to ensure each child process and the weblog process
72	belong to a unique PAG. Once the child process obtains the token from the
73	weblog process it sets it using the lpioctl system call to set a token. It
74	can then access files in AFS with the appropriate ACL's.
75
76	Caching of tokens is done at two levels - the weblog process caches all tokens
77	for all user credentials that it recieves from all Apache child processes.
78	Each child process in turn caches the credentials it recieves. Token times
79	are configurable using the SetAFSCacheExpiration directive. The kernel cache
80	manager may cache tokens for the time specified using the SetAFSTokenExpiration
81	directive. This is similar to using klog -lifetime <time>.
82
83	The sequence of events for AFS authentication is :
84
85	On startup the web-server creates two pipes and spawns the weblog_starter
86	process (nanny process to watch over the weblog process and restart it or log
87	an error in case it dies), which in turn starts up the weblog process with
88	the pipes' file descriptors (inherited) as command line parameters.
89
90	Apache Server Process recieves request and hands it to a child process
91
92	Child process checks to see if request should be handled by Web Secure
93	(using a configurable parameter set using the SetAFSLocation directive)
94
95	If Authentication credentials accompany the request, the child process checks
96	its local cache for a matching (username, password, cellname, checksum) token.
97	If one is found it sets the token using lpioctl and attempts to serve the
98	request normally. If no token is found in the local cache, it sends a request
99	to the weblog process over the pipe (again inherited) consisting of a username
100	password and cellname after locking the pipe for exclusive access. The weblog
101	process checks it's own cache or obtains a token after authentication if
102	the cache lookup fails, and sends the token back to the child process which
103	caches it and sets it (lpioctl).
104
105	The child process then serves the document normally.
106
107	All the web server-side communication and system calls are in the
108	libapacheafs.a library, except for the "hook" to plug-in to the apache source
109	which is in mod_afs.c for which the source code must be provided. The library
110	libapacheafs.a consists of the following object files:
111
112	apache_afs_plugin.o - Initialization routines - interface to calls in
113	apache_afs_client.o. Lies in between mod_afs.o and
114	apache_afs_client.o.
115
116	apache_afs_client.o - Apache child process functionality for obtaining
117	the user credentials from the HTTP request, getting
118	and caching AFS tokens, communicating with the weblog
119	process.
120
121	apache_afs_utils.o - wrapper around pioctl and setpag system calls and
122	debugging utilities common to both weblog and apache plug
123	in.
124
125	apache_afs_cache.o - token caching routines common to weblog and apache
126	plug-in
127
128	In order to use the pioctl and setpag system calls the web server binary must
129	link to libsys.a which is usually in /usr/afsws/lib/afs/ on AFS client machines
130
131
132
133
134
135
136
137
138