[hcoop/zz_old/modwaklog.git] / README

INTRO

mod_waklog is an Apache module that provides aklog-like semantics
for the web.  mod_waklog will acquire (and store in the kernel) an
AFS credential when a connection is opened, use the credential for
the duration of the connection, and will remove the credential when
the connection is closed.

mod_waklog allows you to permit directories using AFS ACLs, and access
them via a web browser.  An ACL of "umweb:servers rl" is required for
each mod_waklog-protected directory.

mod_waklog allows scripts to run as you.  Programs which use AFS
credentials to authenticate themselves do so as you.

mod_waklog often is used with mod_cosign, and uses the cosign-provided
krbtgt to acquire an AFS credential; this extends single signon to AFS
via the web.

PHASES

Apache processes a request in multiple phases.

mod_waklog runs at phase 0 to acquire credentials via a keytab, and
runs at phase 2 to remove the credentials.

mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
is referenced via KRB5CCNAME (e.g., set by mod_cosign).

mod_waklog runs at connection termination to remove the credentials
it acquired at phase 0 or phase 7.

Apache calls stat() between phase 1 and phase 2 to determine if it
has access to the directory; if it doesn't have read access at that
point, it won't try to read it again, even if later phases would
acquire credentials which would allow it to do so.  mod_waklog
acquires an afs credential for a principal in the pts group
umweb:servers at phase 0, and removes this credential at phase 2;
directories permitted "umweb:servers rl" will allow the stat() call
to succeed.

BUILD 

make

Be sure the paths to apxs, include files, and libraries are correct.

If you compiled Apache 2 with large file support, be sure to have:

   #define _LARGEFILE64_SOURCE

in mod_waklog.c.  If you run make and receive many errors about apr_off_t
being undefined, you may need to add or comment out the above line.


INSTALL

Copy the mod_waklog.so to somewhere Apache can read and execute it.

Add the following lines to your httpd.conf file:

    LoadModule waklog_module        /path/to/mod_waklog.so

    <IfModule mod_waklog.c>
        WaklogProtected                 On
    </IfModule>
Commit	Line	Data
cc810c13	1	INTRO
	2
	3	mod_waklog is an Apache module that provides aklog-like semantics
	4	for the web. mod_waklog will acquire (and store in the kernel) an
	5	AFS credential when a connection is opened, use the credential for
	6	the duration of the connection, and will remove the credential when
	7	the connection is closed.
	8
	9	mod_waklog allows you to permit directories using AFS ACLs, and access
	10	them via a web browser. An ACL of "umweb:servers rl" is required for
	11	each mod_waklog-protected directory.
	12
	13	mod_waklog allows scripts to run as you. Programs which use AFS
	14	credentials to authenticate themselves do so as you.
	15
	16	mod_waklog often is used with mod_cosign, and uses the cosign-provided
	17	krbtgt to acquire an AFS credential; this extends single signon to AFS
	18	via the web.
	19
	20	PHASES
	21
	22	Apache processes a request in multiple phases.
	23
	24	mod_waklog runs at phase 0 to acquire credentials via a keytab, and
	25	runs at phase 2 to remove the credentials.
	26
	27	mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
	28	is referenced via KRB5CCNAME (e.g., set by mod_cosign).
	29
	30	mod_waklog runs at connection termination to remove the credentials
	31	it acquired at phase 0 or phase 7.
	32
	33	Apache calls stat() between phase 1 and phase 2 to determine if it
	34	has access to the directory; if it doesn't have read access at that
	35	point, it won't try to read it again, even if later phases would
	36	acquire credentials which would allow it to do so. mod_waklog
	37	acquires an afs credential for a principal in the pts group
	38	umweb:servers at phase 0, and removes this credential at phase 2;
	39	directories permitted "umweb:servers rl" will allow the stat() call
	40	to succeed.
87822447	41
	42	BUILD
	43
	44	make
	45
	46	Be sure the paths to apxs, include files, and libraries are correct.
	47
	48	If you compiled Apache 2 with large file support, be sure to have:
	49
	50	#define _LARGEFILE64_SOURCE
	51
	52	in mod_waklog.c. If you run make and receive many errors about apr_off_t
	53	being undefined, you may need to add or comment out the above line.
	54
	55
	56	INSTALL
	57
	58	Copy the mod_waklog.so to somewhere Apache can read and execute it.
	59
	60	Add the following lines to your httpd.conf file:
	61
	62	LoadModule waklog_module /path/to/mod_waklog.so
	63
	64	<IfModule mod_waklog.c>
	65	WaklogProtected On
	66	</IfModule>
	67