Initial documentation
INTRO

mod_waklog is an Apache module that provides aklog-like semantics
for the web. mod_waklog will acquire (and store in the kernel) an
AFS credential when a connection is opened, use the credential for
the duration of the connection, and remove the credential when
the connection is closed.

mod_waklog allows you to control access to directories using AFS ACLs,
and to access them via a web browser. An ACL of "umweb:servers rl" is
required for each mod_waklog-protected directory.

mod_waklog allows scripts to run as you. Programs which use AFS
credentials to authenticate themselves do so as you.

mod_waklog is often used with mod_cosign, and uses the cosign-provided
krbtgt to acquire an AFS credential; this extends single sign-on to AFS
via the web.

PHASES

Apache processes a request in multiple phases.

mod_waklog runs at phase 0 to acquire credentials via a keytab, and
runs at phase 2 to remove the credentials.

mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
is referenced via KRB5CCNAME (e.g., set by mod_cosign).

mod_waklog runs at connection termination to remove the credentials
it acquired at phase 0 or phase 7.

Apache calls stat() between phase 1 and phase 2 to determine if it
has access to the directory; if it doesn't have read access at that
point, it won't try to read it again, even if later phases would
acquire credentials which would allow it to do so. mod_waklog
acquires an AFS credential for a principal in the pts group
umweb:servers at phase 0, and removes this credential at phase 2;
directories permitted "umweb:servers rl" will allow the stat() call
to succeed.
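
A check for the ACL requirement described above, as an added example that is not part of the mod_waklog README or code: it reads "fs listacl" output and verifies that the group holds both r and l under normal rights with neither taken away under negative rights. The sample listings and example.org paths are constructed, and treating a superset such as rlidwka as sufficient is an assumption.

```shell
#!/bin/sh
# has_web_acl GROUP: reads `fs listacl <dir>` output on stdin.
# Exit 0 if GROUP has r (read) and l (lookup) under "Normal rights:"
# and neither right appears for GROUP under "Negative rights:".
has_web_acl() {
    awk -v group="$1" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        $1 == group && section == "normal"   { granted = granted $2 }
        $1 == group && section == "negative" { denied  = denied  $2 }
        END {
            ok = 1
            if (index(granted, "r") == 0 || index(granted, "l") == 0) ok = 0
            if (index(denied, "r") > 0 || index(denied, "l") > 0)     ok = 0
            exit !ok
        }
    '
}

# audit_listing LABEL LISTING: prints "PASS LABEL" or "FAIL LABEL".
audit_listing() {
    if printf '%s\n' "$2" | has_web_acl umweb:servers; then
        echo "PASS $1"
    else
        echo "FAIL $1"
    fi
}

# Constructed sample listings (not taken from a real cell).
ACL_OK='Access list for /afs/example.org/web/private is
Normal rights:
  system:administrators rlidwka
  umweb:servers rl
  alice rlidwk'

ACL_MISSING='Access list for /afs/example.org/web/other is
Normal rights:
  system:administrators rlidwka
  alice rlidwk'

ACL_NEGATED='Access list for /afs/example.org/web/locked is
Normal rights:
  umweb:servers rl
Negative rights:
  umweb:servers r'

audit_listing private "$ACL_OK"       # stat() at phase 1-2 can succeed
audit_listing other   "$ACL_MISSING"  # stat() fails; Apache will not retry
audit_listing locked  "$ACL_NEGATED"  # negative right overrides the grant
```

Against a live cell, pipe the real listing in instead: fs listacl "$dir" | has_web_acl umweb:servers.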