From 21a7788b0100cb157e0123325b320fec4aef6f43 Mon Sep 17 00:00:00 2001 From: megacz Date: Sun, 17 Jun 2007 07:03:39 +0000 Subject: [PATCH] document, rework directives git-svn-id: https://modwaklog.svn.sourceforge.net/svnroot/modwaklog/trunk/modwaklog@54 0d961d1b-a432-0410-8fea-cc29f225fe07 --- README | 41 ++++++++++++++++++++++++++++ mod_waklog.c | 76 +++++++++++++++++++++++++++++++--------------------- 2 files changed, 87 insertions(+), 30 deletions(-) diff --git a/README b/README index 28f4c3c..dd33453 100644 --- a/README +++ b/README @@ -1,3 +1,4 @@ +______________________________________________________________________________ INTRO mod_waklog is an Apache module that provides aklog-like semantics 
@@ -17,6 +18,44 @@ mod_waklog often is used with mod_cosign, and uses the cosign-provided krbtgt to acquire an AFS credential; this extends single signon to AFS via the web. +______________________________________________________________________________ +CONFIGURATION + +Mod_waklog understands these directives. Of these, only WaklogAFSCell +is mandatory: + +WaklogAFSCell + + Use the supplied AFS cell (required) + +WaklogEnabled + + Enable waklog on a server, location, or directory basis + +WaklogDefaultPrincipal + + Set the default principal that the server runs as; this principal + must have "l" access to every path that is served, regardless of + user credentials or WaklogLocationPrincipal directives. + +WaklogLocationPrincipal + + Set the principal on a -specific basis + +WaklogDisableTokenCache (NOT YET IMPLEMENTED) + + Ignore the token cache (-specific). This is useful for + scripts that need kerberos tickets; for example, a perl script that + uses kerberos authentication to contact a database. By supplying a + WaklogLocationPrincipal directive, mod_waklog can obtain the tickets + and tokens for the principal, but by not using the token cache the + script is assured that it will have tickets when it runs. + +WaklogUseUserTokens + + Use the requesting user tokens (from webauth) + +______________________________________________________________________________ PHASES Apache processes a request in multiple phases. @@ -39,6 +78,7 @@ umweb:servers at phase 0, and removes this credential at phase 2; directories permitted "umweb:servers rl" will allow the stat() call to succeed. +______________________________________________________________________________ BUILD make 
@@ -53,6 +93,7 @@ in mod_waklog.c. If you run make and receive many errors about apr_off_t being undefined, you may need to add or comment out the above line. +______________________________________________________________________________ INSTALL Copy the mod_waklog.so to somewhere Apache can read and execute it. diff --git a/mod_waklog.c b/mod_waklog.c index ef4e705..70b202f 100644 --- a/mod_waklog.c +++ b/mod_waklog.c @@ -42,18 +42,15 @@ { name, func, \ NULL , \ RSRC_CONF | ACCESS_CONF , type, usage } +module waklog_module; /********************* APACHE2 ******************************************************************************/ #else #include #include -//#include #define ap_pcalloc apr_pcalloc #define ap_pdupstr apr_pdupstr #define ap_pstrdup apr_pstrdup - -module AP_MODULE_DECLARE_DATA waklog_module; - #define MK_POOL apr_pool_t #define MK_TABLE_GET apr_table_get #define MK_TABLE_SET apr_table_set @@ -66,13 +63,10 @@ extern unixd_config_rec unixd_config; AP_INIT_ ## type (name, (void*) func, \ NULL, \ RSRC_CONF | ACCESS_CONF, usage) -typedef struct -{ - int dummy; -} -child_info; - +module AP_MODULE_DECLARE_DATA waklog_module; +typedef struct { int dummy; } child_info; const char *userdata_key = "waklog_init"; + #endif /* APACHE2 */ /**************************************************************************************************/ @@ -106,6 +100,7 @@ typedef struct int protect; int usertokens; int cell_in_principal; + int disable_token_cache; char *keytab; char *principal; char *default_principal; @@ -163,7 +158,6 @@ struct renew_ent renewtable[SHARED_TABLE_SIZE]; int renewcount = 0; -module waklog_module; #define getModConfig(P, X) P = (waklog_config *) ap_get_module_config( (X)->module_config, &waklog_module ); @@ -180,9 +174,6 @@ module waklog_module; #include #include -/* If there's an error, retry more aggressively */ -#define ERR_SLEEP_TIME 5*60 - static void log_error (const char *file, int line, int level, int status, 
@@ -718,6 +709,7 @@ waklog_create_server_config (MK_POOL * p, server_rec * s) cfg->path = "(server)"; cfg->protect = WAKLOG_UNSET; cfg->usertokens = WAKLOG_UNSET; + cfg->disable_token_cache = WAKLOG_UNSET; cfg->keytab = WAKLOG_UNSET; cfg->principal = WAKLOG_UNSET; cfg->default_principal = WAKLOG_UNSET; @@ -745,6 +737,7 @@ waklog_create_dir_config (MK_POOL * p, char *dir) cfg->path = ap_pstrdup(p, dir ); cfg->protect = WAKLOG_UNSET; cfg->usertokens = WAKLOG_UNSET; + cfg->disable_token_cache = WAKLOG_UNSET; cfg->keytab = WAKLOG_UNSET; cfg->principal = WAKLOG_UNSET; cfg->default_principal = WAKLOG_UNSET; @@ -767,6 +760,8 @@ static void *waklog_merge_dir_config(MK_POOL *p, void *parent_conf, void *newloc merged->path = child->path != WAKLOG_UNSET ? child->path : parent->path; merged->usertokens = child->usertokens != WAKLOG_UNSET ? child->usertokens : parent->usertokens; + + merged->disable_token_cache = child->disable_token_cache != WAKLOG_UNSET ? child->disable_token_cache : parent->disable_token_cache; merged->principal = child->principal != WAKLOG_UNSET ? child->principal : parent->principal; @@ -792,6 +787,8 @@ static void *waklog_merge_server_config(MK_POOL *p, void *parent_conf, void *new merged->usertokens = nconf->usertokens == WAKLOG_UNSET ? pconf->usertokens : nconf->usertokens; + merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->udisable_token_cache : nconf->disable_token_cache; + merged->keytab = nconf->keytab == WAKLOG_UNSET ? ap_pstrdup(p, pconf->keytab) : ( nconf->keytab == WAKLOG_UNSET ? WAKLOG_UNSET : ap_pstrdup(p, pconf->keytab) ); 
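Review bot: In the waklog_merge_server_config hunk the parent side of the new merge reads `pconf->udisable_token_cache`, but the field this commit adds to the config struct is `disable_token_cache`, so the file should not compile as posted. The line should read `merged->disable_token_cache = nconf->disable_token_cache == WAKLOG_UNSET ? pconf->disable_token_cache : nconf->disable_token_cache;`. The other three hunks that touch this field (both create functions and waklog_merge_dir_config) use the correct name. The function bodies start and end outside these hunks.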
@@ -813,7 +810,7 @@ static void *waklog_merge_server_config(MK_POOL *p, void *parent_conf, void *new } static const char * -set_waklog_protect (cmd_parms * params, void *mconfig, int flag) +set_waklog_enabled (cmd_parms * params, void *mconfig, int flag) { waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); @@ -821,7 +818,7 @@ set_waklog_protect (cmd_parms * params, void *mconfig, int flag) cfg->protect = flag; cfg->configured = 1; log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server, - "mod_waklog: waklog_protect set on %s", cfg->path ? cfg->path : "NULL"); + "mod_waklog: waklog_enabled set on %s", cfg->path ? cfg->path : "NULL"); return (NULL); } @@ -855,7 +852,7 @@ void add_to_renewtable(MK_POOL *p, char *keytab, char *principal) { } static const char * -set_waklog_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab) +set_waklog_location_principal (cmd_parms *params, void *mconfig, char *principal, char *keytab) { waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); @@ -874,7 +871,7 @@ set_waklog_principal (cmd_parms *params, void *mconfig, char *principal, char *k } static const char * -set_waklog_use_afs_cell (cmd_parms * params, void *mconfig, char *file) +set_waklog_afs_cell (cmd_parms * params, void *mconfig, char *file) { waklog_config *waklog_mconfig = ( waklog_config * ) mconfig; waklog_config *waklog_srvconfig = 
@@ -941,6 +938,22 @@ set_waklog_use_usertokens (cmd_parms * params, void *mconfig, int flag) } +static const char * +set_waklog_disable_token_cache (cmd_parms * params, void *mconfig, int flag) +{ + waklog_config *cfg = mconfig ? ( waklog_config * ) mconfig : + ( waklog_config * ) ap_get_module_config(params->server->module_config, &waklog_module ); + + cfg->disable_token_cache = flag; + + cfg->configured = 1; + + log_error (APLOG_MARK, APLOG_DEBUG, 0, params->server, + "mod_waklog: waklog_disable_token_cache set"); + return (NULL); +} + + #ifndef APACHE2 static void waklog_child_exit( server_rec *s, MK_POOL *p ) { #else 
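Review bot: set_waklog_disable_token_cache accepts the directive and stores the flag, but the README added in this same commit marks WaklogDisableTokenCache as NOT YET IMPLEMENTED, and no hunk in this patch reads `cfg->disable_token_cache` when deciding whether to use cached tokens. An administrator who turns it on so that a script is assured of tickets gets no indication that the setting has no effect. Until the cache lookup honours the flag, the handler should say so at a visible level instead of the debug message, e.g. `log_error (APLOG_MARK, APLOG_WARNING, 0, params->server, "mod_waklog: WaklogDisableTokenCache is not yet implemented and is ignored on %s", cfg->path ? cfg->path : "NULL");`. That form also records the path, as set_waklog_enabled does.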
@@ -1028,21 +1041,24 @@ waklog_child_init (server_rec * s, MK_POOL * p) command_rec waklog_cmds[] = { - command ("WaklogProtected", set_waklog_protect, 0, FLAG, - "enable waklog on a location or directory basis"), + command ("WaklogAFSCell", set_waklog_afs_cell, 0, TAKE1, + "Use the supplied AFS cell (required)"), - command ("WaklogPrincipal", set_waklog_principal, 0, TAKE2, - "Use the supplied keytab rather than the default"), + command ("WaklogEnabled", set_waklog_enabled, 0, FLAG, + "enable waklog on a server, location, or directory basis"), - command ("WaklogUseAFSCell", set_waklog_use_afs_cell, 0, TAKE1, - "Use the supplied AFS cell rather than the default"), + command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2, + "Set the default principal that the server runs as"), - command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG, - "Use the requesting user tokens (from webauth)"), + command ("WaklogLocationPrincipal", set_waklog_location_principal, 0, TAKE2, + "Set the principal on a -specific basis"), - command ("WaklogDefaultPrincipal", set_waklog_default_principal, 0, TAKE2, - "Set the default principal that the server runs as"), - + command ("WaklogDisableTokenCache", set_waklog_disable_token_cache, 0, FLAG, + "Ignore the token cache (location-specific); useful for scripts that need kerberos tickets."), + + command ("WaklogUseUserTokens", set_waklog_use_usertokens, 0, FLAG, + "Use the requesting user tokens (from webauth)"), + {NULL} }; @@ -1164,7 +1180,7 @@ waklog_init_handler (apr_pool_t * p, apr_pool_t * plog, if (cfg->afs_cell==NULL) { log_error (APLOG_MARK, APLOG_ERR, 0, s, - "mod_waklog: afs_cell==NULL; please provide the WaklogUseAFSCell directive"); + "mod_waklog: afs_cell==NULL; please provide the WaklogAFSCell directive"); /** clobber apache */ exit(-1); } -- 2.20.1
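Review bot: The waklog_cmds table drops `WaklogProtected`, `WaklogPrincipal` and `WaklogUseAFSCell` outright, so a configuration written for the previous revision will presumably be rejected for unknown directives once this module is loaded. Neither the README section added here nor the commit message mentions the rename. Consider keeping the old names for a release as aliases bound to the renamed handlers, e.g. `command ("WaklogProtected", set_waklog_enabled, 0, FLAG, "deprecated alias for WaklogEnabled"),`, with matching entries for the other two. The usage string for `WaklogDisableTokenCache` in the same table should also state that the directive is not yet implemented, to match the README.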