Accessing AFS through the Web with Waklog

Jarod Malestein and Willie Northway

ITCS/UMCE

University of Michigan

2006 AFS & Kerberos Best Practices Workshop

mod_waklog: What it is

• Web AFS Kerberos Login
• Apache 1 module
• Written in C

mod_waklog: What it does

• Similar to aklog
• Makes an AFS token from Kerberos credentials
• Apache runs with the user's AFS token
• Allows access to AFS with a web browser

mod_waklog: How it works

• Standard Apache module
• Relies on an authentication module
• KRB5CCNAME
• Acts at key points in Apache request-response cycle
• URI translation
• use keytab
• stat()
• unlog
• Access control
• Authentication
• Authorization
• MIME type checking
• use user's Kerberos credential
• Response phase
• Logging phase
• Cleanup phase
• unlog as user
• User sees web page!

mod_waklog: demo

• waktest.php
• Someone else's AFS space
• Almost...
• itdwww rl

Alternatives?

• authkrb5afs.pm
• Integrated solution
• Mod_waklog is modular, it will work with other authN solutions
• As long as they provide KRB5CCNAME

mod_waklog: Caveats

• configure
• Apache 2
• "Private" web sites need a keytab for the web server
• fs sa . itdwww rl

mod_waklog: requirements

• Your favorite Unix variant
  • We use Linux 2.4.31
• AFS
• Kerberos V
• Apache 1.x
  • We run 1.3.34
• AuthN module
  • mod_cosign, mod_auth_krb
• Proper configuration

WebDAV

• It works with waklog, and we have it currently running on a test server
• Berkeley also has webDAV running with mod_waklog
• Implementation:
• Directive dav-enable: specifies the directory it should be turned on for: /afs/umich.edu/
• Setup aliases for groups, class, and user
• Currently running on apache 1.3.36, with mod_dav 1.0.3
• Haven't tried mod_dav with apache 2 yet
• it probably works with pre-forking
• For authentication, we use mod_auth_kerb

WebDAV issues:

We may move to a pilot phase after resolving some issues:

• files with sizes above 400MB don't work
• This seems to be a timeout issue, but it's still unresolved
• versioning uses a local lock file
• lock file is on the webserver's local disk
• webDAV's locking isn't compatible with AFS locks
• perhaps it's fixed with mod_davfs (or SQL version)

more WebDAV issues:

• mod_userdir doesn't work
• this means we can't use ~username
• must specify path with servername: https://webdav-test.www.umich.edu/user/u/s/username
• webDAV doesn't work with cosign
• a webDAV client isn't a browser. It doesn't understand html, or redirects
• clients only authenticate with something that acts like BasicAuth, or SSL mutual authentication. UM doesn't have a PKI
• we don't yet know who our audience will be, or how they'll use it

web-based file manager

• We initially deployed horde's gollem as a file-manager...
• wasn't designed with AFS in mind
• needs the Horde framework
• doesn't support ~user

Filedrawers

So we wrote filedrawers...

• feel free to try it out right now
• username: cartelza password: simplepw
• used OO php, smarty, and javascript for DOM-scripting, and a touch of C
• user testing for UI refinements
• interviewed volunteers in the usability lab with task-oriented tests
• analyzed common difficulties or misconceptions
• discussed feedback, and most requested features
• altered the interface
• rolled out the mfile service: mfile.umich.edu

Filedrawers is a file manager

manages files and directories

• list
• download
• rename
• delete
• new folder
• move (files and folders)

File Manager (part 2)

upload files

• supports multiple files at once
• animated progress bar

Filedrawers: view files

view files with supported mime types

• plain text, html, source code (c, php, js, css, etc.)
• images: gif, jpg, png
• audio files such as mp3 and aiff
• video: mpeg, or quicktime
• shockwave / flash
• we have plans to add a text editor

Filedrawers: manage permissions

powerful permissions manager for AFS ACLs

• reduces the need for training, since users don't need to memorize syntax and parameters
• we'd like to add a collection of simpler utilities...

Filedrawers: make webspace

• creates necessary directories
• sets (or fixes) permissions
• copies over XHTML compliant file as an example for users to get started

Filedrawers: allow support

allows users to give administrative access of their personal space to departmental support staff

Both packages are open source

• received many requests for the source, so we moved both of the waklog and filedrawers packages to sourceforge
• we've heard that 3-4 other institutions have successfully brought up filedrawers
• unfortunately, there's an extensive amount of umich branding and local configurations hard-coded
• we hope to remove these so that broader adoption can occur more easily
• We have big plans for the future!   ;)
• If anyone would like to help out, please let us know.

Project websites

• modwaklog.org
• filedrawers.org