How to configure keytab and waklog for user run web servers

This is the recommended way to give a user-run Apache access to AFS file space: a dedicated Kerberos keytab with a matching PTS user, and the mod_waklog module, which uses that keytab to obtain AFS tokens for the web server.

The Computing Staff Bits

First reserve a PTS UID for the keytab you are about to create. Currently you do this by grabbing a slot on AFSAdminUids.

Then create the user in the AFS PTS database with that id, eg:

pts createuser -name labelme.salander.inf.ed.ac.uk -id 28256

Add something like the following to the profile of the machine on which the user will be running their Apache:

#include <dice/options/afsweb.h>

!kerberos.keys              mREMOVE(afsweb)
!kerberos.keys              mADD(labelme)

kerberos.keytab_labelme      /etc/labelme.keytab
kerberos.keytabgid_labelme   root
kerberos.keytabuid_labelme   neilb

!file.file_waklog           mSET(/etc/httpd/conf.d/waklog-labelme.conf)

Replace "labelme" with something appropriate, and neilb and root with whatever is appropriate for the host. In practice this usually means only replacing neilb with the UUN of the person who will run Apache: the keytab file is created owned by that user (keytabuid) with group root (keytabgid), so the user can read it and nobody else needs to.

Once the profile has propagated, run updaterpms on the host, then check that the keytab (/etc/labelme.keytab in this example) and the waklog fragment (/etc/httpd/conf.d/waklog-labelme.conf, the path given to file.file_waklog) have both been created.
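As an added example that is not part of the original page, here is a small shell check to run on the host once updaterpms has finished. It assumes the keytab path, fragment path and owner (neilb) from the profile fragment above; substitute your own. The keytab is a long-lived credential, so the check insists it is owned by the expected user and is not readable by group or others. The second function assumes that the generated waklog fragment refers to the keytab by its path.

```shell
#!/bin/sh
# Added example (not from the original page): post-updaterpms sanity checks
# for the keytab and the waklog config fragment created by the profile.

# Return 0 if KEYTAB exists, is owned by EXPECTED_OWNER and has no group or
# other permission bits set. Anyone who can read the keytab can obtain the
# AFS token it protects, so 0600/0400 is what we want to see.
check_keytab_perms() {
    keytab=$1
    expected_owner=$2
    [ -f "$keytab" ] || { echo "missing: $keytab" >&2; return 1; }
    owner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")
    [ "$owner" = "$expected_owner" ] || {
        echo "$keytab is owned by $owner, expected $expected_owner" >&2
        return 1
    }
    # The last two octal digits (group, other) must both be zero.
    case "$mode" in
        *00) ;;
        *) echo "$keytab mode $mode is readable by group/other" >&2; return 1 ;;
    esac
    return 0
}

# Return 0 if the waklog fragment CONF exists and mentions KEYTAB by path
# (assumption: the generated fragment names the keytab it uses).
check_waklog_conf() {
    conf=$1
    keytab=$2
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    grep -qF -- "$keytab" "$conf" || {
        echo "$conf does not reference $keytab" >&2
        return 1
    }
    return 0
}

# Usage on the host (values from the profile fragment above):
#   check_keytab_perms /etc/labelme.keytab neilb
#   check_waklog_conf /etc/httpd/conf.d/waklog-labelme.conf /etc/labelme.keytab
# A quick look at the principals in the keytab, once it passes:
#   klist -k /etc/labelme.keytab
```

Both functions return non-zero and print the reason on stderr, so they can be dropped into a post-install script that aborts before Apache is started with a keytab that other users could read.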

What the user needs to do

  • Alter the AFS ACLs to the file areas that apache needs to access.
  • Update apache to use the waklog module and the keytab generated above.

Updating AFS ACLs

You need to give the user (labelme.salander.inf.ed.ac.uk in this example) access to the AFS file areas that Apache needs. This means the Apache config and log areas, if it is running out of an AFS home directory, and the document root.

Remember that the user will also need at least l (lookup) permission on every parent directory, all the way up the tree. This may already be satisfied by an existing "system:authuser l" or "system:anyuser l" entry on those directories.

For example if apache is run out of ~neilb/apache/ then:

find ~neilb/apache -noleaf -type d -exec fs sa {} labelme.salander.inf.ed.ac.uk read \;
fs sa ~neilb/apache/logs labelme.salander.inf.ed.ac.uk write

The find gives the principal read permission (shorthand for rl) on ~neilb/apache and all its sub-directories; AFS ACLs are set per directory, not per file, which is why only -type d is needed. The extra fs sa gives write permission (shorthand for rlidwk, which includes insert and delete) on the logs sub-directory. Because this principal is what the web server runs as, grant write only where Apache genuinely has to create files.

Similarly, if the DocumentRoot is /group/project/foo/html/, you need to make sure the ACLs are set so that labelme.salander.inf.ed.ac.uk can read (and write, if necessary) the files within it, and can look up every directory above it.
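As an added example that is not part of the original page, the following shell functions check the rights described above by parsing the output of fs listacl: the effective rights a principal gets on one directory, whether they include a required set such as rl, and a walk up the tree confirming lookup on every ancestor. The sample ACL listings are constructed here for offline use. The checker considers only the principal itself plus system:anyuser and system:authuser and does not expand pts group membership (an assumption made to keep it self-contained); check_lookup_path needs a working OpenAFS client and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): AFS ACL checks for the
# keytab principal, driven by 'fs listacl' output on stdin.

# Constructed sample of 'fs listacl' output for the Apache directory.
SAMPLE_ACL='Access list for /afs/inf.ed.ac.uk/user/n/neilb/apache is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  neilb rlidwka
  labelme.salander.inf.ed.ac.uk rl'

# Constructed sample with a negative entry removing w from the principal.
SAMPLE_NEG_ACL='Access list for /afs/inf.ed.ac.uk/group/project/foo/html is
Normal rights:
  system:anyuser rl
  labelme.salander.inf.ed.ac.uk rlidwk
Negative rights:
  labelme.salander.inf.ed.ac.uk w'

# Print the effective rights PRINCIPAL has according to the listing on
# stdin: the union of its own, system:anyuser and system:authuser normal
# entries, minus any negative entries for the same three. Group entries
# are not expanded (assumption). Output uses the canonical order rlidwka.
acl_effective_rights() {
    awk -v p="$1" '
        /^Negative rights:/ { neg = 1; next }
        /^Normal rights:/   { neg = 0; next }
        NF == 2 && ($1 == p || $1 == "system:anyuser" || $1 == "system:authuser") {
            if (neg) negr = negr $2; else posr = posr $2
        }
        END {
            all = "rlidwka"; out = ""
            for (i = 1; i <= length(all); i++) {
                c = substr(all, i, 1)
                if (index(posr, c) > 0 && index(negr, c) == 0) out = out c
            }
            print out
        }'
}

# Return 0 if the listing on stdin gives PRINCIPAL every right letter in
# WANTED (e.g. "rl" for read, "rlidwk" for write, "l" for lookup).
acl_grants() {
    principal=$1
    wanted=$2
    eff=$(acl_effective_rights "$principal")
    i=1
    while [ "$i" -le "${#wanted}" ]; do
        c=$(printf '%s' "$wanted" | cut -c "$i")
        case "$eff" in *"$c"*) ;; *) return 1 ;; esac
        i=$((i + 1))
    done
    return 0
}

# Walk from DIR up to /afs, checking that PRINCIPAL has lookup on every
# directory. Requires an OpenAFS client (fs) and is not run offline.
check_lookup_path() {
    principal=$1
    dir=$2
    while [ "$dir" != "/" ] && [ "$dir" != "/afs" ]; do
        if ! fs listacl "$dir" | acl_grants "$principal" l; then
            echo "no lookup (l) for $principal on $dir" >&2
            return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage on a real client, e.g. before starting Apache:
#   fs listacl ~neilb/apache/logs | acl_grants labelme.salander.inf.ed.ac.uk rlidwk
#   check_lookup_path labelme.salander.inf.ed.ac.uk /afs/inf.ed.ac.uk/group/project/foo/html
```

Run acl_grants against the document root with rl and against the logs directory with rlidwk after the fs sa commands above, and check_lookup_path against both; a missing l on a parent is the usual reason a correctly ACL'd DocumentRoot still returns permission errors.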

Update your Apache config

You need to update your Apache config to load the mod_waklog.so module. By default it is installed as /usr/lib/httpd/modules/mod_waklog.so, so just adding:

LoadModule waklog_module        modules/mod_waklog.so

may be enough, depending on your Apache setup (a relative path in LoadModule is resolved against ServerRoot). Also include the config fragment that the profile created, i.e. the path given to file.file_waklog above:

Include /etc/httpd/conf.d/waklog-labelme.conf

Before you restart Apache, be aware that mod_waklog will replace the AFS tokens in the calling shell's PAG with the ones obtained from the keytab, i.e. you will probably find that you no longer have access to your own files in that shell. So before restarting Apache from the shell, run pagsh to start a new shell in its own PAG, and start Apache from that shell, eg:

cd ~neilb/apache
pagsh
./apachectl stop
./apachectl start
exit

The 'exit' brings you back to your previous shell with your AFS tokens intact. If you get errors about Apache not being able to access files, you may have to run renc after the pagsh: the new PAG starts with no tokens, so Apache may be unable to read its own config out of AFS until you have some.

-- NeilBrown - 11 Mar 2010

Topic revision: r2 - 30 Jun 2011 - 12:26:58 - NeilBrown