Notes, thoughts, musings, and progress made on the "provision of secure web service for user data" project.

We've agreed that we'll have a single container for a user's data and scripts, and need to decide on the file structure that supports this - will the model be along the lines of home directories (where users are divided into initial-letter directories), or a single-location space where all volume mounts are side-by-side?

11 Aug 2014

Set up VM as web server for secure pages - need to configure this to use the new file structure (similar to homepages). Already tested this on dorling. Need to decide on name space.

It may be possible to use a regex to generate <Location> blocks, rather than manual/automatic generation of explicit instances (although not until Apache 2.4). It might also be a good idea to restrict the ID/principal to the host as well as the user, so that any keytabs or certificates would be useless elsewhere (thus reducing the risk of abuse). However, revocation may be an issue.

Make sure that testing is done as a.n.other user, so that clear examples of user ID are shown.

October 2014

The essential mechanisms seem to be in place, although the processes need to be documented. Things we need to cover are:

  • how to create filespace
  • allocate sweb ID (see https://wiki.inf.ed.ac.uk/DICE/AFSAdminUids)
  • create user ID:
    pts createuser -name <username>.sweb -id <sweb-id>
  • generate keytab in new shell/window:
    kadmin
    ktadd -k /tmp/<username>-sweb.keytab <username>/sweb
  • copy keytab to /etc/httpd/conf/<username>-sweb.keytab on server
  • add keytab to WaklogLocationPrincipal in /etc/httpd/conf.d/sweb.conf (example for user roger):
    <Location /roger>
    WaklogLocationPrincipal roger/sweb /etc/httpd/conf/roger-sweb.keytab
    </Location>
  • creating volume
  • mounting volume
  • configuring ACLs

December 2014

First draft of documentation complete, and passed to Support for testing. Ross did a run-through to create his own sweb area, which seemed to work satisfactorily (even though the RO volume didn't get automatically released).

January 2015

Final approval of documentation still required, no additional progress this month.

February 2015

The documentation review is still outstanding, but hopefully can be sorted out soon.

March 2015

A couple of items have crept out of the woodwork, and I have spent some time configuring CGI script execution in local disk space (AFS behaviour is fine: via Waklog, scripts execute as user.sweb with minimal permissions). In order to get user-executed scripts in UFS space, we need to trigger Apache's mod_userdir and suexec. It also appears necessary to specify a CGI sub-directory. Scripts require URLs with ~user (otherwise suexec isn't triggered), but we also need the non-tilde form for static pages. Can we mix the two by setting a null CGI sub-directory suffix?

There's a slight wrinkle inasmuch as Apache uses the value of UserDir to locate the script/executable (so that https://sweb.inf.ed.ac.uk/~user/script.cgi finds sweb:/home/user/cgi-bin/script.cgi), but if the URL contains a tilde and suexec is triggered, then suexec uses its own expansion mechanism based on the suexec_userdir_subdir and --with-suexec-userdir compile-time settings. So, to avoid confusion, it's probably best if these match.

Setting UserDir to an empty string, or to "./" doesn't seem to trigger suexec, which makes mixing scripts and pages in the same location (so that https://sweb.inf.ed.ac.uk/~user works for scripts and pages) awkward.

Decided to create "web" and "data" subdirectories (partly to overcome ~user funnies), and updated documentation appropriately. Have nobbled a Real User to beta test, and will take things from there. Hopefully light at the end of the tunnel.

April 2015

Put in support ticket for secure-volume creation on behalf of Real User beta tester, and volume has been created. Awaiting feedback.

May 2015

Still awaiting feedback.

June 2015

Re-installed arachne (sweb.inf), as I had noticed that the AFS cache partition was too small (this was because the small-server.h header was used, which overrides explicit AFS cache size settings). Increased VM disk size to 20 GB, and AFS cache to 8 GB.

July 2015

Still awaiting beta-test feedback. Checked through documentation. Investigated Apache/suexec RPM structure - not sure if we can separate out per-host/service suexec tweaks.

August 2015

Rebuilt Apache/suexec RPM to conform to the revised naming scheme, and removed the host-specific homepages.patch.

September 2015

Checked over documentation and other sign-off requirements.

October 2015

Investigated issues raised at the sign-off proposal: firewall holes added, scalability issues noted in report, URL redirects implemented, but use of a proxy still to be investigated.

November 2015

Experimented with proxying (so that users would be able to continue to use a groups.inf URL). Added ProxyPass and ProxyPassReverse directives to /disk/data/httpd/conf/main.conf on toaster for the /sweb test page, so that https://groups.inf.ed.ac.uk/sweb/ quietly redirects to https://sweb.inf.ed.ac.uk/ (retaining the groups.inf URL).

December 2015

Updated home-page to match homepages.inf, and added RewriteConds to allow exclusions for tilde addition.

January 2016

At the Development Meeting of 20/Jan/2016, it was agreed that a few more pieces of work probably deserved some attention:

  1. a mechanism was needed for the automation of sweb.ID keytab generation (for disaster recovery and multiple account creation).
    Note that it was thought better to regenerate new keytabs for users, rather than having a backup & retrieval mechanism.
  2. a mechanism for deletion of old keytabs was also needed
  3. clarification of user docs required (as mentioned by George)
  4. a peer-review of web configuration (primarily to double-check any potential security issues)

Subsequent discussion with Toby indicated that 1 & 2 above might be covered by a Prometheus project.
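For item 4 above (and the per-user stanza in the October 2014 entry), one check a reviewer of sweb.conf would want is that every <Location /user> binds only that user's own principal and keytab, since a block copied from another user's entry would hand that user's AFS identity to someone else's scripts. This is an added example, not the project's own tooling; it assumes the file follows the stanza shape shown above (WaklogLocationPrincipal lines inside plain <Location /user> blocks) and the /etc/httpd/conf/user-sweb.keytab naming.

```python
import re

LOCATION_RE = re.compile(r"^\s*<Location\s+/([^\s>]+)\s*>\s*$", re.I)
END_RE = re.compile(r"^\s*</Location>\s*$", re.I)
WAKLOG_RE = re.compile(r"^\s*WaklogLocationPrincipal\s+(\S+)\s+(\S+)\s*$", re.I)
KEYTAB_DIR = "/etc/httpd/conf"  # keytab location used in the notes above

def audit_sweb_conf(text):
    """Return (line_number, message) pairs, one per inconsistency found."""
    problems = []
    user = None  # owner of the currently open <Location /user>, if any
    seen = 0     # WaklogLocationPrincipal lines seen in that block
    for n, line in enumerate(text.splitlines(), 1):
        m = LOCATION_RE.match(line)
        if m:
            user, seen = m.group(1), 0
            continue
        if END_RE.match(line):
            if user is None:
                problems.append((n, "</Location> without an open block"))
            elif seen == 0:
                problems.append((n, "/%s has no WaklogLocationPrincipal" % user))
            user = None
            continue
        m = WAKLOG_RE.match(line)
        if not m:
            continue
        principal, keytab = m.groups()
        if user is None:
            problems.append((n, "WaklogLocationPrincipal outside <Location>"))
            continue
        seen += 1
        # The principal must be the location owner's own sweb identity ...
        if principal != "%s/sweb" % user:
            problems.append((n, "/%s binds foreign principal %s" % (user, principal)))
        # ... and the keytab must be that user's own, at the agreed path.
        if keytab != "%s/%s-sweb.keytab" % (KEYTAB_DIR, user):
            problems.append((n, "/%s uses unexpected keytab %s" % (user, keytab)))
    return problems

# Constructed sample: roger's block is right; alice's was copied from bob's.
SAMPLE_CONF = """<Location /roger>
WaklogLocationPrincipal roger/sweb /etc/httpd/conf/roger-sweb.keytab
</Location>
<Location /alice>
WaklogLocationPrincipal bob/sweb /etc/httpd/conf/bob-sweb.keytab
</Location>
"""
```

Running audit_sweb_conf over the real file (open(...).read()) before each reload gives a quick yes/no for the peer review; an empty list means every block is self-consistent.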

February 2016

  • created Disaster Recovery document to recreate service in the event of damage or loss (added to Support documentation).

Final Report

See FinalProjectReport301

-- RogerBurroughes - 02 Mar 2016

Topic revision: r22 - 02 Mar 2016 - 08:48:32 - RogerBurroughes