AFS WebDAV

Started January 19th, 2007. The goal of the project is to develop an open-source, enterprise-class "AFS WebDAV" gateway to provide Kerberos authenticated, high-efficiency AFS sessions without the OpenAFS client via an unprivileged gateway server.

Deployed at https://webdav-test.mit.edu/.

Contents 1 Implementation 1.1 Bad ideas using other WebDAV backends 1.1.1 mod_php 1.1.2 mod_dav 2 See Also

[edit] Implementation

Use lighttpd as a WebDAV backend with an Apache-based front-end handler and authorizer. The following extra Apache modules are critical:

• mod_auth_kerb
  • with a negotiate delegation patch
• mod_proxy
• mod_rewrite

Read more details.

[edit] Bad ideas using other WebDAV backends

These other implementations still minimally consist of a Apache + mod_ssl core. Both of these ideas were abandoned after sufficient experimentation.

[edit] mod_php

• requires terrible dependence on sudo and setuid programs for securing operations

The privilege separation of this model can hardly be defended. This coupled with complicating FIFO pass-throughs made v.A an instructive learning experience but should not be explored further.

[edit] mod_dav

• mod_auth_kerb
• mod_dav
• mod_waklog
  • stateless; extremely inefficient producing noticeable client-side delays

Browsing a folder (with most GUI clients) often spawns an arsenal of subrequests on the order of the number of items in the folder to retrieve additional properties on member items. Since mod_waklog's design performs a full kinit->aklog->pag_I/O->unlog->kdestroy sequence on every request, these kinds of client operations incur significant delays and ruin the end-user experience.

[edit] See Also

• Apache::AuthKrb5Afs
• mod_waklog
• filedrawers
• www.webdav.org
• ISDA wiki page on this project

Edit this page | Discuss this page | Page history | What links here | Related changes Main Page Find: