AFS WebDAV

Started January 19th, 2007. The goal of the project is to develop an open-source, enterprise-class "AFS WebDAV" gateway to provide Kerberos authenticated, high-efficiency AFS sessions without the OpenAFS client via an unprivileged gateway server.

Deployed at https://webdav-test.mit.edu/.

Contents

Implementation

Use lighttpd as a WebDAV backend with an Apache-based front-end handler and authorizer. The following extra Apache modules are critical:

  • mod_auth_kerb
    • with a negotiate delegation patch
  • mod_proxy
  • mod_rewrite

Read more details.

Bad ideas using other WebDAV backends

These other implementations still minimally consist of a Apache + mod_ssl core. Both of these ideas were abandoned after sufficient experimentation.

mod_php

  • requires terrible dependence on sudo and setuid programs for securing operations

The privilege separation of this model can hardly be defended. This coupled with complicating FIFO pass-throughs made v.A an instructive learning experience but should not be explored further.

mod_dav

  • mod_auth_kerb
  • mod_dav
  • mod_waklog
    • stateless; extremely inefficient producing noticeable client-side delays

Browsing a folder (with most GUI clients) often spawns an arsenal of subrequests on the order of the number of items in the folder to retrieve additional properties on member items. Since mod_waklog's design performs a full kinit->aklog->pag_I/O->unlog->kdestroy sequence on every request, these kinds of client operations incur significant delays and ruin the end-user experience.

See Also


Deprecated: (presbrey) mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /afs/athena.mit.edu/user/p/r/presbrey/web_scripts/stat/index.php on line 63

Retrieved from "http://presbrey.mit.edu/AFS_WebDAV"

This page has been accessed 15,570 times. This page was last modified on 31 October 2007, at 18:23.