AFS WebDAV v.A

Project Log

I made design decisions for this implementation mostly under the assumption that this would be a test implementation used for proof-of-concept with priorities in the following order:

  1. Reasonable security
  2. High performance (read: scales well)
  3. Fast implementation

It took about 2 days to get a prototype running supporting "ls". Read/write protocol operations are expected to be implemented with a day or two more work.

System Implementation v1

Components

Linux

Kerberos principal holders are real Unix users on the host: the principal name is the local user name, so no separate account database or mapping table is needed.

Apache

WebDAV protocol parsing runs in-process in PHP under the Apache SAPI (mod_php). Operations that need a user's privileges are not performed by the Apache worker itself: each one is forked to a setuid Python backend, which switches to that user's Unix identity and performs the operation with the user's own Kerberos/AFS tokens.

  • mod_ssl
    • many mainstream WebDAV clients support only Basic Auth; we allow it, but only over TLS, since Basic sends the password in cleartext otherwise
  • mod_rewrite
    • route every HTTP request method (including WebDAV methods such as PROPFIND) to the PHP handler via the SAPI
  • mod_php
    • php-memcache
      • PECL extension; a fast C client for the memcached server
    • php-eaccelerator
      • pre-compiles PHP scripts and keeps the bytecode in shared memory
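The front-end/backend split described above, as an added example in Python (the language of the backends); this is not the prototype's own code. The Apache-facing process parses the Basic Auth header and maps the principal to a local user, and anything that needs the user's identity runs in a forked child that has irreversibly dropped to that user. The realm name, the MIN_UID cutoff, the KRB5CCNAME path, and the job callable standing in for the real kinit/aklog/AFS work are all assumptions made for the example.

```python
import base64
import binascii
import os
import pwd
from typing import Callable, Optional, Tuple

ALLOWED_REALM = "ATHENA.MIT.EDU"  # assumption: the single realm/cell allowed to log in
MIN_UID = 1000                    # assumption: uids below this are system accounts


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Split an 'Authorization' header value into (user, password), or None if
    it is not well-formed Basic auth. Never raises on attacker-supplied input."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None


def principal_to_local(principal: str) -> Optional[str]:
    """Map a Kerberos principal to the Unix user of the same name.
    Only single-component principals in ALLOWED_REALM are accepted (an
    unqualified name is assumed to be in that realm); foreign realms and
    instances such as user/admin are refused."""
    name, sep, realm = principal.partition("@")
    if sep and realm != ALLOWED_REALM:
        return None
    if not name or "/" in name or "@" in name:
        return None
    return name


def drop_target(uid: int, gid: int) -> Tuple[int, int]:
    """Validate the identity a backend may switch to. Root and system
    accounts are refused so a mapping bug can never widen privilege."""
    if uid == 0 or gid == 0:
        raise PermissionError("refusing to run a backend as root")
    if uid < MIN_UID:
        raise PermissionError(f"refusing system account uid {uid}")
    return uid, gid


def become(pw: pwd.struct_passwd) -> None:
    """Irreversibly switch this process to pw. Needs root; order matters:
    supplementary groups first, then gid, then uid, then verify the drop stuck."""
    uid, gid = drop_target(pw.pw_uid, pw.pw_gid)
    os.initgroups(pw.pw_name, gid)
    os.setgid(gid)
    os.setuid(uid)
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise PermissionError("privilege drop did not stick")
    # Private credential cache per child so one user's tokens never reach another.
    os.environ["KRB5CCNAME"] = f"FILE:/tmp/krb5cc_{uid}_{os.getpid()}"  # assumed path


def run_as_user(local_user: str, job: Callable[[], bytes]) -> bytes:
    """Fork; the child becomes local_user and runs job() (the stand-in for
    kinit/aklog plus the AFS operation); the parent, which keeps serving
    Apache, never holds the user's identity or tokens. Returns the child's output."""
    pw = pwd.getpwnam(local_user)
    drop_target(pw.pw_uid, pw.pw_gid)  # fail before paying for a fork
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(rd)
        try:
            become(pw)
            out, code = job(), 0
        except Exception as exc:  # report the failure; never return into the parent's code
            out, code = str(exc).encode(), 1
        with os.fdopen(wr, "wb") as f:
            f.write(out)
        os._exit(code)
    os.close(wr)
    with os.fdopen(rd, "rb") as f:  # parent
        out = f.read()
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status) or os.WEXITSTATUS(status) != 0:
        raise RuntimeError(out.decode(errors="replace") or "backend died")
    return out
```

Only the parent-side pieces (header parsing, principal mapping, identity validation) can be exercised without root; run_as_user needs a root-owned front end and a real local user, which is exactly the setuid arrangement the component list describes.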

PHP

the PEAR HTTP_WebDAV_Server package, refactored to fit the system constraints above

Memcached

an in-memory cache daemon reached over a local socket; its entries are shared by all Apache/PHP processes on the host

  • cache authentication hashes, so follow-up requests in a session skip the login steps
  • cache the results of the AFS class's function calls
    • Hesiod filsys and PTS lookups
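An added example in Python (not the prototype's code) of the two caching uses above: a keyed hash of a successful Basic Auth login is stored so that follow-up requests in the same session skip kinit/aklog, and AFS lookups (Hesiod filsys, PTS) are memoised with a TTL. A small in-memory class stands in for the memcached connection; the server secret, the TTL values, and the kinit callable are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption: a per-server secret generated at startup. Cached values are
# keyed hashes, so a dump of memcached alone does not let an attacker run
# offline guesses against the stored login hashes.
SERVER_SECRET = secrets.token_bytes(32)
AUTH_TTL = 300  # assumption: seconds a successful login is remembered


class Memcache:
    """Minimal in-memory stand-in for a memcached connection: get/set with expiry.
    A clock can be injected so expiry is testable without sleeping."""
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._data: Dict[str, Tuple[bytes, float]] = {}

    def set(self, key: str, value: bytes, ttl: int) -> None:
        self._data[key] = (value, self._now() + ttl)

    def get(self, key: str) -> Optional[bytes]:
        hit = self._data.get(key)
        if hit is None:
            return None
        value, expires = hit
        if self._now() >= expires:
            del self._data[key]
            return None
        return value


def _hashed_key(prefix: str, name: str) -> str:
    """Cache key with the name hashed, so a crafted user or locker name cannot
    collide with or enumerate another namespace in the shared cache."""
    return prefix + ":" + hashlib.sha256(name.encode()).hexdigest()


def credential_tag(user: str, password: str) -> bytes:
    """Keyed hash of the credentials; the user name acts as a salt so the
    same password yields different tags for different users."""
    msg = user.encode() + b"\0" + password.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def authenticate(cache: Memcache, user: str, password: str,
                 kinit: Callable[[str, str], bool]) -> bool:
    """True if user/password is valid. A cache hit whose tag matches skips the
    expensive kinit/aklog path; on a miss, kinit() is consulted and only a
    success is cached, so a wrong password is always re-checked at the KDC."""
    tag = credential_tag(user, password)
    cached = cache.get(_hashed_key("auth", user))
    if cached is not None and hmac.compare_digest(cached, tag):
        return True
    if not kinit(user, password):
        return False
    cache.set(_hashed_key("auth", user), tag, AUTH_TTL)
    return True


def cached_lookup(cache: Memcache, prefix: str, ttl: int):
    """Decorator memoising a str -> str lookup (e.g. Hesiod filsys or PTS) in
    the shared cache, so repeated PROPFINDs on the same locker do not hit the
    name service again within ttl seconds."""
    def wrap(fn: Callable[[str], str]) -> Callable[[str], str]:
        def inner(name: str) -> str:
            key = _hashed_key(prefix, name)
            hit = cache.get(key)
            if hit is not None:
                return hit.decode()
            value = fn(name)
            cache.set(key, value.encode(), ttl)
            return value
        return inner
    return wrap


if __name__ == "__main__":
    # Constructed demo: a fake kinit that accepts one credential pair.
    cache = Memcache()
    calls = []

    def fake_kinit(u: str, p: str) -> bool:
        calls.append(u)
        return (u, p) == ("alice", "s3cret")

    print(authenticate(cache, "alice", "s3cret", fake_kinit), len(calls))  # first request pays for kinit
    print(authenticate(cache, "alice", "s3cret", fake_kinit), len(calls))  # follow-up served from cache
```

Failed logins are deliberately not cached: caching a negative result would let a transient KDC error lock a user out for AUTH_TTL seconds, and caching the attempted password's tag would hand an attacker a verifier to test against.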

Design Decisions

Pros and Cons

Kerberos principals are real Unix users
  advantages
    • simple implementation
    • fast lookups
    • simplifies PAG operation
  disadvantages
    • only one realm/cell can log in

PHP SAPI (mod_php)
  advantages
    • high performance
    • up-to-date WebDAV protocol parsing code exists
    • inherits the scalability of Apache
  disadvantages
    • requires user privilege separation to be emulated, since all Apache workers run as one user

setuid
  advantages
    • secure separation of users
    • principals and tokens are "safe" from Apache and from each other
  disadvantages
    • we're forking a process per privileged operation

Memcached
  advantages
    • high performance
    • follow-up operations can skip session setup steps (kinit, aklog, etc.)
  disadvantages
    • 64M of RAM

vs. mod_waklog
  advantages
    • performing all operations during the last phase of the Apache request sequence provides all of the crucial environment at once
    • some of mod_waklog's missing features are covered: ~locker paths
  disadvantages
    • PHP isn't C; an Apache module would be cooler

There is more research to be done into another implementation possibly based on a mod_waklog variant.


Retrieved from "http://presbrey.mit.edu/AFS_WebDAV_v.A"

This page was last modified on 13 August 2007, at 17:29.