AFS WebDAV v.A

Contents 1 Project Log 2 System Implementation v1 2.1 Components 2.1.1 Linux 2.1.2 Apache 2.1.3 PHP 2.1.4 Memcached 2.2 Design Descisions 2.2.1 Pros and Cons

[edit] Project Log

I made design decisions for this implementation mostly under the assumption that this would be a test implementation used for proof-of-concept with priorities in the following order:

1. Reasonable security
2. High performance (read: scales well)
3. Fast implementation

It took about 2 days to get a prototype running supporting "ls". Read/write protocol operations are expected to be implemented with a day or two more work.

[edit] System Implementation v1

[edit] Components

[edit] Linux

kerberos principal holders are actual unix users

[edit] Apache

WebDAV protocol parsing code is run from memory by PHP SAPI, user privileged operations are setuid and forked to Python user-backends to perform users' token-enabled privileged operations

• mod_ssl
  • many mainstream WebDAV clients support only Basic Auth, we allow it but must encrypt
• mod_rewrite
  • direct all request methods to PHP via SAPI
• mod_php
  • php-memcache
    • fast C interface to memcached server from PECL
  • php-eaccelerator
    • pre-compiles PHP scripts and stores in shared memory

[edit] PHP

refactored HTTP_WebDAV_Server package to the system constraints

• removed:
  • file operation code (Apache is not privileged)
  • locking
  • script self-awareness (for friendly paths like https://dav.mit.edu/afs/athena.mit.edu/user/p/r/presbrey/ and https://dav.mit.edu/~presbrey/)
• added:
  • hesiod support (follow filsys pointers)
  • kerberos support (use kerberos principals and aklog)
  • sudo commands (fork kerberos and file operations to user backends)

[edit] Memcached

maps daemon allocated shared memory space to a local socket

• cache authentication hashes
• cache AFS class function calls
  • hesiod filsys and PTS lookups

[edit] Design Descisions

[edit] Pros and Cons

	advantages	disadvantages
Kerberos principals are real unix users	simple implementation fast lookups simplifies PAG operation	only 1 realm/cell can login
PHP SAPI (mod_php)	high performance up-to-date WebDAV protocol parsing code exists inherits scalability of Apache	requires user privilege separation emulation
setuid	secure separation of users principals and tokens are "safe" from Apache and each other	we're forking
Memcached	high performance follow-up operations can skip session setup steps (kinit, aklog, etc)	64M of RAM
vs. mod_waklog	performing all operations during the last phase of the Apache request sequence provides all crucial environ at once some of their missing features: ~locker paths	PHP isn't C; an Apache module would cooler

There is more research to be done into another implementation possibly based on a mod_waklog variant.

Edit this page | Discuss this page | Page history | What links here | Related changes Main Page Find: