AFS WebDAV v.B
Overview
Here I complete the most mechanically logical solution. Kerberos authentication is done early in the Apache hook processing sequence by mod_auth_kerb. I modified mod_waklog to work with Apache2 and to run during the correct stage, after mod_auth_kerb (and before mod_dav).
Results
This solution is mostly disappointing:
- Apache's mod_dav only overloads DAV-specific REQUEST_METHODs, i.e., PROPFIND, MKCOL; GETs end up falling back to the default Apache handler and run without the authenticated PAG. Access to paths without system:anyuser is broken.
  - UMich's solution: include a "default principal" for the web server to use, which users have to add to the ACLs on their paths
  - My solution: override and emulate GETs with CGI
    - undesirably decreases the modularity and security of the implementation (and breaks a few abstraction barriers)
- mod_auth_kerb performs fresh authentication for each DAV request
  - especially from Windows, DAV spawns multiple requests to resolve the state of a folder and detail its contents; this is a huge performance hit
Simply including authentication caching in this implementation would probably be a substantial improvement. Alternatively, having Apache spawn a per-user child process that holds a PAG persisting across requests would probably work as well. I'll try this approach next.
Compared to A, it's definitely worth the performance boost to hash successfully authenticated tokens for at least a few requests, especially if the request is just a reused keep-alive. Coupled with the appropriate unlog'ing after each request, this issue is a real drag on response when using the AFS gateway as a mounted file system.
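The caching idea above, sketched as an added example (not code from this page or from mod_auth_kerb): successful authentications are remembered for a short time and a bounded number of requests, keyed by an HMAC of the Authorization header so the credential itself is never stored. `AuthCache`, `fake_verify`, the header values and the principal are constructed for illustration, and Python is used only to show the logic; PAG setup and unlog'ing are not modelled.

```python
import hashlib, hmac, os, time

class AuthCache:
    """Short-lived cache of successful authentications (hypothetical helper)."""

    def __init__(self, verify, ttl=30.0, max_uses=20, clock=time.monotonic):
        self._verify = verify        # expensive check: returns a principal or None
        self._ttl, self._max_uses, self._clock = ttl, max_uses, clock
        self._key = os.urandom(32)   # per-process key: stored digests are useless elsewhere
        self._entries = {}           # digest -> [principal, expires_at, uses_left]

    def _digest(self, header):
        return hmac.new(self._key, header.encode(), hashlib.sha256).digest()

    def authenticate(self, header):
        now, digest = self._clock(), self._digest(header)
        entry = self._entries.get(digest)
        if entry and entry[1] > now and entry[2] > 0:
            entry[2] -= 1            # cache hit: spend one of the allowed reuses
            return entry[0]
        self._entries.pop(digest, None)   # expired or used up: force a fresh check
        principal = self._verify(header)
        if principal is not None:         # failures are never cached
            self._entries[digest] = [principal, now + self._ttl, self._max_uses]
        return principal

def simulate_folder_listing():
    """Replay a constructed burst of DAV requests and count real authentications."""
    good, bad = "Basic Y29uc3RydWN0ZWQ=", "Basic d3Jvbmc="   # constructed header values
    calls = []
    def fake_verify(header):         # stand-in for the per-request Kerberos check
        calls.append(header)
        return "alice@EXAMPLE.ORG" if header == good else None
    now = [0.0]                      # controllable clock so expiry can be shown
    cache = AuthCache(fake_verify, ttl=30.0, max_uses=20, clock=lambda: now[0])
    burst = [cache.authenticate(good) for _ in range(8)]    # one folder open, 8 requests
    failed = [cache.authenticate(bad) for _ in range(2)]    # each failure is re-checked
    after_burst = len(calls)
    now[0] = 31.0                    # past the TTL: the next request re-authenticates
    cache.authenticate(good)
    return burst, failed, after_burst, len(calls)

if __name__ == "__main__":
    print(simulate_folder_listing())
```

The TTL and reuse limit bound how long a revoked or changed credential keeps working, so both should stay small.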