Integrating OpenAFS
In the following discussion, I will assume that you have already installed OpenAFS on your system and would like to integrate AFS access with your portal. Our current installation uses Linux but I assume other Unix flavors will work the same.
Follow these basic steps:
- Create an AFS username that the portal will use to access users' AFS files. For purposes of this discussion I will assume the username is 'portal'.
- Log in to your portal host under the username that you normally use to start the portal (e.g. root).
- Issue the command:
% klog portal
Password:
This will create a Kerberos token for the username. This token is used to access the AFS files.
Making AFS Directories accessible
You could choose to make all directories in AFS accessible to the portal by giving "portal" read/write privileges to all directories. I have chosen a more conservative approach by creating a subdirectory (.Portal) in any filesystem that needs access. This directory is hidden to reduce the chance that the user might change some data that would cause the channel to fail for this user. We do the same thing for email.
I am currently using HyperContent 1.3 to access the files since it provides a nice filesystem abstraction layer; plain Java file access would work just as well. When the user logs in and accesses a channel that uses AFS, I attempt a HyperContent "mount". This is not a Unix "mount" but just an initialization process for HyperContent. If this fails, HyperContent reports a FileSystemException and I prompt the user for their file system name and AFS password. System.exec is then called to execute the following shell script (see attached AFSFileSystem.java):
#!/bin/csh
# Arguments: Hesiod filesystem name, AFS username, AFS password.
# Note: argv[3] is passed on the command line, so it is visible in the
# process list (ps) for as long as this script and klog are running.
set fsname = "$argv[1]"
set uname = "$argv[2]"
set pwd = "$argv[3]"
# Resolve the user's home volume path from the Hesiod 'filsys' record;
# the second field of the record is the AFS path.
set dir = `hesinfo "$fsname" 'filsys'`
if ($status != 0) then
    exit 1
endif
set afs = `echo "$dir" | awk '{ print $2 }'`
# Run the rest in a fresh PAG (process authentication group) so the user's
# token is tied to this subshell only and is dropped by unlog at the end.
# Inside: the portal user gets read/lookup on the home directory and full
# rights only on the hidden .Portal subdirectory.
pagsh -c /bin/csh <<EOT
klog "$uname" -password "$pwd"
/usr/bin/fs sa -dir "$afs" -acl portal rl
if (!(-e "$afs/.Portal")) then
    mkdir "$afs/.Portal"
    /usr/bin/fs sa -dir "$afs/.Portal" -acl portal rwlidwka
endif
unlog
exit
EOT
This will create the .Portal directory and give the "portal" user full access to this directory. Subsequent access will work like any other file access.
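To verify that the ACLs the script grants stay at the intended minimum (read/lookup for "portal" on the home directory, full rights only on .Portal), here is an added Python audit that is not part of the original page or HyperContent. It parses the output of `fs listacl`; the cell paths and the sample output below are constructed for illustration.

```python
import subprocess
from typing import Dict, List, Tuple

PORTAL_USER = "portal"
# Rights the setup script grants: rl on the home directory, rwlidwka on .Portal.
EXPECTED = {"home": "rl", ".Portal": "rwlidwka"}
WRITE_CLASS = set("widka")  # insert, delete, write, lock, administer


def parse_listacl(output: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split `fs listacl` text into ({principal: rights}, {principal: negative rights})."""
    normal, negative, target = {}, {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Normal rights:"):
            target = normal
        elif line.startswith("Negative rights:"):
            target = negative
        elif target is not None and len(line.split()) == 2:
            who, rights = line.split()
            target[who] = rights
    return normal, negative


def audit(output: str, expected: str) -> List[str]:
    """Return findings for one directory; an empty list means the ACL matches the intent."""
    normal, negative = parse_listacl(output)
    findings = []
    got = normal.get(PORTAL_USER)
    if got is None:
        findings.append(f"{PORTAL_USER} has no entry (the channel will fail for this user)")
    elif set(got) != set(expected):
        findings.append(f"{PORTAL_USER} has '{got}', expected '{expected}'")
    if PORTAL_USER in negative:
        findings.append(f"{PORTAL_USER} has negative rights '{negative[PORTAL_USER]}'")
    for who, rights in normal.items():  # anyone-wide write access defeats the hidden dir
        if who in ("system:anyuser", "system:authuser") and set(rights) & WRITE_CLASS:
            findings.append(f"{who} has write-class rights '{rights}'")
    return findings


def audit_path(path: str, expected: str) -> List[str]:
    """Audit a live AFS path (needs a valid token in the calling PAG)."""
    out = subprocess.run(["fs", "listacl", path], capture_output=True, text=True, check=True)
    return audit(out.stdout, expected)


# Constructed sample output, in the layout `fs listacl` prints.
SAMPLE_HOME = "Access list for /afs/example.edu/user/jdoe is\nNormal rights:\n" \
    "  system:administrators rlidwka\n  jdoe rlidwka\n  portal rl\n"
SAMPLE_PORTAL = "Access list for /afs/example.edu/user/jdoe/.Portal is\nNormal rights:\n" \
    "  system:administrators rlidwka\n  jdoe rlidwka\n  portal rwlidwka\n"
SAMPLE_OVERBROAD = "Access list for /afs/example.edu/user/jdoe is\nNormal rights:\n" \
    "  jdoe rlidwka\n  portal rlidwka\n  system:anyuser rlw\n"
```

Run `audit_path("/afs/<cell>/user/<name>", EXPECTED["home"])` and the same for the .Portal subdirectory from a shell that holds the portal token; any non-empty result is a directory whose ACL drifted from the script's intent.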
Security Issues
The password for "portal" should be guarded carefully since theft could open up a large number of user directories to hacking. Careful security procedures should also be applied to server access for the same reason.
AFS tokens usually have a lifetime (monthly for us), so you should periodically issue a klog command to refresh the token. If you don't, you will hear from the users when your channels stop working!