OpenAFS

Integrating OpenAFS

In the following discussion, I assume that you have already installed OpenAFS on your system and would like to integrate AFS access with your portal. Our current installation runs on Linux, but other Unix flavors should work the same way.

Follow these basic steps:

  1. Create an AFS user that the portal will use to reach users' AFS files. For purposes of this discussion I will assume the username is 'portal'.
  2. Log in to the portal host as the Unix user that normally starts the portal (e.g. root).
  3. Issue the command:
% klog portal
Password:

This obtains an AFS token for 'portal': klog authenticates to the cell's Kerberos server and hands the resulting token to the cache manager, which keys it by the PAG if one is in effect and otherwise by the Unix UID. Start the portal's Java process from this same session so that it inherits the same PAG or UID; a token obtained in a different PAG is invisible to it. This token is what the portal then uses for every AFS file access it makes on behalf of users.

Making AFS Directories accessible

You could choose to make all directories in AFS accessible to the portal by giving "portal" read/write privileges to all directories. I have chosen a more conservative approach: a subdirectory (.Portal) is created in any file system the portal needs to reach, and only that subdirectory is opened to "portal". The name begins with a dot so that the directory is hidden from a normal listing, which reduces the chance that the user will change some data and cause the channel to fail for them. The dot is a convenience rather than a control: the AFS ACL, not the file name, decides who can read or write the directory. We do the same thing for email.

I am currently using HyperContent 1.3 to access the files since it provides a nice filesystem abstraction layer; plain Java file I/O would work just as well. When the user logs in and opens a channel that uses AFS, I attempt a HyperContent "mount". This is not a Unix mount, just HyperContent's initialization step for a file system. If it fails, HyperContent throws a FileSystemException and I prompt the user for their file system name and AFS password. Runtime.getRuntime().exec() is then called to run the following shell script (see the attached AFSFileSystem.java):

Shell Script to Initialize AFS Directory
#!/bin/csh
# Arguments: Hesiod filsys name, AFS username, AFS password.
# (See Security Issues: the password is visible in the process list while this runs.)
set fsname = "$argv[1]"
set uname = "$argv[2]"
set pwd = "$argv[3]"
# Look the locker up in Hesiod; bail out if there is no filsys record.
set dir = `hesinfo "$fsname" 'filsys'`
if ($status != 0) then
  exit 1
endif
# A filsys record looks like "AFS /afs/cell/user/j/o/joe w /mit/joe"; field 2 is the AFS path.
set afs = `echo "$dir" | awk '{ print $2 }'`
# Run the rest in a fresh PAG so the user's token stays out of the portal's own PAG.
pagsh -c /bin/csh <<EOT
klog "$uname" -password "$pwd"
# Let "portal" read and list the home directory, then give it a .Portal subdirectory.
/usr/bin/fs sa -dir "$afs" -acl portal rl
if (!(-e "$afs/.Portal")) then
  mkdir "$afs/.Portal"
  /usr/bin/fs sa -dir "$afs/.Portal" -acl portal rwlidwka
endif
# Discard the user's token again.
unlog
exit
EOT

This creates the .Portal directory and gives "portal" all rights on it (rwlidwka, which includes "a", the right to change the ACL), plus read and lookup ("rl") on the home directory itself. Keep in mind that AFS ACLs apply per directory, so "rl" on the home directory lets "portal" read any file stored directly in it; lookup alone ("l") is enough for the portal to traverse into .Portal, and "rlidwk" (the "write" shorthand) is enough inside it unless the portal has to edit the ACL. The script also assumes hesinfo returns exactly one filsys record and that it is an AFS one; a locker with several records will not work as written. Subsequent file access by the portal then proceeds normally under the "portal" token.
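As an added example (not the page's script and not the portal's own code), here is the same procedure written for /bin/sh with the exposure points closed: the user's password arrives on standard input and is fed to klog -pipe instead of appearing on the argument list, the Hesiod record and the username are validated before they are interpolated into the commands run inside the PAG, and the ACLs granted are the minimum the portal needs. It assumes hesinfo, pagsh, klog and fs behave as on the page and are on PATH, that a filsys record has the form "AFS <path> <mode> <mountpoint>" (the record quoted in the comments is a constructed example), and that the AFS user is still "portal".

```shell
#!/bin/sh
# Added example: hardened replacement for the csh initialisation script above.
# Usage (the portal writes the password to the child's stdin, not to argv):
#   printf '%s\n' "$password" | sh afs_init.sh <filsys-name> <username>
# Assumed tools: hesinfo, pagsh, klog, fs (as on the page). Assumed record format:
#   "AFS /afs/example.edu/user/j/o/joe w /mit/joe"   (constructed example)

# Accept only usernames made of characters we are willing to interpolate.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Accept only absolute /afs paths with plain characters and no ".." components.
valid_afs_path() {
    case "$1" in
        /afs/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9/._-]*|*/../*|*/..) return 1 ;;
    esac
    return 0
}

# Extract the AFS path (second field) from the first line of a Hesiod filsys
# lookup. Refuses non-AFS lockers (e.g. NFS records) and anything that fails
# valid_afs_path, so a strange record cannot become a strange fs command.
afs_path_from_filsys() {
    case "$1" in
        'AFS '*) ;;
        *) return 1 ;;
    esac
    rest=${1#"AFS "}
    path=${rest%%" "*}
    valid_afs_path "$path" || return 1
    printf '%s\n' "$path"
}

# Look the locker up, then grant "portal" the minimum rights inside a fresh PAG.
# The password is read from our stdin; only this function touches AFS.
init_portal_dir() {
    fsname=$1
    user=$2
    valid_name "$user" || { echo "init_portal_dir: bad username" >&2; return 2; }
    rec=$(hesinfo "$fsname" filsys) || return 1
    afs=$(afs_path_from_filsys "$rec") ||
        { echo "init_portal_dir: no usable AFS record for $fsname" >&2; return 1; }
    # fd 3 carries the password (our stdin) to klog -pipe; fd 0 carries the script.
    # pagsh gives the child its own PAG, so the user's token never mixes with the
    # portal's token, and unlog discards it before we return.
    # "l" on the home directory is all the portal needs to reach .Portal;
    # "rlidwk" (write) inside .Portal leaves the ACL itself under the user's control.
    pagsh -c /bin/sh 3<&0 <<EOF
klog -pipe '$user' <&3 || exit 1
fs sa -dir '$afs' -acl portal l || exit 1
if [ ! -d '$afs/.Portal' ]; then
    mkdir '$afs/.Portal' && fs sa -dir '$afs/.Portal' -acl portal rlidwk || exit 1
fi
unlog
EOF
}

if [ $# -eq 2 ]; then
    init_portal_dir "$1" "$2"
fi
```

The validation and parsing functions can be exercised on a host without an AFS client; hesinfo, klog and fs are only reached through init_portal_dir. Because the password travels on a pipe and the here-document only ever contains validated values, nothing a user types into the portal can reach the process list or alter the commands run under their token.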

Security Issues

The password for "portal" should be guarded carefully, since its theft would expose every .Portal directory (and, with "rl" on the home directories, the top level of every user's home) to an attacker. Apply the same care to access to the portal server itself: anyone who can run processes under the portal's UID or PAG holds the same token and the same rights. Note also that the script above receives the user's AFS password as a command-line argument and passes it on to klog -password; on most Unix systems the argument list of a running process is visible to every local user through ps, so each user's password is briefly exposed on the portal host. Feeding it to klog -pipe on standard input avoids this.

AFS tokens have a finite lifetime (the Kerberos ticket lifetime of your cell; a month for us), so you must periodically re-issue klog for "portal" before the old token expires, from the same session or PAG the portal runs in so that it sees the new token. The tokens command shows what is held and when it expires. If you forget, you will hear from the users when your channels stop working!