afs-backend

Warning

These scripts are orphaned. Although I believe they are still useful, I no longer use AFS and am no longer maintaining these scripts. If you would like to pick up maintenance of them, please feel free. Contact me if you would like this page to redirect to its new home.

Description

One of the facilities that we needed from AFS at Stanford and that AFS doesn't support directly is delegated volume management. Creating, releasing, and deleting volumes and changing volume quota are things that we wanted to delegate in some cases to people who would not have general AFS administrative access. This script runs under remctl (for authenticated remote execution) and permits users to perform those operations only on particular volumes, under the control of an ACL file.

Currently, only volume creation, deletion, release, and quota setting are supported, but any other action on volumes could easily be added. Each ACL entry grants an action either on a specific volume or on every volume whose name matches a regular expression. PTS groups may be used in the ACL file rather than listing individual principals. Volume creation is integrated with volcreate to automate placement of volumes on appropriate servers. Volume deletion is integrated with volnuke to record deletions and allow volumes to be deleted by path.

Also provided is a script, afs-backend-acl, that constructs the remctl ACL file from the afs-backend ACL, expanding PTS groups so that every user who is allowed to perform any action is listed in the remctl ACL.

Requirements

Unfortunately, a fair number of customizations may be required to use this script for your cell, but I've tried to document all of the ones that are needed.

This script assumes it's running under remctl (or IBM's sysctl, a K4-only way of running commands with Kerberos authentication that is at this point thankfully obsolete). The AFS fs, pts, and vos commands are required, and by default volcreate and volnuke are used for volume creation and deletion. The paths to those programs need to be set at the beginning of the script.

By default, afs-backend calls a program called volrelease to release volumes, which at our site is just a simple wrapper around vos release that retries the release several times on failure. You can either write a similar wrapper or modify the script to call vos release directly.

afs-backend uses an existing Kerberos ticket cache, the path of which is set at the top of the script, and runs aklog to obtain AFS tokens. The path to aklog must be configured. The script is written this way since, at Stanford, we used k5start to maintain a single ticket cache on systems doing trusted operations and then just reused that ticket cache in each individual script rather than teaching each script how to obtain its own credentials.

Also be sure to update the reporting address, domain, realm, and volume type mapping at the top of afs-backend and afs-backend-acl for your cell. The default principal name mapping converts principal names into Kerberos v4 equivalents before checking them against the ACL file to match normal AFS PTS conventions.
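The pieces described above (ACL rules keyed by exact volume name or by regular expression, PTS groups in place of individual principals, the Kerberos v4 style principal mapping, and the remctl ACL that afs-backend-acl derives from the afs-backend ACL) fit together as shown below. This is an added Python illustration written for this page, not afs-backend's own Perl code. The three-field ACL line format, the EXAMPLE.ORG realm, the sample PTS groups, and the handling of foreign-realm principals are all assumptions made for the example.

```python
"""Added example: a per-volume ACL check in the style of afs-backend.

Illustrative code written for this page, not the afs-backend script itself.
The ACL file format is an assumption made for the example: one rule per
line, three whitespace-separated fields,

    <action>  <volume | /regex/>  <principal | :ptsgroup>

A volume field wrapped in slashes is a regular expression; a third field
beginning with a colon names a PTS group.  '#' starts a comment.
"""
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumed local realm; afs-backend configures the realm at the top of the script.
LOCAL_REALM = "EXAMPLE.ORG"


def k5_to_k4(principal: str) -> str:
    """Map a Kerberos v5 principal to the v4-style name AFS PTS uses.

    Usual convention: user/admin@REALM -> user.admin, with the realm dropped
    when it is the local realm.  Keeping (and lowercasing) a foreign realm is
    this example's assumption; it stops rra@EVIL.EXAMPLE aliasing local user rra.
    """
    name, sep, realm = principal.partition("@")
    k4 = name.replace("/", ".")
    if sep and realm != LOCAL_REALM:
        k4 = f"{k4}@{realm.lower()}"
    return k4


class VolumeACL:
    """Rules loaded from ACL text plus a PTS group membership callback."""

    def __init__(self, text: str, pts_members: Callable[[str], Iterable[str]]):
        self._pts_members = pts_members
        self.rules: List[Tuple[str, re.Pattern, str]] = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if len(fields) != 3:
                raise ValueError(f"ACL line {lineno}: expected 3 fields, got {len(fields)}")
            action, pattern, who = fields
            if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
                regex = re.compile(pattern[1:-1])          # admin-supplied regex
            else:
                regex = re.compile(re.escape(pattern))     # literal volume name
            self.rules.append((action, regex, who))

    def _members(self, who: str) -> Set[str]:
        """Expand ':group' through PTS; a bare name is a single principal."""
        return set(self._pts_members(who[1:])) if who.startswith(":") else {who}

    def allowed(self, principal: str, action: str, volume: str) -> bool:
        """True if the authenticated (v5) principal may perform action on volume.

        fullmatch anchors every pattern, so a rule for /pub\\..*/ cannot be
        stretched to old.pub.software, and a literal name matches exactly.
        """
        k4 = k5_to_k4(principal)
        return any(
            rule_action == action
            and regex.fullmatch(volume) is not None
            and k4 in self._members(who)
            for rule_action, regex, who in self.rules
        )

    def remctl_principals(self) -> Set[str]:
        """Everyone who may do anything: what afs-backend-acl feeds to remctl."""
        out: Set[str] = set()
        for _, _, who in self.rules:
            out |= self._members(who)
        return out


# Constructed sample ACL and PTS membership for the example (not real data).
SAMPLE_ACL = r"""
# action   volume               principal or :ptsgroup
quota      user.rra             rra
release    /pub\..*/            :pubadmins
create     /grp\.cs\..*/        :cs-volmgrs
delete     /grp\.cs\..*/        :cs-volmgrs
"""

SAMPLE_PTS_GROUPS: Dict[str, List[str]] = {
    "pubadmins": ["rra", "jdoe.admin"],
    "cs-volmgrs": ["jdoe.admin"],
}


def sample_acl() -> VolumeACL:
    """Build the sample ACL with an in-memory stand-in for 'pts membership'."""
    return VolumeACL(SAMPLE_ACL, lambda group: SAMPLE_PTS_GROUPS.get(group, []))


if __name__ == "__main__":
    acl = sample_acl()
    for who, action, vol in [("rra@EXAMPLE.ORG", "quota", "user.rra"),
                             ("jdoe/admin@EXAMPLE.ORG", "release", "old.pub.software"),
                             ("rra@EVIL.EXAMPLE", "quota", "user.rra")]:
        print(f"{who:24} {action:8} {vol:18} -> {acl.allowed(who, action, vol)}")
    print("remctl ACL:", sorted(acl.remctl_principals()))
```

Two points a practitioner should take from this: the regular expressions in the ACL must be anchored (here by using fullmatch) or an entry intended for `pub.*` silently covers unrelated volumes, and the remctl ACL derived from all principals is only a coarse first gate, since it admits anyone who may do anything; the per-volume, per-action check still has to run inside the script on every request.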

Download

The programs:

afs-backend 1.21 (2005-12-22)
afs-backend-acl 1.6 (2005-06-19)

Documentation:

License

Copyright 2002, 2003, 2005 The Board of Trustees of the Leland Stanford Junior University

These programs are free software; you may redistribute them and/or modify them under the same terms as Perl itself. This means that you may choose between the two licenses that Perl is released under: the GNU GPL and the Artistic License. Please see your Perl distribution for the details and copies of the licenses.

Last spun 2022-02-06 from thread modified 2015-11-01