NAME
AFS::PAG - Perl bindings for AFS PAG manipulation
SYNOPSIS
    use AFS::PAG qw(hasafs setpag unlog);

    if (hasafs()) {
        setpag();
        system('aklog') == 0
          or die "cannot get tokens\n";
        do_afs_things();
        unlog();
    }
DESCRIPTION
AFS is a distributed file system allowing cross-platform sharing of files among multiple computers. It associates client credentials (called AFS tokens) with a Process Authentication Group, or PAG. AFS::PAG makes available in Perl the PAG manipulation functions provided by the libkafs or libkopenafs libraries.
With the functions provided by this module, a Perl program can detect whether AFS is available on the local system (hasafs()) and whether it is currently running inside a PAG (haspag()). It can also create a new PAG and put the current process in it (setpag()) and remove any AFS tokens in the current PAG (unlog()).
Note that this module doesn't provide a direct way to obtain new AFS tokens. Programs that need AFS tokens should normally obtain Kerberos tickets (via whatever means) and then run the program aklog, which comes with most AFS distributions. This program will create AFS tokens from the current Kerberos ticket cache and store them in the current PAG. To isolate those credentials from the rest of the system, call setpag() before running aklog.
FUNCTIONS
This module provides the following functions, none of which are exported by default:
- hasafs()
Returns true if the local host is running an AFS client and false otherwise.
- haspag()
Returns true if the current process is running inside a PAG and false otherwise. AFS tokens obtained outside of a PAG are visible to any process on the system outside of a PAG running as the same UID. AFS tokens obtained inside a PAG are visible to any process in the same PAG, regardless of UID.
- setpag()
Creates a new, empty PAG and puts the current process in it. This should normally be called before obtaining new AFS tokens to isolate those tokens from other processes on the system. Returns true on success and throws an exception on failure.
- unlog()
Deletes all AFS tokens in the current PAG, similar to the action of kdestroy on a Kerberos ticket cache. Returns true on success and throws an exception on failure.
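The following is an added example, not code from the AFS::PAG distribution. It combines the four functions above so that tokens are confined to a fresh PAG in a child process and are deleted even when the work fails; the helper name run_in_pag(), the /afs path, and the presence of a Kerberos ticket cache and aklog on the PATH are assumptions.

```perl
use strict;
use warnings;
use AFS::PAG qw(hasafs haspag setpag unlog);

# run_in_pag() is a hypothetical helper name for this added example.
# Assumes a Kerberos ticket cache already exists and aklog is on the PATH.
sub run_in_pag {
    my ($work) = @_;
    die "no AFS client running on this host\n" unless hasafs();

    # Fork so that only the child moves into the new PAG; the caller keeps
    # whatever PAG (or lack of one) it started with.
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        my $in_new_pag = 0;
        my $ok = eval {
            setpag();    # throws "PAG creation failed: ..." on error
            $in_new_pag = 1;
            die "still outside a PAG after setpag()\n" unless haspag();
            system('aklog') == 0
              or die "cannot get tokens (wait status $?)\n";
            $work->();
            1;
        };
        my $error = $@;

        # Delete the tokens whether or not the work succeeded, but only if
        # setpag() succeeded; otherwise unlog() would remove tokens that
        # belong to the PAG or UID this process inherited.
        if ($in_new_pag) {
            eval { unlog(); 1 } or warn "token cleanup failed: $@";
        }
        warn "run_in_pag: $error" unless $ok;
        exit($ok ? 0 : 1);
    }
    waitpid($pid, 0);
    return $? == 0;
}

# Constructed usage: /afs is the conventional mount point, assumed here.
run_in_pag(sub { opendir(my $dh, '/afs') or die "cannot read /afs: $!\n" })
    or die "work inside the PAG failed\n";
```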
DIAGNOSTICS
- PAG creation failed: %s
setpag() failed. The end of the error message will be a translation of the system call error number.
- Token deletion failed: %s
unlog() failed. The end of the error message will be a translation of the system call error number.
RESTRICTIONS
This module currently doesn't provide the k_pioctl() or pioctl() function to make lower-level AFS system calls. It also doesn't provide the libkafs functions to obtain AFS tokens from Kerberos tickets directly without using an external ticket cache. This prevents use of internal Kerberos ticket caches (such as memory caches), since the Kerberos tickets used to generate AFS tokens have to be visible to an external aklog program.
AUTHOR
Russ Allbery <rra@cpan.org>
SEE ALSO
aklog(1)
The current version of this module is always available from its web site at http://www.eyrie.org/~eagle/software/afs-pag/.