New Uniform Access Web Project
Updated October 15, 1997
The New Uniform Access Web project will provide HTTP home pages for
University of Washington
students, staff, faculty, departments, and courses in a secure environment
with equitable allocation of resources.
- Overview
- Requirements and Design
- Schedule and Status
The existing uniform access web system,
weber,
is very successful, serving 7,000 student and staff home pages
and responding to more than 500,000 requests per day.
However, it is not suitable
as a long-term solution to our web service needs for a couple
of reasons.
- It does not separate resources used by students from those
used by faculty, staff, courses, and departments.
Popular pages of our unruly students can cause slow response
for course and department web pages.
- It requires a separate account on Saul in addition to the
e-mail account on Homer or Dante. Since there is, for most users,
no other need for the Saul account, this is a great and unnecessary
consumption of resources, and it aggravates confusion on the
part of many users.
We therefore decided to provide web service on the existing
Homer and
Dante clusters.
This will allow separation of resources, obviate
the additional saul account, and provide a generally more
integrated set of services, combining e-mail, web, and PC or Mac
file service on a single point of access.
In addition, the faculty and staff cluster will support several
web sites: staff, faculty, courses, and departments. This is
convenient because staff generally support faculty and both
provide the course and department pages.
We are taking advantage of a natural clustering of our user activity.
Although these web sites may be housed on a single machine, or
cluster of machines, they will appear to the outside world
as independent systems.
The combination of requirements to provide stable e-mail and web service,
- Separation of student resources,
- Protection of 'pine' systems and cpu cycles from web activity,
- Protection of web activity from compilations, and
- Security of web communications,
motivates these design decisions:
- Allocation of hardware
In order to isolate each service component
(email, web, and compilation) we allocate separate
machines, or clusters of machines, for each.
| People | Cluster | Web server | Development system |
| Students | Dante | Boca | Virgil |
| Faculty & Staff | Homer | Veron | Ovid |
Note that the http addresses for the web servers will not
be the machine names themselves. Instead aliases will
be used.
| students.washington.edu | -> | boca |
| staff.washington.edu | -> | veron |
| faculty.washington.edu | -> | veron |
| courses.washington.edu | -> | veron |
| depts.washington.edu | -> | veron |
- Web directories
In order to isolate users' home directories (mail folders)
from inadvertent web access we do not allow the web
server systems access to users' home directories.
This is the
same paradigm as employed on weber.
Users on the development systems will see both their
regular home directories and their web pages -
through the public_html link.
- Privacy
The web servers will provide secure communications
capability (SSL).
- Authentication
Expected functions of the staff and faculty system
will require positive identification of the client
(e.g. the Netscape user).
Not all web users are actually uniform access customers
(some are external), but all can be identified and verified by our
Kerberos database. Therefore Kerberos will be the basis of our user
identification.
Our Kerberos authentication
method is described in
Configuring an AST web server.
- Authorization
Expected functions of the staff and faculty system
will require identification of the client user
with a particular group, e.g. member of a class, is a student,
is faculty, etc.
The server will provide this group identification via the
htaccess file in an as-yet-unspecified manner.
September 8, 1997.
- We have systems installed for the homer cluster:
ovid01 for compilations, and veron01 for web service.
- The web service system will be known to users as
staff.washington.edu, faculty.washington.edu, ...
- The compilation system will be known to users as
ovid - unless there are objections - and suggestions.
- We have an Apache server, version 1.2.3, modified to support SSL
communications and Kerberos authentication. This server uses
Kerberos for a client's first connection; afterward it uses
an encrypted cookie - to limit hits on the Kerberos database.
- We have machines installed for the dante cluster:
these will have operating system software installed on 9/9/97.
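The authenticate-once pattern described for the Apache server above (Kerberos on the first connection, a cookie afterward), shown as an added Python example that is not the project's modified Apache code. The page does not describe the cookie format, so this version assumes an HMAC-authenticated cookie rather than an encrypted one; `kerberos_verify`, `SERVER_KEY`, `COOKIE_TTL` and the user table are hypothetical stand-ins.

```python
import base64, hashlib, hmac, time

SERVER_KEY = b"constructed-demo-key"       # assumption: secret held only by the web server
COOKIE_TTL = 8 * 3600                      # assumption: cookie lifetime in seconds
KDC_USERS = {"jdoe": "correct horse"}      # constructed stand-in for the Kerberos database
stats = {"kdc_hits": 0}                    # counts how often the database is consulted

def kerberos_verify(user, password):
    """Stand-in for the real Kerberos exchange (assumption, not UW's code)."""
    stats["kdc_hits"] += 1
    known = KDC_USERS.get(user)
    return known is not None and hmac.compare_digest(known.encode(), password.encode())

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_cookie(user, now):
    """Bind the user id to an expiry time under the server's key."""
    payload = f"{user}|{int(now) + COOKIE_TTL}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def check_cookie(cookie, now):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:                     # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                        # forged or altered: never trust the payload
    user, _, expires = payload.decode().rpartition("|")
    return user if int(expires) >= now else None

def authenticate(now, cookie=None, user=None, password=None):
    """Cookie first; fall back to Kerberos only when no valid cookie is presented."""
    if cookie is not None:
        who = check_cookie(cookie, now)
        if who is not None:
            return who, cookie
    if user and password and kerberos_verify(user, password):
        return user, issue_cookie(user, now)
    return None, None
```

The cookie is only as safe as the channel it travels over, which is why it belongs behind the SSL support the same server provides.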
In progress
- Finish installation of the dante systems (9/9)
- Finish installation of the apache servers (aka weber):
support tools, access log splitter, etc. (9/11)
- Install newweb utility to allow users to create web home pages. (9/12)
- Modify psh to allow rsh to web compilation machines. (?)
- Testing.
Future work
- Web page providers will want to know not only a user's identity (userid)
but also which groups he or she belongs to. For example, is
this user a member of the PE256 class? We will want to add this
group affiliation to the service.