Administrative Control Panel
----------------------------
Authentication method: CAS.
Authorization: roles.
PHP.ini
-------
PHP used must have PCNTL support.
Below are the PHP options I know must be set (pick your own timezone obviously) in php.ini:
short_open_tag = On
date.timezone = "Europe/Stockholm";
Apache config
-------------
<Directory "/opt/apache/htdocs/kp">
Options ExecCGI
AcceptPathInfo On
# SetEnv PATH /opt/php-5.3/bin:/bin:/usr/bin
# SetEnv KPSECRETS secretkey
# SetEnv KPSTASH othersecretkey
SetEnv KPHOME /var/lib/kp
SetEnv KPSESSIONTIMEOUT 480
SetEnv KPCOOKIETIMEOUT 480
SetEnv KPCASURL "https://cas.url.example/cas"
SetEnv KPCASSERVICE "http://kp.example/kp/kp"
<Files "kp">
SetHandler cgi-script
</Files>
<Files ~ "^_(exe|auth|view|tags|log|logout|file|stash)$">
SetHandler cgi-script
</Files>
</Directory>
$KPHOME/log and $KPHOME/tmp must be writable by kp.
Authorization
-------------
Populate $KPHOME/auth with files corresponding to roles.
Each file (rolefile) should contain a newline delimited list of usernames.
Users with their username in a rolefile will have access to all jobs with this role in its 'roles' file.
Directories
-----------
Under KPHOME you should create a number of directories:
auth
etc [optional]
etc/admin -- If you want users to be able to create jobs from the webinterface, this file must contain
the roles that will be able to create jobs.
exe
log
run
secrets [optional]
tmp
Anatomy of a job
----------------
Jobs are created in a subdirectory under $KPHOME/exe. One subdir per job.
The files in this drectory are:
name [optional]
Name that may contain spaces etc, for display to user.
description
Text describing the job. Usage and purpose.
roles
Names of roles that are allowed to see and execute this job. One per line.
Newline delimited.
run [optional]
tags
Tags to allow finding the job via the URL.
param1 [optional]
Description of the first parameter that the user must supply for job execution.
param2 [optional]
Description of the second parameter that the user must supply for job execution.
param3 [optional]
Description of the third parameter that the user must supply for job execution.
adminroles [optional]
Users with this role are allowed to edit the job-configuration.
creator [optional ]
Username of the job creator. Is allowed to edit the job.
Parameter description
---------------------
<text>: text <content> <max input length> <maximum display length>
<text>: select <content> <maximum display length> <options>
content: [opt:](alpha|alnum|num|path|url)
Types: text|select
alpha: [A-Za-z]+
alnum: [A-Za-z0-9]+
path: [A-Za-z0-9/_.-]+
url: [A-Za-z0-9/_+.%:-]+
num: [0-9]+
Examples.
Select a value: select alnum A B C D
Input some text: text alpha
If prefixed with "opt:" the value is allowed to be empty.
Per job secrets
---------------
If you need to have job-specific data that must be hidden from other jobs, you can
create a directory $KPHOME/secrets/SECRETKEY.
To stop other users from figuring out the secret directory:
$ chmod o-r $KPHOME/secrets
Note that the directory $KPHOME/secrets must not be owned or writable by the user running kp.
Configure the webserver to export the secret key:
SetEnv KPSECRETS <SECRETKEY>
Also note that this will not be completely secure unless you also use the sandbox functionality.
The key for KPSECRETS and KPSTASH must not be the same.
Per role secrets
---------------
If you need to have role-specific data that must be hidden from other jobs, you can
create a directory $KPHOME/secrets/SECRETKEY.
To stop other users from figuring out the secret directory:
$ chmod o-r $KPHOME/secrets
Note that the directory $KPHOME/secrets must not be owned or writable by the user running kp.
Configure the webserver to export the secret key:
SetEnv KPSTASH <SECRETKEY>
Also note that this will not be completely secure unless you also use the sandbox functionality.
The key for KPSECRETS and KPSTASH must not be the same.
Sandbox
-------
To isolate jobs from each other.
Only way to keep secrets from other jobs.
Needs the sandbox application: http://....
SetEnv KPSANDBOX yes