A Lightweight Cloud Object Repository


The Persistent Object Depository (pod) is a lightweight web-based front-end for a cloud object store. It can run as a service within a Web server using the server's file system as repository. The pod provides a simple interface for users to create and update storage objects and share those objects with other users and services in a controlled way.

The pod is well-suited to store images and certificates for use within a GENI/ORCA federation. It has features to protect and index credentials, enabling it to serve as the backbone of a distributed authorization system based on ABAC. Users may link credentials with their identities (public keys) and/or with objects they control, such as slices or images.

Requirement for holding this service

YII framework http://yii.googlecode.com/files/yii-1.1.8.r3324.tar.gz Apache2 Web Server http://archive.apache.org/dist/httpd/ PHP Engine http://php.net/releases/ (version 5.3.0+ is required, version 5.3.0 is preferred) MYSQL Database Server http://downloads.mysql.com/archives.php


1. add PHP and MYSQL to Apache2 Web Server, modify their configurations described below:

  • Apache2 Enable ssl and client certificate authentication through ssl: open the %APACHE_HOME%/conf/extra/httpd-ssl.conf, modify the statements as presented below
    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    SSLCACertificateFile "<the path to your CA certificate>"
    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    SSLOptions +ExportCertData
    append the trusted CA certificates to the file that "SSLCACertificateFile" points to, so that all the personal certificates that signed by those CA can be authenticated.
  • PHP Check phpinfo() to make sure "MYSQL" model and "zip" model are enabled. If not, enable them in php.ini file like this:
    change the maximum allowed size for uploaded files
    ; Whether to allow HTTP file uploads.
    file_uploads = On
    ; Maximum allowed size for uploaded files, change the value as you want
    upload_max_filesize = 200M
    ; Maximum size of POST data that PHP will accept. Must be larger than "upload_max_filesize"
    post_max_size = 800M

2. Deploy the orca-pod application

  • Download and decompress "yii-1.1.8.r3324.tar.gz", copy the "yii-1.1.8.r3324/framework" folder to the root directory of Apache2 server
  • Put the "orca-pod" folder to the root directory of Apache2 server, the same folder that "framework" folder lays in
  • Open "orca-pod/protected/config/main.php", find the statement like this
    			'connectionString' => 'mysql:host=<hostname>;dbname=pod',
    			'emulatePrepare' => true,
    			'username' => '<your username>',
    			'password' => '<your password>',
    			'charset' => 'utf8',
    Replace the 'host','username','password' with correct host name, user name and password
  • Authorize the "write" permission to "orca-pod/data/", "orca-pod/assets/", "orca-pod/temp/" and "orca-pod/protected/runtime/" directories.
  • Execute "orca-pod/protected/data/tbCreation.sql" in MYSQL for tables creation and data insertion. (NOTE: Please change the attributes' values in table "email_set" if you decide to use another account for sending emails.)
  • add authorized emailbox domains in "orca-pod/protected/components/emailcontroller/whitelist.txt". The format: '@'+emailbox domain. Examples are like
    NOTE: if the file "orca-pod/protected/components/emailcontroller/whitelist.txt" doesn't exist or it's empty, all the valid email addresses are authorized
  • Open "orca-pod/protected/config/main.php", find the statement like this
    		'SMTPauth'=>true,//the default value is false. if it's false, SMTPpassword variable is required to be set
    		'SMTPsecure'=>false,//indicate if using ssl
  • configure the variables related to SMTP server for sending notification email

3. Usage

Once the deployment succeeds, you could visit the object creation page at https://server_name/orca-pod. Then the instructions of how to access your created object will be sent to the email address you filled in the creation stage. NOTE: if the uploaded file is in zip format, it will be decompressed and each file in it will be considered as an object seperately.

You could revoke a certificate by accessing https://server_name/orca-pod/site/revoke.

You could add links between subjects plus scope by accesing https://server_name/orca-pod/site/addLink.