[Freeipa-devel] mod_wsgi troubles
Simo Sorce
ssorce at redhat.com
Tue Feb 23 20:38:55 UTC 2010
On Tue, 23 Feb 2010 09:22:05 -0700
Jason Gerard DeRose <jderose at redhat.com> wrote:
> So I've been working on migrating freeIPA from mod_python to mod_wsgi.
> This isn't a big change as the IPA server is already all WSGI
> internally, but I've run into 2 unexpected problems.
>
>
> mod_wsgi daemon mode
> ====================
>
> First, the easy problem. The mod_wsgi documentation clearly states
> that the daemon mode is the preferred way to deploy. See the
> "Defining Process Groups" section in:
>
> http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines
>
> In daemon mode, Apache starts mod_wsgi in a separate process and
> communicates with it via a Unix socket. Unfortunately, Fedora12
> doesn't support daemon mode nicely out of the box and tries create
> the socket in /etc/httpd/run, which of course make selinux mad (as it
> should). I believe Apache is being run with the Apache home set
> to /etc/httpd (which itself seems weird to me, not sure if this is a
> bug).
>
> Anyway, we can fix this with the WSGISocketPrefix directive. But this
> directive is server-scope (can't be virtual-host-scope), so we really
> need to fix this in the mod_wsgi package. We just need to add this
> to /etc/httpd/conf.d/wsgi.conf:
>
> WSGISocketPrefix /var/run/httpd/wsgi
>
> This config file is owned by mod_wsgi, not IPA, so I don't think IPA
> should be writing stuff to this during it's install. Again, needs to
> be fixed in the mod_wsgi package. I haven't tried this under
> Fedora11 yet, so I don't know if the same problem is present there.
Shouldn't you open a bug against mod_wsgi in fedora and have it fixed
there ?
> Simplify Kerberos protected URLs
> ================================
>
> Currently in our URL space we have:
>
> /ipa/xml - Kerberos protected
> /ipa/json - Kerberos protected
> /ipa/ui - Kerberos protected
> /ipa/errors - Not protected
> /ipa/config - Not protected
> /ipa/crl - Not protected
>
> Under mod_python, we have separate handlers for the xml, json, and ui
> URLs. My upcoming patch has a new WSGI middleware component this is a
> single entry point at /ipa. I did this so that the LDAP auth and
> session stuff is handled in exactly the same way regardless of which
> app is the final target.
>
> Anyway, right now we have to handle stuff in a pretty funky way
> (including under mod_python). We turn on Kerb auth for /ipa, then
> turn it off for /ipa/errors and friends. I would really like us to
> have two base URLs, something like this:
>
> /ipa/* - Kerberos projected
> /ipa-static/* - Not projected
When you say "kerberos protected" do you mean it uses mod_auth_kerb for
each access, or does it include also pages you can access only if you
previously authenticated but are just using a session to validate it ?
I would say
/ipa/auth/* - only authenticated access
/ipa/* - anything else
> Doesn't have to be called ipa-static, just throwing a name out there.
> We can work around this (as we already do), but there 2 reasons I
> think we should do this:
>
> 1. Security - our current approach is confusing and opens us up to
> mistakes (our mistakes or a sysadmin's).
>
> 2. Extensibility - in the V2 cycle we have added several new
> things in /ipa/*, some Kerberos protected, some not. I'm sure this
> will happen again in the future, so we might as well clean this up
> now.
>
> What do people think? I'm not sure I explained this well, but look in
> install/conf/ipa.conf and you'll see what I mean.
your proposal looks sane I think we already tried to do that once,
better discipline should be used, but also a better, clear naming will
help. Perhaps adding a README in the directory that server /ipa/ that
explains what should go where, might help ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list