Advice on deploying wsgi app using jsonfas
Robin Norwood
rnorwood at redhat.com
Mon Jun 30 21:54:29 UTC 2008
On Mon, 30 Jun 2008 16:34:27 -0500 (CDT)
Mike McGrath <mmcgrath at redhat.com> wrote:
> On Mon, 30 Jun 2008, Robin Norwood wrote:
>
> > Hi,
> >
> > So I'm working to get amber packaged and deployable as a wsgi app
> > so I can run a demo on publictest10. I've made pretty fair
> > progress getting things up and running (on my local system first to
> > make sure it works), but I've run into an issue.
> >
> > For the setup, I'm basically ripping off the way Ricky Zhou set up
> > fas wholesale. I have an amber.conf file in /etc/httpd/conf.d,
> > which refers to an amber.wsgi file. All of that seems to work
> > fine. The problem happens when I try to connect. I get a 500
> > error with the following in httpd's error log:
> >
> > Unable to write to session file /var/www/.fedora_session: [Errno 13]
> > Permission denied: '/var/www/.fedora_session'
> >
> > Well, it turns out that this is because my app is using jsonfas,
> > which uses fedora.client.BaseClient. In fedora/client/__init__.py,
> > I find:
> >
> > SESSION_FILE = path.join(path.expanduser('~'), '.fedora_session')
> >
> > Which explains the error - my app is running under apache, and
> > while /var/www is apache's homedir, apache can't write to that
> > directory.
> >
> > So, has anyone else worked around this with another turbogears app
> > running under wsgi and using jsonfas? Since turbogears and fas are
> > both pretty common, it seems likely that someone here has already
> > dealt with this.
>
> Does your application prompt users for their username and password or
> does it have one listed in the configs somewhere to access fas? I'm
> not familiar with the .fedora_session format, does it store everyone's
> sessions?

I believe it does. The way it seems to work is that I specify a user
to connect to FAS in the config - this gets me a fas session. Then,
the user enters a username/password from the web form, and jsonfas
'does magic' to authenticate the user.

> I'm assuming that if someone had access to it they'd be able to become
> whoever was logged in at that time. Probably to other applications as
> well. I'd like to hear Toshio's advice on this, I believe he's the
> primary architect of how .fedora_session should behave

Yeah, Toshio is the one who set this up to begin with. I don't know if
he's ever used this sort of setup under wsgi/httpd, though.

-RN
--
Robin Norwood
Red Hat, Inc.
"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching
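
Added example, not part of the original message and not python-fedora code: a Python sketch of the two points raised in the thread, namely how the session file path ends up under the service account's home directory and what ownership and permissions a file holding session data should have. The function names are hypothetical and a POSIX system is assumed.

```python
import os
import stat
import tempfile


def default_session_file(home=None):
    """Same derivation as the SESSION_FILE line quoted in the thread."""
    home = os.path.expanduser('~') if home is None else home
    return os.path.join(home, '.fedora_session')


def create_private_file(path):
    """Create the file readable and writable by the owning account only."""
    # O_EXCL fails if anything (including a symlink) already exists at path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # explicit mode, independent of the umask
    finally:
        os.close(fd)


def audit_session_file(path):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    parent = os.path.dirname(path) or '.'
    if not os.path.isdir(parent):
        return ['directory does not exist']
    if not os.access(parent, os.W_OK | os.X_OK):
        findings.append('directory not writable by this account')  # Errno 13 case
    mode = os.stat(parent).st_mode
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append('directory is world-writable without the sticky bit')
    if not os.path.lexists(path):
        return findings
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return findings + ['session file is a symlink']
    if st.st_uid != os.geteuid():
        findings.append('session file owned by another account')
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append('session file accessible to group or others')
    return findings


if __name__ == '__main__':
    # Constructed demo: a private temp directory stands in for the app's state dir.
    with tempfile.TemporaryDirectory() as state_dir:
        session = default_session_file(state_dir)
        create_private_file(session)
        print(session, audit_session_file(session))
```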
More information about the Fedora-infrastructure-list
mailing list