So I've been working on migrating freeIPA from mod_python to mod_wsgi.
This isn't a big change as the IPA server is already all WSGI
internally, but I've run into 2 unexpected problems.

mod_wsgi daemon mode

First, the easy problem.  The mod_wsgi documentation clearly states that
the daemon mode is the preferred way to deploy.  See the "Defining
Process Groups" section in:

In daemon mode, Apache starts mod_wsgi in a separate process and
communicates with it via a Unix socket.  Unfortunately, Fedora12 doesn't
support daemon mode nicely out of the box and tries to create the socket
in /etc/httpd/run, which of course makes SELinux mad (as it should).  I
believe Apache is being run with the Apache home set to /etc/httpd
(which itself seems weird to me, not sure if this is a bug).

Anyway, we can fix this with the WSGISocketPrefix directive.  But this
directive is server-scope (can't be virtual-host-scope), so we really
need to fix this in the mod_wsgi package.  We just need to add this
to /etc/httpd/conf.d/wsgi.conf:

    WSGISocketPrefix /var/run/httpd/wsgi

This config file is owned by mod_wsgi, not IPA, so I don't think IPA
should be writing stuff to this during its install.  Again, needs to be
fixed in the mod_wsgi package.  I haven't tried this under Fedora11 yet,
so I don't know if the same problem is present there.

Simplify Kerberos protected URLs

Currently in our URL space we have:

    /ipa/xml   -  Kerberos protected
    /ipa/json  -  Kerberos protected
    /ipa/ui    -  Kerberos protected
    /ipa/errors - Not protected
    /ipa/config - Not protected
    /ipa/crl    - Not protected

Under mod_python, we have separate handlers for the xml, json, and ui
URLs.  My upcoming patch has a new WSGI middleware component that is a
single entry point at /ipa.  I did this so that the LDAP auth and
session stuff is handled in exactly the same way regardless of which app
is the final target.

Anyway, right now we have to handle stuff in a pretty funky way
(including under mod_python).  We turn on Kerb auth for /ipa, then turn
it off for /ipa/errors and friends.  I would really like us to have two
base URLs, something like this:

    /ipa/*        - Kerberos protected
    /ipa-static/* - Not protected

Doesn't have to be called ipa-static, just throwing a name out there.
We can work around this (as we already do), but there are 2 reasons I think
we should do this:

    1. Security - our current approach is confusing and opens us up to
       mistakes (our mistakes or a sysadmin's).

    2. Extensibility - in the V2 cycle we have added several new things
       in /ipa/*, some Kerberos protected, some not.  I'm sure this will
       happen again in the future, so we might as well clean this up.

What do people think?  I'm not sure I explained this well, but look in
install/conf/ipa.conf and you'll see what I mean.

Freeipa-devel mailing list
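
The two layouts discussed in the message above, sketched as Apache 2.2 / mod_auth_kerb configuration. This is an added example, not part of the original message and not the contents of install/conf/ipa.conf; the realm, keytab path and static directory are placeholders, and /ipa-static is only the name floated in the message.

```apache
# Common to both layouts: Kerberos on the whole /ipa tree.
# EXAMPLE.COM and /path/to/http.keytab are placeholders.
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /path/to/http.keytab
  Require valid-user
</Location>

# --- Layout A: opt-out (protect /ipa, then punch holes) ---
# Every public path needs its own exemption block. <Location> sections
# are merged in the order they appear, so each exemption must come
# after the /ipa block above to take effect. An exemption written too
# broadly silently exposes whatever else lives under that prefix.
<Location "/ipa/errors">
  Satisfy Any
  Allow from all
</Location>
<Location "/ipa/config">
  Satisfy Any
  Allow from all
</Location>
<Location "/ipa/crl">
  Satisfy Any
  Allow from all
</Location>

# --- Layout B: two base URLs (use instead of the Layout A blocks) ---
# Nothing under /ipa is ever exempted, so "is this URL protected?" is
# answered by its prefix alone. Public content lives in a separate tree
# that carries no auth directives at all.
# /path/to/ipa-static is a placeholder directory.
Alias /ipa-static /path/to/ipa-static
<Directory "/path/to/ipa-static">
  Order allow,deny
  Allow from all
</Directory>
```

With Layout B, a review of the config only has to confirm that no `Satisfy Any` appears anywhere under `/ipa`.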
