On Tue, 23 Feb 2010 09:22:05 -0700 Jason Gerard DeRose <jder...@redhat.com> wrote:
> So I've been working on migrating freeIPA from mod_python to mod_wsgi. > This isn't a big change as the IPA server is already all WSGI > internally, but I've run into 2 unexpected problems. > > > mod_wsgi daemon mode > ==================== > > First, the easy problem. The mod_wsgi documentation clearly states > that the daemon mode is the preferred way to deploy. See the > "Defining Process Groups" section in: > > http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines > > In daemon mode, Apache starts mod_wsgi in a separate process and > communicates with it via a Unix socket. Unfortunately, Fedora12 > doesn't support daemon mode nicely out of the box and tries create > the socket in /etc/httpd/run, which of course make selinux mad (as it > should). I believe Apache is being run with the Apache home set > to /etc/httpd (which itself seems weird to me, not sure if this is a > bug). > > Anyway, we can fix this with the WSGISocketPrefix directive. But this > directive is server-scope (can't be virtual-host-scope), so we really > need to fix this in the mod_wsgi package. We just need to add this > to /etc/httpd/conf.d/wsgi.conf: > > WSGISocketPrefix /var/run/httpd/wsgi > > This config file is owned by mod_wsgi, not IPA, so I don't think IPA > should be writing stuff to this during it's install. Again, needs to > be fixed in the mod_wsgi package. I haven't tried this under > Fedora11 yet, so I don't know if the same problem is present there. Shouldn't you open a bug against mod_wsgi in fedora and have it fixed there ? > Simplify Kerberos protected URLs > ================================ > > Currently in our URL space we have: > > /ipa/xml - Kerberos protected > /ipa/json - Kerberos protected > /ipa/ui - Kerberos protected > /ipa/errors - Not protected > /ipa/config - Not protected > /ipa/crl - Not protected > > Under mod_python, we have separate handlers for the xml, json, and ui > URLs. My upcoming patch has a new WSGI middleware component this is a > single entry point at /ipa. I did this so that the LDAP auth and > session stuff is handled in exactly the same way regardless of which > app is the final target. > > Anyway, right now we have to handle stuff in a pretty funky way > (including under mod_python). We turn on Kerb auth for /ipa, then > turn it off for /ipa/errors and friends. I would really like us to > have two base URLs, something like this: > > /ipa/* - Kerberos projected > /ipa-static/* - Not projected When you say "kerberos protected" do you mean it uses mod_auth_kerb for each access, or does it include also pages you can access only if you previously authenticated but are just using a session to validate it ? I would say /ipa/auth/* - only authenticated access /ipa/* - anything else > Doesn't have to be called ipa-static, just throwing a name out there. > We can work around this (as we already do), but there 2 reasons I > think we should do this: > > 1. Security - our current approach is confusing and opens us up to > mistakes (our mistakes or a sysadmin's). > > 2. Extensibility - in the V2 cycle we have added several new > things in /ipa/*, some Kerberos protected, some not. I'm sure this > will happen again in the future, so we might as well clean this up > now. > > What do people think? I'm not sure I explained this well, but look in > install/conf/ipa.conf and you'll see what I mean. your proposal looks sane I think we already tried to do that once, better discipline should be used, but also a better, clear naming will help. Perhaps adding a README in the directory that server /ipa/ that explains what should go where, might help ? Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel