On 19 May 2010 22:15, Jan Koprowski <[email protected]> wrote: > I need this to use ClearCase (cleartool binary). ACL in ClearCase > based on Unix system groups but it get only first 16 groups. So If > user belongs to 50 groups You must before using cleartool eject 34 > groups and leave only 16. And I need to choose "few" groups in WSGI > which will be inherit by WSGI child process. Then my application may > read ClearCase repositories.
Okay. Ignoring mod_wsgi for the moment, how would you even achieve that from shell command line or in standalone Python script? If understood how you would do it in that simpler situation, then may have an idea of what needs to be done. Right now I would have thought that what groups you are in would be fixed by what is in /etc/groups and that it couldn't be limited dynamically at run time by a process. BTW, presuming the limitation you are hitting is probably something similar to what is described in: http://blogs.sun.com/peteh/date/20050614 In other word, some basic interface which has fixed limitation on number of groups. One question I would have is why you have 50 groups to even start with. Read something like: http://www.softpanorama.org/Access_control/groups_administration.shtml and it mentions the drawbacks of being a member of many groups. One part of the solution for that is to use ACLs instead for access as then you dont pollute the set of groups with too fine a grained group membership sets. Even so, the problem seems to crop up in various places. One non standard way I found where people try to address it is: http://www.cs.washington.edu/lab/GrpAdmin/grpframe.html That they have to go to those lengths suggests that UNIX itself doesn't supply any mechanism to do what you want. BTW, why can't you just run the WSGI application as user who isn't in so many groups and so under the 16 limit? Graham > Greetings from Poland! > -- > Jan Koprowski > > On May 19, 2:02 pm, Graham Dumpleton <[email protected]> > wrote: >> On 19 May 2010 21:49, Jan Koprowski <[email protected]> wrote: >> >> > (I will try write better in English) >> > Hmm... This is not I'm talking about. >> > WSGIDaemonProcess project1 group=users >> >> > I know "group=name" set main group. Question is I can set few groups. >> > Something like >> >> > WSGIDaemonProcess project1 groups=users,admin,chem >> >> > and WSGI process will be run inheriting these three groups when the >> > main group will be users (first on the list). >> >> Doing tricky things with ACLs and group membership is not something I >> really know about. >> >> All I really understand is that a process executing as a user can only >> have one effective group at a time. >> >> Although this is comes into play in relationship to group ownership of >> files/directories created by that user at that time, except to extent >> dictated by g+s bit on directories, it should be noted that as far as >> accessing files/directories, it is the user which is more important. >> That is, if user is a member of groups users, admin and chem, then it >> should be able to access files/directories where group ownership is >> any one of them, irrespective of what the current effective group is. >> At least that is how I understand it. >> >> Use of ACLs in modern UNIX systems complicates all this and frankly I >> have never sat down and learnt properly how they work, but understand >> that they allow more fine grained control over access by a user to >> files/directories without needing to resort to group membership for >> the user. >> >> That is probably all I can say. >> >> It may help if you can explain the underlying driver for why you think >> you need what you want rather than asking how to implement your >> perceived solution. There may be easier/better ways of addressing your >> underlying problem. >> >> Graham >> >> >> >> >> >> > On May 19, 1:35 pm, Graham Dumpleton <[email protected]> >> > wrote: >> >> On 19 May 2010 21:29, Jan Koprowski <[email protected]> wrote: >> >> >> > One more thing :) >> >> > I know I can set one main groups for Process but question is I can run >> >> > WSGI from apache which smaller subset of groups (two, and more) >> >> > Now I have few apache servers and I try to switch to one apache server >> >> > and I hope WSGI serve this :) but if not I still stay with few apache >> >> > servers :) >> >> >> I appreciate English may not be your first language, but it is a bit >> >> hard to follow what you are after. All I can do is offer the following >> >> example and you will need to read documentation and experiment with >> >> it. This assumes you are using mod_wsgi 3.X. >> >> >> WSGIDaemonProcess group1 >> >> WSGIDaemonProcess group2 >> >> WSGIDaemonProcess group3 >> >> >> WSGIScriptAlias / /some/path/application1.wsgi process-group=group1 >> >> application-group=%{GLOBAL} >> >> WSGIScriptAlias /suburl1 /some/path/application2.wsgi >> >> process-group=group2 application-group=%{GLOBAL} >> >> WSGIScriptAlias /suburl2 /some/path/application3.wsgi >> >> process-group=group3 application-group=%{GLOBAL} >> >> >> This creates three seperate mod_wsgi daemon process and delegates each >> >> WSGI application to a different one of those three. >> >> >> The same concept applies whether or not you are using virtual hosts >> >> and applications may be within different virtual hosts and not with >> >> same but at different sub URLs. >> >> >> Graham >> >> >> > On May 19, 1:16 pm, Graham Dumpleton <[email protected]> >> >> > wrote: >> >> >> On 19 May 2010 21:13, Jan Koprowski <[email protected]> wrote: >> >> >> >> > Hi! >> >> >> >> > How set few groups for particular WSGI process? My Python >> >> >> > application communicate with clearcase which get only first 16 groups >> >> >> > and I must run Python App only to 16 groups but different for each >> >> >> > tool. Is this possible? >> >> >> >> Post parts of Apache configuration you are using to setup mod_wsgi for >> >> >> your applications. >> >> >> >> To suggest best way, need to see how you are using it and whether >> >> >> using WSGIScriptAlias or AddHandler. >> >> >> >> Also, what version of mod_wsgi are you using? >> >> >> >> Graham >> >> >> >> -- >> >> >> You received this message because you are subscribed to the Google >> >> >> Groups "modwsgi" group. >> >> >> To post to this group, send email to [email protected]. >> >> >> To unsubscribe from this group, send email to >> >> >> [email protected]. >> >> >> For more options, visit this group >> >> >> athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> > -- >> >> > You received this message because you are subscribed to the Google >> >> > Groups "modwsgi" group. >> >> > To post to this group, send email to [email protected]. >> >> > To unsubscribe from this group, send email to >> >> > [email protected]. >> >> > For more options, visit this group >> >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> -- >> >> You received this message because you are subscribed to the Google Groups >> >> "modwsgi" group. >> >> To post to this group, send email to [email protected]. >> >> To unsubscribe from this group, send email to >> >> [email protected]. >> >> For more options, visit this group >> >> athttp://groups.google.com/group/modwsgi?hl=en. >> >> > -- >> > You received this message because you are subscribed to the Google Groups >> > "modwsgi" group. >> > To post to this group, send email to [email protected]. >> > To unsubscribe from this group, send email to >> > [email protected]. >> > For more options, visit this group >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group >> athttp://groups.google.com/group/modwsgi?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/modwsgi?hl=en. > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
