I probably cannot tell you the answer, but perhaps your question isn't clear
enough.

Is this what you're saying?

1. You only have access to one UNIX account on this server.
2. There are more than 16 groups that are needed to access clearcase
repositories, and your UNIX account is a member of all (or at least more
than 16) of them.
3. If you run a clearcase command, it will only use the first 16 groups of
the process's unix account and so if you required group 17 or higher for
permissions the command would fail.
4. You currently use this flash binary to explicitly list the effective
groups that a subprocess uses, e.g., your httpd program, and hence you have
to spawn multiple httpd processes to handle all combinations of groups you
need for clearcase permissions.
5. You wish to only run 1 instance of httpd, and want to know if mod_wsgi
can spawn multiple virtual hosts, each using some subset of groups like the
flash command does.

On Wed, May 19, 2010 at 1:55 PM, Jan Koprowski <[email protected]> wrote:

> I don't need ideas on how to achieve my goal another way. I have policy
> limits enforced by IT in my company on a Linux system where I don't
> even have root.
>
> In my company there is a command line tool "flash" which gets as parameters
> groups and a command to run. So I made something like this:
> /usr/bin/flash --groups a b c /home/me/apache/bin/httpd -f /user/me/apache/conf/httpd.conf
>
> I also must work as one user which must have access to all
> repositories (there are tens of projects to handle) and the standardized
> way is to use the "flash" command to operate on these repositories. I am just
> asking whether WSGI can do something like "flash" can.
>
> I know the ACL system well - really, but I'm just a simple user, not a
> superuser. I don't defend our IT - they should do something about the
> limitations and flash is only a workaround, but for now I'm just
> thinking whether WSGI allows me to increase the number of apache servers to one.
>
> Thank you for your help, but I feel that you think in OpenSource
> project categories, not in corporate limitations, and only a simple answer
> to my question will help.
>
> However I'm very grateful that you try to help :)
>
> Greetings from Poland!
> --
> Jan Koprowski
>
> On May 19, 2:48 pm, Graham Dumpleton <[email protected]>
> wrote:
> > On 19 May 2010 22:15, Jan Koprowski <[email protected]> wrote:
> >
> > > I need this to use ClearCase (cleartool binary). ACLs in ClearCase
> > > are based on Unix system groups, but it gets only the first 16 groups. So if
> > > a user belongs to 50 groups, you must eject 34 groups and leave only 16
> > > before using cleartool. And I need to choose a "few" groups in WSGI
> > > which will be inherited by the WSGI child process. Then my application may
> > > read ClearCase repositories.
> >
> > Okay. Ignoring mod_wsgi for the moment, how would you even achieve
> > that from shell command line or in standalone Python script?
> >
> > If understood how you would do it in that simpler situation, then may
> > have an idea of what needs to be done.
> >
> > Right now I would have thought that what groups you are in would be
> > fixed by what is in /etc/groups and that it couldn't be limited
> > dynamically at run time by a process.
> >
> > BTW, presuming the limitation you are hitting is probably something
> > similar to what is described in:
> >
> >  http://blogs.sun.com/peteh/date/20050614
> >
> > In other words, some basic interface which has a fixed limitation on
> > the number of groups.
> >
> > One question I would have is why you have 50 groups to even start
> > with. Read something like:
> >
> >  http://www.softpanorama.org/Access_control/groups_administration.shtml
> >
> > and it mentions the drawbacks of being a member of many groups. One
> > part of the solution for that is to use ACLs instead for access as
> > then you don't pollute the set of groups with too fine a grained group
> > membership sets.
> >
> > Even so, the problem seems to crop up in various places. One non
> > standard way I found where people try to address it is:
> >
> >  http://www.cs.washington.edu/lab/GrpAdmin/grpframe.html
> >
> > That they have to go to those lengths suggests that UNIX itself
> > doesn't supply any mechanism to do what you want.
> >
> > BTW, why can't you just run the WSGI application as user who isn't in
> > so many groups and so under the 16 limit?
> >
> > Graham
> >
> >
> >
> >
> >
> > > Greetings from Poland!
> > > --
> > > Jan Koprowski
> >
> > > On May 19, 2:02 pm, Graham Dumpleton <[email protected]>
> > > wrote:
> > >> On 19 May 2010 21:49, Jan Koprowski <[email protected]> wrote:
> >
> > >> > (I will try to write better in English)
> > >> > Hmm... This is not what I'm talking about.
> > >> > WSGIDaemonProcess project1 group=users
> >
> > >> > I know "group=name" sets the main group. The question is whether I can set a few groups.
> > >> > Something like
> >
> > >> > WSGIDaemonProcess project1 groups=users,admin,chem
> >
> > >> > and the WSGI process will be run inheriting these three groups, where the
> > >> > main group will be users (first on the list).
> >
> > >> Doing tricky things with ACLs and group membership is not something I
> > >> really know about.
> >
> > >> All I really understand is that a process executing as a user can only
> > >> have one effective group at a time.
> >
> > >> Although this comes into play in relationship to group ownership of
> > >> files/directories created by that user at that time, except to extent
> > >> dictated by g+s bit on directories, it should be noted that as far as
> > >> accessing files/directories, it is the user which is more important.
> > >> That is, if user is a member of groups users, admin and chem, then it
> > >> should be able to access files/directories where group ownership is
> > >> any one of them, irrespective of what the current effective group is.
> > >> At least that is how I understand it.
> >
> > >> Use of ACLs in modern UNIX systems complicates all this and frankly I
> > >> have never sat down and learnt properly how they work, but understand
> > >> that they allow more fine grained control over access by a user to
> > >> files/directories without needing to resort to group membership for
> > >> the user.
> >
> > >> That is probably all I can say.
> >
> > >> It may help if you can explain the underlying driver for why you think
> > >> you need what you want rather than asking how to implement your
> > >> perceived solution. There may be easier/better ways of addressing your
> > >> underlying problem.
> >
> > >> Graham
> >
> > >> > On May 19, 1:35 pm, Graham Dumpleton <[email protected]>
> > >> > wrote:
> > >> >> On 19 May 2010 21:29, Jan Koprowski <[email protected]> wrote:
> >
> > >> >> > One more thing :)
> > >> >> > I know I can set one main group for a process, but the question is whether I can run
> > >> >> > WSGI from apache with a smaller subset of groups (two or more).
> > >> >> > Now I have a few apache servers and I am trying to switch to one apache server
> > >> >> > and I hope WSGI serves this :) but if not I will still stay with a few apache
> > >> >> > servers :)
> >
> > >> >> I appreciate English may not be your first language, but it is a bit
> > >> >> hard to follow what you are after. All I can do is offer the following
> > >> >> example and you will need to read documentation and experiment with
> > >> >> it. This assumes you are using mod_wsgi 3.X.
> >
> > >> >>   WSGIDaemonProcess group1
> > >> >>   WSGIDaemonProcess group2
> > >> >>   WSGIDaemonProcess group3
> >
> > >> >>   WSGIScriptAlias / /some/path/application1.wsgi process-group=group1 application-group=%{GLOBAL}
> > >> >>   WSGIScriptAlias /suburl1 /some/path/application2.wsgi process-group=group2 application-group=%{GLOBAL}
> > >> >>   WSGIScriptAlias /suburl2 /some/path/application3.wsgi process-group=group3 application-group=%{GLOBAL}
> >
> > >> >> This creates three separate mod_wsgi daemon processes and delegates each
> > >> >> WSGI application to a different one of those three.
> >
> > >> >> The same concept applies whether or not you are using virtual hosts
> > >> >> and applications may be within different virtual hosts and not with
> > >> >> same but at different sub URLs.
> >
> > >> >> Graham
> >
> > >> >> > On May 19, 1:16 pm, Graham Dumpleton <[email protected]>
> > >> >> > wrote:
> > >> >> >> On 19 May 2010 21:13, Jan Koprowski <[email protected]> wrote:
> >
> > >> >> >> > Hi!
> >
> > >> >> >> >  How do I set a few groups for a particular WSGI process? My Python
> > >> >> >> > application communicates with clearcase, which gets only the first 16 groups,
> > >> >> >> > and I must run the Python app with only 16 groups, but different ones for each
> > >> >> >> > tool. Is this possible?
> >
> > >> >> >> Post parts of Apache configuration you are using to setup mod_wsgi for
> > >> >> >> your applications.
> >
> > >> >> >> To suggest best way, need to see how you are using it and whether
> > >> >> >> using WSGIScriptAlias or AddHandler.
> >
> > >> >> >> Also, what version of mod_wsgi are you using?
> >
> > >> >> >> Graham
> >
> > >> >> >> --
> > >> >> >> You received this message because you are subscribed to the Google Groups "modwsgi" group.
> > >> >> >> To post to this group, send email to [email protected].
> > >> >> >> To unsubscribe from this group, send email to [email protected]<modwsgi%[email protected]>.
> > >> >> >> For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.

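The group arithmetic from points 3 and 4 at the top of this message, as an added example that is not from any poster in the thread and is not the "flash" tool's code. The GIDs are constructed, and `exec_with_groups` is an assumption about what such a launcher has to do; how "flash" works internally is not stated in the thread.

```python
import os

GROUP_LIMIT = 16  # limit the thread gives for ClearCase

def truncated_view(member_of, limit=GROUP_LIMIT):
    """Split a group list into what a first-`limit`-only reader sees and what it loses."""
    ordered = list(member_of)
    return ordered[:limit], ordered[limit:]

def select_groups(required, member_of, limit=GROUP_LIMIT):
    """Validate and de-duplicate the groups to keep; the first entry is the main group."""
    keep = []
    for gid in required:
        if gid not in member_of:
            raise PermissionError(f"account is not a member of gid {gid}")
        if gid not in keep:
            keep.append(gid)
    if not keep:
        raise ValueError("at least one group is required")
    if len(keep) > limit:
        raise ValueError(f"{len(keep)} groups requested, limit is {limit}")
    return keep

def exec_with_groups(gids, argv):
    """Assumed launcher step: needs root or CAP_SETGID, so an ordinary user gets PermissionError."""
    os.setgroups(gids)        # replace the supplementary group list
    os.setgid(gids[0])        # main group = first on the list
    os.setuid(os.getuid())    # drop any elevated uid before running the command
    os.execvp(argv[0], argv)  # the command inherits exactly these groups

if __name__ == "__main__":
    member_of = list(range(1000, 1050))  # constructed: an account in 50 groups
    seen, lost = truncated_view(member_of)
    print(f"visible to a 16-group reader: {len(seen)}, ignored: {len(lost)}")
    print("kept for the child:", select_groups([1016, 1020, 1016], member_of))
    print("this process currently has", len(os.getgroups()), "supplementary groups")
```

Because `os.setgroups` is a privileged call, an unprivileged account cannot narrow its own group list; that step has to be done by a privileged launcher before the server process starts.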