Exactly! Perfectly!

On May 19, 8:58 pm, Alec Shaner <[email protected]> wrote:
> I probably cannot tell you the answer, but perhaps your question isn't clear
> enough.
>
> Is this what you're saying?
>
> 1. You only have access to one UNIX account on this server.
> 2. There are more than 16 groups that are needed to access clearcase
> repositories, and your UNIX account is a member of all (or at least more
> than 16) of them.
> 3. If you run a clearcase command, it will only use the first 16 groups of
> the process's unix account and so if you required group 17 or higher for
> permissions the command would fail.
> 4. You currently use this flash binary to explicitly list the effective
> groups that a subprocess uses, e.g., your httpd program, and hence you have
> to spawn multiple httpd processes to handle all combinations of groups you
> need for clearcase permissions.
> 5. You wish to only run 1 instance of httpd, and want to know if mod_wsgi
> can spawn multiple virtual hosts, each using some subset of groups like the
> flash command does.
>
> On Wed, May 19, 2010 at 1:55 PM, Jan Koprowski <[email protected]> wrote:
>
> > I don't need ideas how achieve my goal another way. I have policy
> > limits enforced by IT in my company on Linux system where I don't have
> > even root.
> >
> > In my company is command line tool "flash" which get as parameters
> > groups and command to run. So i made something like this:
> > /usr/bin/flash --groups a b c /home/me/apache/bin/httpd -f /user/me/apache/conf/httpd.conf
> >
> > I also must work on one user which must have access to all
> > repositories (there is tens of projects to handle) and standardized
> > way is use "flash" command to operate on this repositories. I just
> > asking is WSGI can do something like "flash" can?
> >
> > I know ACL system well - really, but I'm just simple user not
> > superuser. I don't defend our IT - they should do something with
> > limitations and flash is only a workaround but for now I'm just
> > thinking is WSGI allow me increase number of apache servers to one.
> >
> > Thank You for Your help but I feel that You think in OpenSource
> > project categories not in corporate limitations and only simple answer
> > to my question will help.
> >
> > However I'm very grateful for You try to help :)
> >
> > Greetings from Poland!
> > --
> > Jan Koprowski
> >
> > On May 19, 2:48 pm, Graham Dumpleton <[email protected]> wrote:
> > > On 19 May 2010 22:15, Jan Koprowski <[email protected]> wrote:
> > >
> > > > I need this to use ClearCase (cleartool binary). ACL in ClearCase
> > > > based on Unix system groups but it get only first 16 groups. So If
> > > > user belongs to 50 groups You must before using cleartool eject 34
> > > > groups and leave only 16. And I need to choose "few" groups in WSGI
> > > > which will be inherit by WSGI child process. Then my application may
> > > > read ClearCase repositories.
> > >
> > > Okay. Ignoring mod_wsgi for the moment, how would you even achieve
> > > that from shell command line or in standalone Python script?
> > >
> > > If understood how you would do it in that simpler situation, then may
> > > have an idea of what needs to be done.
> > >
> > > Right now I would have thought that what groups you are in would be
> > > fixed by what is in /etc/groups and that it couldn't be limited
> > > dynamically at run time by a process.
> > >
> > > BTW, presuming the limitation you are hitting is probably something
> > > similar to what is described in:
> > >
> > > http://blogs.sun.com/peteh/date/20050614
> > >
> > > In other word, some basic interface which has fixed limitation on
> > > number of groups.
> > >
> > > One question I would have is why you have 50 groups to even start
> > > with. Read something like:
> > >
> > > http://www.softpanorama.org/Access_control/groups_administration.shtml
> > >
> > > and it mentions the drawbacks of being a member of many groups. One
> > > part of the solution for that is to use ACLs instead for access as
> > > then you don't pollute the set of groups with too fine a grained group
> > > membership sets.
> > >
> > > Even so, the problem seems to crop up in various places. One non
> > > standard way I found where people try to address it is:
> > >
> > > http://www.cs.washington.edu/lab/GrpAdmin/grpframe.html
> > >
> > > That they have to go to those lengths suggests that UNIX itself
> > > doesn't supply any mechanism to do what you want.
> > >
> > > BTW, why can't you just run the WSGI application as user who isn't in
> > > so many groups and so under the 16 limit?
> > >
> > > Graham
> > >
> > > > Greetings from Poland!
> > > > --
> > > > Jan Koprowski
> > > >
> > > > On May 19, 2:02 pm, Graham Dumpleton <[email protected]> wrote:
> > > >> On 19 May 2010 21:49, Jan Koprowski <[email protected]> wrote:
> > > >>
> > > >> > (I will try write better in English)
> > > >> > Hmm... This is not I'm talking about.
> > > >> > WSGIDaemonProcess project1 group=users
> > > >> >
> > > >> > I know "group=name" set main group. Question is I can set few groups.
> > > >> > Something like
> > > >> >
> > > >> > WSGIDaemonProcess project1 groups=users,admin,chem
> > > >> >
> > > >> > and WSGI process will be run inheriting these three groups when the
> > > >> > main group will be users (first on the list).
> > > >>
> > > >> Doing tricky things with ACLs and group membership is not something I
> > > >> really know about.
> > > >>
> > > >> All I really understand is that a process executing as a user can only
> > > >> have one effective group at a time.
> > > >>
> > > >> Although this comes into play in relationship to group ownership of
> > > >> files/directories created by that user at that time, except to extent
> > > >> dictated by g+s bit on directories, it should be noted that as far as
> > > >> accessing files/directories, it is the user which is more important.
> > > >> That is, if user is a member of groups users, admin and chem, then it
> > > >> should be able to access files/directories where group ownership is
> > > >> any one of them, irrespective of what the current effective group is.
> > > >> At least that is how I understand it.
> > > >>
> > > >> Use of ACLs in modern UNIX systems complicates all this and frankly I
> > > >> have never sat down and learnt properly how they work, but understand
> > > >> that they allow more fine grained control over access by a user to
> > > >> files/directories without needing to resort to group membership for
> > > >> the user.
> > > >>
> > > >> That is probably all I can say.
> > > >>
> > > >> It may help if you can explain the underlying driver for why you think
> > > >> you need what you want rather than asking how to implement your
> > > >> perceived solution. There may be easier/better ways of addressing your
> > > >> underlying problem.
> > > >>
> > > >> Graham
> > > >>
> > > >> > On May 19, 1:35 pm, Graham Dumpleton <[email protected]> wrote:
> > > >> >> On 19 May 2010 21:29, Jan Koprowski <[email protected]> wrote:
> > > >> >>
> > > >> >> > One more thing :)
> > > >> >> > I know I can set one main groups for Process but question is I can run
> > > >> >> > WSGI from apache which smaller subset of groups (two, and more)
> > > >> >> > Now I have few apache servers and I try to switch to one apache server
> > > >> >> > and I hope WSGI serve this :) but if not I still stay with few apache
> > > >> >> > servers :)
> > > >> >>
> > > >> >> I appreciate English may not be your first language, but it is a bit
> > > >> >> hard to follow what you are after. All I can do is offer the following
> > > >> >> example and you will need to read documentation and experiment with
> > > >> >> it. This assumes you are using mod_wsgi 3.X.
> > > >> >>
> > > >> >> WSGIDaemonProcess group1
> > > >> >> WSGIDaemonProcess group2
> > > >> >> WSGIDaemonProcess group3
> > > >> >>
> > > >> >> WSGIScriptAlias / /some/path/application1.wsgi process-group=group1 application-group=%{GLOBAL}
> > > >> >> WSGIScriptAlias /suburl1 /some/path/application2.wsgi process-group=group2 application-group=%{GLOBAL}
> > > >> >> WSGIScriptAlias /suburl2 /some/path/application3.wsgi process-group=group3 application-group=%{GLOBAL}
> > > >> >>
> > > >> >> This creates three separate mod_wsgi daemon process and delegates each
> > > >> >> WSGI application to a different one of those three.
> > > >> >>
> > > >> >> The same concept applies whether or not you are using virtual hosts
> > > >> >> and applications may be within different virtual hosts and not with
> > > >> >> same but at different sub URLs.
> > > >> >>
> > > >> >> Graham
> > > >> >>
> > > >> >> > On May 19, 1:16 pm, Graham Dumpleton <[email protected]> wrote:
> > > >> >> >> On 19 May 2010 21:13, Jan Koprowski <[email protected]> wrote:
> > > >> >> >>
> > > >> >> >> > Hi!
> > > >> >> >> >
> > > >> >> >> > How set few groups for particular WSGI process? My Python
> > > >> >> >> > application communicate with clearcase which get only first 16 groups
> > > >> >> >> > and I must run Python App only to 16 groups but different for each
> > > >> >> >> > tool. Is this possible?
> > > >> >> >>
> > > >> >> >> Post parts of Apache configuration you are using to setup mod_wsgi for
> > > >> >> >> your applications.
> > > >> >> >>
> > > >> >> >> To suggest best way, need to see how you are using it and whether
> > > >> >> >> using WSGIScriptAlias or AddHandler.
> > > >> >> >>
> > > >> >> >> Also, what version of mod_wsgi are you using?
> > > >> >> >>
> > > >> >> >> Graham
--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
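
The question raised in the thread, how a standalone Python script would restrict the groups a child process runs with, comes down to `setgroups(2)`, which on Linux needs root or `CAP_SETGID`. The following is an added example, not code from the thread, from mod_wsgi, or from the "flash" tool mentioned above: a wrapper that narrows the supplementary group list before exec and refuses any group the caller does not already hold. The 16-group limit is taken from the thread; the script name and the `--` separator are assumptions.

```python
import grp
import os
import sys

GROUP_LIMIT = 16  # number of groups ClearCase reads, per the thread


def plan_groups(names, held_gids, resolve=None, limit=GROUP_LIMIT):
    """Map group names to GIDs for a narrowed supplementary list.

    Only groups the caller already holds are accepted, so a privileged
    helper built on this can narrow the group set but never widen it.
    """
    if resolve is None:
        resolve = lambda name: grp.getgrnam(name).gr_gid  # KeyError if unknown
    gids = []
    for name in names:
        try:
            gid = resolve(name)
        except KeyError:
            raise ValueError(f"unknown group: {name}") from None
        if gid not in held_gids:
            raise PermissionError(f"caller is not a member of {name}")
        if gid not in gids:  # keep the requested order, drop duplicates
            gids.append(gid)
    if not gids:
        raise ValueError("no groups requested")
    if len(gids) > limit:
        raise ValueError(f"{len(gids)} groups requested, limit is {limit}")
    return gids


def exec_with_groups(names, argv):
    """Replace the supplementary group list, then exec argv.

    Only the supplementary list changes; uid and primary gid stay as they are.
    """
    held = set(os.getgroups()) | {os.getegid()}
    gids = plan_groups(names, held)
    try:
        os.setgroups(gids)  # needs root or CAP_SETGID on Linux
    except PermissionError:
        sys.exit("setgroups() refused: an unprivileged process cannot change its group list")
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    # Hypothetical usage: narrow_groups.py a b c -- /path/to/httpd -f httpd.conf
    split = sys.argv.index("--")
    exec_with_groups(sys.argv[1:split], sys.argv[split + 1:])
```

Run without privilege, the script exits at `setgroups()`, which is why an unprivileged account depends on a helper installed by the administrators.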
