On 20 May 2010 03:55, Jan Koprowski <[email protected]> wrote: > I don't need ideas how achieve my goal another way. I have policy > limits enforced by IT in my company on Linux system where I don't have > even root. > > In my company is command line tool "flash" which get as parameters > groups and command to run. So i made something like this: > /usr/bin/flash --groups a b c /home/me/apache/bin/httpd -f /user/me/ > apache/conf/httpd.conf > > I also must work on one user which must have access to all > repositories (there is tens of projects to handle) and standardized > way is use "flash" command to operate on this repositories. I just > asking is WSGI can do something like "flash" can?
You haven't described how the 'flash' command is implemented and I am not aware of what UNIX mechanisms allow you to do what that script is doing. Is the 'flash' command an operating system command, something supplied by ClearCase, or something written by your local admins? Is it a binary, or written in a scripting language? If the latter, then perhaps its code will tell you what it is doing so can suggest equivalent. Trying to search for a flash command associated with ClearCase on Google is near impossible because of the prevalence of the flash plugin for browsers and all the matches you get for that. > I know ACL system well - really, but I'm just simple user not > superuser. I don't defend our IT - they should do something with > limitations and flash is only a workaround but for now I'm just > thinking is WSGI allow me increase number of apache servers to one. > > Thank You for Your help but I feel that You think in OpenSource > project categories not in corporate limitations and only simple answer > to my question will help. Not at all. Doesn't matter where this was being done, if people are going to do something in a way which is known to cause issues and there are perhaps better ways of doing it, I will always call it into question and try and get people to investigate alternatives. If you work within restrictions that don't allow that then so be it and we try and work out how to work within those restrictions. BTW, is there any reason why your request handler cant execute a separate script, ie., not embedded, so as to do the operation you want and return the required data? That way the separate script could use flash command internally to switch fix ups before doing what is required. Graham > However I'm very greatful for You try to help :) > > Greetings from Poland! > -- > Jan Koprowski > > On May 19, 2:48 pm, Graham Dumpleton <[email protected]> > wrote: >> On 19 May 2010 22:15, Jan Koprowski <[email protected]> wrote: >> >> > I need this to use ClearCase (cleartool binary). ACL in ClearCase >> > based on Unix system groups but it get only first 16 groups. So If >> > user belongs to 50 groups You must before using cleartool eject 34 >> > groups and leave only 16. And I need to choose "few" groups in WSGI >> > which will be inherit by WSGI child process. Then my application may >> > read ClearCase repositories. >> >> Okay. Ignoring mod_wsgi for the moment, how would you even achieve >> that from shell command line or in standalone Python script? >> >> If understood how you would do it in that simpler situation, then may >> have an idea of what needs to be done. >> >> Right now I would have thought that what groups you are in would be >> fixed by what is in /etc/groups and that it couldn't be limited >> dynamically at run time by a process. >> >> BTW, presuming the limitation you are hitting is probably something >> similar to what is described in: >> >> http://blogs.sun.com/peteh/date/20050614 >> >> In other word, some basic interface which has fixed limitation on >> number of groups. >> >> One question I would have is why you have 50 groups to even start >> with. Read something like: >> >> http://www.softpanorama.org/Access_control/groups_administration.shtml >> >> and it mentions the drawbacks of being a member of many groups. One >> part of the solution for that is to use ACLs instead for access as >> then you dont pollute the set of groups with too fine a grained group >> membership sets. >> >> Even so, the problem seems to crop up in various places. One non >> standard way I found where people try to address it is: >> >> http://www.cs.washington.edu/lab/GrpAdmin/grpframe.html >> >> That they have to go to those lengths suggests that UNIX itself >> doesn't supply any mechanism to do what you want. >> >> BTW, why can't you just run the WSGI application as user who isn't in >> so many groups and so under the 16 limit? >> >> Graham >> >> >> >> >> >> > Greetings from Poland! >> > -- >> > Jan Koprowski >> >> > On May 19, 2:02 pm, Graham Dumpleton <[email protected]> >> > wrote: >> >> On 19 May 2010 21:49, Jan Koprowski <[email protected]> wrote: >> >> >> > (I will try write better in English) >> >> > Hmm... This is not I'm talking about. >> >> > WSGIDaemonProcess project1 group=users >> >> >> > I know "group=name" set main group. Question is I can set few groups. >> >> > Something like >> >> >> > WSGIDaemonProcess project1 groups=users,admin,chem >> >> >> > and WSGI process will be run inheriting these three groups when the >> >> > main group will be users (first on the list). >> >> >> Doing tricky things with ACLs and group membership is not something I >> >> really know about. >> >> >> All I really understand is that a process executing as a user can only >> >> have one effective group at a time. >> >> >> Although this is comes into play in relationship to group ownership of >> >> files/directories created by that user at that time, except to extent >> >> dictated by g+s bit on directories, it should be noted that as far as >> >> accessing files/directories, it is the user which is more important. >> >> That is, if user is a member of groups users, admin and chem, then it >> >> should be able to access files/directories where group ownership is >> >> any one of them, irrespective of what the current effective group is. >> >> At least that is how I understand it. >> >> >> Use of ACLs in modern UNIX systems complicates all this and frankly I >> >> have never sat down and learnt properly how they work, but understand >> >> that they allow more fine grained control over access by a user to >> >> files/directories without needing to resort to group membership for >> >> the user. >> >> >> That is probably all I can say. >> >> >> It may help if you can explain the underlying driver for why you think >> >> you need what you want rather than asking how to implement your >> >> perceived solution. There may be easier/better ways of addressing your >> >> underlying problem. >> >> >> Graham >> >> >> > On May 19, 1:35 pm, Graham Dumpleton <[email protected]> >> >> > wrote: >> >> >> On 19 May 2010 21:29, Jan Koprowski <[email protected]> wrote: >> >> >> >> > One more thing :) >> >> >> > I know I can set one main groups for Process but question is I can >> >> >> > run >> >> >> > WSGI from apache which smaller subset of groups (two, and more) >> >> >> > Now I have few apache servers and I try to switch to one apache >> >> >> > server >> >> >> > and I hope WSGI serve this :) but if not I still stay with few apache >> >> >> > servers :) >> >> >> >> I appreciate English may not be your first language, but it is a bit >> >> >> hard to follow what you are after. All I can do is offer the following >> >> >> example and you will need to read documentation and experiment with >> >> >> it. This assumes you are using mod_wsgi 3.X. >> >> >> >> WSGIDaemonProcess group1 >> >> >> WSGIDaemonProcess group2 >> >> >> WSGIDaemonProcess group3 >> >> >> >> WSGIScriptAlias / /some/path/application1.wsgi process-group=group1 >> >> >> application-group=%{GLOBAL} >> >> >> WSGIScriptAlias /suburl1 /some/path/application2.wsgi >> >> >> process-group=group2 application-group=%{GLOBAL} >> >> >> WSGIScriptAlias /suburl2 /some/path/application3.wsgi >> >> >> process-group=group3 application-group=%{GLOBAL} >> >> >> >> This creates three seperate mod_wsgi daemon process and delegates each >> >> >> WSGI application to a different one of those three. >> >> >> >> The same concept applies whether or not you are using virtual hosts >> >> >> and applications may be within different virtual hosts and not with >> >> >> same but at different sub URLs. >> >> >> >> Graham >> >> >> >> > On May 19, 1:16 pm, Graham Dumpleton <[email protected]> >> >> >> > wrote: >> >> >> >> On 19 May 2010 21:13, Jan Koprowski <[email protected]> wrote: >> >> >> >> >> > Hi! >> >> >> >> >> > How set few groups for particular WSGI process? My Python >> >> >> >> > application communicate with clearcase which get only first 16 >> >> >> >> > groups >> >> >> >> > and I must run Python App only to 16 groups but different for each >> >> >> >> > tool. Is this possible? >> >> >> >> >> Post parts of Apache configuration you are using to setup mod_wsgi >> >> >> >> for >> >> >> >> your applications. >> >> >> >> >> To suggest best way, need to see how you are using it and whether >> >> >> >> using WSGIScriptAlias or AddHandler. >> >> >> >> >> Also, what version of mod_wsgi are you using? >> >> >> >> >> Graham >> >> >> >> >> -- >> >> >> >> You received this message because you are subscribed to the Google >> >> >> >> Groups "modwsgi" group. >> >> >> >> To post to this group, send email to [email protected]. >> >> >> >> To unsubscribe from this group, send email to >> >> >> >> [email protected]. >> >> >> >> For more options, visit this group >> >> >> >> athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> >> > -- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups "modwsgi" group. >> >> >> > To post to this group, send email to [email protected]. >> >> >> > To unsubscribe from this group, send email to >> >> >> > [email protected]. >> >> >> > For more options, visit this group >> >> >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> >> -- >> >> >> You received this message because you are subscribed to the Google >> >> >> Groups "modwsgi" group. >> >> >> To post to this group, send email to [email protected]. >> >> >> To unsubscribe from this group, send email to >> >> >> [email protected]. >> >> >> For more options, visit this group >> >> >> athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> > -- >> >> > You received this message because you are subscribed to the Google >> >> > Groups "modwsgi" group. >> >> > To post to this group, send email to [email protected]. >> >> > To unsubscribe from this group, send email to >> >> > [email protected]. >> >> > For more options, visit this group >> >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> >> -- >> >> You received this message because you are subscribed to the Google Groups >> >> "modwsgi" group. >> >> To post to this group, send email to [email protected]. >> >> To unsubscribe from this group, send email to >> >> [email protected]. >> >> For more options, visit this group >> >> athttp://groups.google.com/group/modwsgi?hl=en. >> >> > -- >> > You received this message because you are subscribed to the Google Groups >> > "modwsgi" group. >> > To post to this group, send email to [email protected]. >> > To unsubscribe from this group, send email to >> > [email protected]. >> > For more options, visit this group >> > athttp://groups.google.com/group/modwsgi?hl=en. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "modwsgi" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group >> athttp://groups.google.com/group/modwsgi?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/modwsgi?hl=en. > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
