Advice on deploying wsgi app using jsonfas

Robin Norwood rnorwood at redhat.com
Mon Jun 30 21:54:29 UTC 2008


On Mon, 30 Jun 2008 16:34:27 -0500 (CDT)
Mike McGrath <mmcgrath at redhat.com> wrote:

> On Mon, 30 Jun 2008, Robin Norwood wrote:
> 
> > Hi,
> >
> > So I'm working to get amber packaged and deployable as a wsgi app
> > so I can run a demo on publictest10.  I've made pretty fair
> > progress getting things up and running (on my local system first to
> > make sure it works), but I've run into an issue.
> >
> > For the setup, I'm basically ripping off the way Ricky Zhou set up
> > fas wholesale.  I have an amber.conf file in /etc/httpd/conf.d,
> > which refers to an amber.wsgi file.  All of that seems to work
> > fine.  The problem happens when I try to connect.  I get a 500
> > error with the following in httpd's error log:
> >
> > Unable to write to session file /var/www/.fedora_session: [Errno 13]
> > Permission denied: '/var/www/.fedora_session'
> >
> > Well, it turns out that this is because my app is using jsonfas,
> > which uses fedora.client.BaseClient.  In fedora/client/__init__.py,
> > I find:
> >
> > SESSION_FILE = path.join(path.expanduser('~'), '.fedora_session')
> >
> > Which explains the error - my app is running under apache, and
> > while /var/www is apache's homedir, apache can't write to that
> > directory.
> >
> > So, has anyone else worked around this with another turbogears app
> > running under wsgi and using jsonfas?  Since turbogears and fas are
> > both pretty common, it seems likely that someone here has already
> > dealt with this.
> 
> Does your application prompt users for their username and password or
> does it have one listed in the configs somewhere to access fas?  I'm
> not familiar with the .fedora_session format, does it store everyone's
> sessions?

I believe it does.  The way it seems to work is that I specify a user
to connect to FAS in the config - this gets me a fas session.  Then,
the user enters a username/password from the web form, and jsonfas
'does magic' to authenticate the user.

> I'm assuming that if someone had access to it they'd be able to become
> whoever was logged in at that time.  Probably to other applications as
> well.  I'd like to hear Toshio's advice on this, I believe he's the
> primary architect of how .fedora_session should behave.

Yeah, Toshio is the one who set this up to begin with.  I don't know if
he's ever used this sort of setup under wsgi/httpd, though.

-RN

-- 
Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching
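
Added example, not part of the original message and not python-fedora code: it rebuilds the quoted SESSION_FILE path for a given home directory, then shows one way to keep such a file in a dedicated owner-only directory and to audit its permissions, since the thread's concern is that anyone who can read the file could reuse the sessions in it. The names write_session and audit_session_file and the choice of directory are hypothetical.

```python
import os
import stat
import tempfile
from os import path


def default_session_file(home):
    # Same construction as the SESSION_FILE line quoted in the thread,
    # with the home directory passed in instead of expanduser('~').
    return path.join(home, '.fedora_session')


def write_session(session_dir, data):
    """Atomically write session bytes to session_dir/.fedora_session, mode 0600."""
    os.makedirs(session_dir, mode=0o700, exist_ok=True)
    os.chmod(session_dir, 0o700)  # makedirs' mode is filtered by the umask
    target = path.join(session_dir, '.fedora_session')
    # mkstemp creates the file with mode 0600, so it is never briefly
    # readable by other local accounts.
    fd, tmp = tempfile.mkstemp(dir=session_dir, prefix='.session-')
    try:
        with os.fdopen(fd, 'wb') as fh:
            fh.write(data)
        os.replace(tmp, target)  # atomic rename within the same directory
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def audit_session_file(filename):
    """Return a list of findings; an empty list means owner-only access."""
    findings = []
    st = os.lstat(filename)  # lstat so a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        findings.append('not a regular file')
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append('group/other access: mode %o' % stat.S_IMODE(st.st_mode))
    if st.st_uid != os.geteuid():
        findings.append('owned by uid %d, not the running uid' % st.st_uid)
    return findings
```

The directory passed to write_session would be one created for the application and owned by the httpd user, rather than the web root that /var/www represents.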
