#23350: mod_wsgi authentication/authorization docs result in extra memory usage
---------------------------------+--------------------
Reporter: GrahamDumpleton | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.6
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------
The documentation at:
* https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/apache-auth/
uses the examples:
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup django
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
</Location>
}}}
and
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup django
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py
Require group secret-agents
Require valid-user
</Location>
}}}
Although these will work, they cause the Django application code to be
loaded more than once into the same process. That is, you end up with an
instance in one sub interpreter which handles web request, and another
instance in another sub interpreter which handles just authentication and
authorisation.
Ideally you do no want two copies as that simply increases overall memory
usage.
The original mod_wsgi documentation does point to this in the statements:
''By default the auth providers are executed in context of first
interpreter created by Python, ie., '%{GLOBAL}' and always in the Apache
child processes, never in a daemon process. The interpreter can be
overridden using the 'application-group' option to the script directive.
The namespace for authentication groups is shared with that for
application groups defined by WSGIApplicationGroup.''
''Because the auth provider is always run in the Apache child
processes and never in the context of a mod_wsgi daemon process, if the
authentication check is making use of the internals of some Python web
framework, it is recommended that the application using that web framework
also be run in embedded mode and the same application group. This is the
case as the Python web frameworks often bring in a huge amount of code
even if using only one small part of them. This will result in a lot of
memory being used in the Apache child processes just to support the auth
provider.''
To combat this double of memory usage the mod_wsgi documentation gives the
example of:
{{{
WSGIAuthUserScript /usr/local/django/mysite/apache/auth.wsgi application-
group=django
}}}
It is this use of the {{{application-group}}} argument for
{{{WSGIAuthUserScript}}} and {{{WSGIAuthGroupScript}}} that the Django
documentation doesn't use.
The Django examples therefore should really use:
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup django
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py application-
group=django
</Location>
}}}
and
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup django
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py application-
group=django
WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py application-
group=django
Require group secret-agents
Require valid-user
</Location>
}}}
On the presumption that there is only the one Django application, it may
actually be better to turn that around and force the Django application to
run in the main interpreter anyway. This is better as some third party
extension modules for Python do not work properly in sub interpreters.
Thus may be better to use:
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup %{GLOBAL}
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
</Location>
}}}
and
{{{
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup %{GLOBAL}
<Location "/secret">
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py
Require group secret-agents
Require valid-user
</Location>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/23350>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/058.28c0c88263981a40cde00c148f50707d%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
