On Sep 19, 3:05 am, Robin Becker <[EMAIL PROTECTED]> wrote:
> I find I can use django users and groups to authorize apache locations and
> directories using a modified version of modpython.py(I just hacked it to check
> for required groups).
>
> I have some difficulties with this simple scheme.
>
> First off it seems to be completely separate from the normal django behaviour.
> Is there a way to get existing django tokens to be used? So if I have already
> logged in or possess a django token can I use that token to provide access to
> an
> apache controlled area?
>
> Secondly the apache validation examples all seem to use mod_python as the
> transport between apache and django. We are tending to use fastcgi (via flup
> and
> runfcgi) as it gives us greater flexibility; we can use an entirely separate
> process for the python (perhaps even a different python). Is there a way to
> use
> a fastcgi based validation?
>
> Finally, my boss wants to use a single auth database. I'm not sure that's
> feasible, but it seems reasonable to have a central controlled database app
> which only does user/groups. I think this is less desirable because of the
> possibility of permission leakage. I can imagine exporting changes into some
> other project's db so this doesn't seem impossible.
Can you perhaps gives some code examples of what your authn/authz code
looks like now so I can see how you are using groups.
The reason I am curious is that I am currently working on implementing
a solution in mod_wsgi for better using Python to support Apache
authentication and authorization. Also, the other way around,
providing hooks so a Python application can use an Apache auth
provider for the auth database. This way one can have one auth
database across Python and non Python applications, plus static pages,
hosted by Apache.
For example, Apache configuration for Basic authentication might be:
# Setup global auth provider definition.
<AuthnProviderAlias wsgi django>
WSGIAuthScript /some/path/django.wsgi
WSGIAuthenticationGroup %{GLOBAL}
</AuthnProviderAlias>
# Django instance mounted on '/'.
WSGIScriptAlias / /usr/local/django/site/apache/django.wsgi
<Directory /usr/local/django/site/apache>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
# Trac instance mounted on '/trac' running in daemon process.
WSGIDaemonProcess trac
WSGIScriptAlias /trac /usr/local/trac/site/apache/trac.wsgi
<Directory /usr/local/trac/site/apache>
WSGIProcessGroup trac
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
# Trac login uses Django auth database.
<Location /trac/login>
AuthType Basic
AuthName "Django"
AuthBasicProvider django
Require valid-user
</Location>
The script containing the authentication routine would then be
something like:
import os
os.environ['DJANGO_SETTINGS_MODULE'] = 'site.settings'
import apache.mod_auth
from django.contrib.auth.models import User
from django import db
def check_password(environ, user, password):
db.reset_queries()
kwargs = {'username': req.user, 'is_active': True}
try:
try:
user = User.objects.get(**kwargs)
except User.DoesNotExist:
return apache.mod_auth.AUTH_USER_NOT_FOUND
if user.check_password(password):
return apache.mod_auth.AUTH_GRANTED
else:
return apache.mod_auth.AUTH_DENIED
finally:
db.connection.close()
Have left a few bits out here, but in short am using the Django auth
database to authenticate access to Trac.
The Apache 2.2 auth provider mechanism only deals with authentication
and there is no provider mechanism for authorisation, ie., looking to
see if a user is in a group etc. For authorisation Apache provides a
number of different modules to perform authorisation with what
condition needs to be satisfied defined by the Require directive. In
the above example mod_authz_user is relied on simply to validate that
the user existed and had valid password.
Now what I would need to provide in the way of authz functionality so
that checks could be made in Python code on whether user satisfied
some condition am not sure. This is why I was interested your actual
case of how you wanted to use groups.
Thanks in advance for any feedback.
Graham
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
