author | Jason Gerard DeRose <jderose@redhat.com> | 2010-02-24 11:29:23 -0700 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2010-03-01 20:22:22 -0700 |
commit | 1d529a8d09a2577da9a3883572c2f8ae6dd04d58 (patch) | |
tree | 79f3ae824c739232b8c3ac835f04e3799ec4ce60 /install | |
parent | 942919bef77030b10a96cab66ab878a8a3d7ef10 (diff) | |
Run ipaserver under mod_wsgi
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 103 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/wsgi.py | 13 |
3 files changed, 54 insertions, 63 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f5987fbea..dba47c5a4 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -4,7 +4,6 @@ # LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off -PythonImport ipaserver main_interpreter # ipa-rewrite.conf is loaded separately 
@@ -12,79 +11,47 @@ PythonImport ipaserver main_interpreter AddType application/java-archive jar +# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package +# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: +WSGISocketPrefix /var/run/httpd/wsgi -<Location "/ipa"> - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /ipa/errors/unauthorized.html - - SetHandler python-program - PythonInterpreter main_interpreter - PythonHandler ipaserver::handler - PythonDebug Off - PythonOption SCRIPT_NAME /ipa - PythonAutoReload Off - -</Location> - -#<Location "/ipa/xml"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::xmlrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/xml -# PythonAutoReload Off -#</Location> - -#<Location "/ipa/json"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::jsonrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/json -# PythonAutoReload Off -#</Location> - -#<Location "/ipa/ui"> -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::webui -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/ui -# PythonAutoReload Off -#</Location> -Alias /ipa-assets/ "/var/cache/ipa/assets/" -<Directory "/var/cache/ipa/assets"> - Allow from all - AllowOverride None - # add Indexes to Options to allow browsing - Options FollowSymLinks - ExpiresActive On - ExpiresDefault A31536000 -</Directory> +# Configure mod_wsgi handler for /ipa +WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 +WSGIProcessGroup ipa +WSGIApplicationGroup ipa +WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa +WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py +WSGIScriptReloading Off +# Turn 
off mod_msgi handler for errors, config, crl: <Location "/ipa/errors"> SetHandler None </Location> - <Location "/ipa/config"> SetHandler None </Location> - <Location "/ipa/crl"> SetHandler None </Location> +# Protect /ipa with Kerberos +<Location "/ipa"> + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbServiceName HTTP + KrbAuthRealms $REALM + Krb5KeyTab /etc/httpd/conf/ipa.keytab + KrbSaveCredentials on + Require valid-user + ErrorDocument 401 /ipa/errors/unauthorized.html +</Location> + + # This is where we redirect on failed auth Alias /ipa/errors "/usr/share/ipa/html" @@ -102,7 +69,6 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing Alias /ipa/crl "/var/lib/pki-ca/publish" - <Directory "/var/lib/pki-ca/publish"> SetHandler None AllowOverride None @@ -111,6 +77,18 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" Allow from all </Directory> + +# WebUI assets +Alias /ipa-assets/ "/var/cache/ipa/assets/" +<Directory "/var/cache/ipa/assets"> + Allow from all + AllowOverride None + Options FollowSymLinks + ExpiresActive On + ExpiresDefault A31536000 +</Directory> + + # Protect our CGIs <Directory /var/www/cgi-bin> AuthType Kerberos @@ -125,20 +103,19 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" ErrorDocument 401 /ipa/errors/unauthorized.html </Directory> + # migration related pages Alias /ipa/migration "/usr/share/ipa/migration" - <Directory "/usr/share/ipa/migration"> AllowOverride None Satisfy Any Allow from all - AddHandler mod_python .py PythonHandler mod_python.publisher </Directory> -#Alias /ipatest "/usr/share/ipa/ipatest" +#Alias /ipatest "/usr/share/ipa/ipatest" #<Directory "/usr/share/ipa/ipatest"> # AuthType Kerberos # AuthName "Kerberos Login" diff --git a/install/share/Makefile.am b/install/share/Makefile.am index e3e7cf606..92d50775f 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am 
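Review bot: The comment above the three `SetHandler None` locations misspells the module (`mod_msgi`) and does not say why the carve-outs exist, which matters now that `WSGIScriptAlias /ipa` routes every other path under `/ipa` to the application. I would write it as `# Turn off the mod_wsgi handler for errors, config, crl so they are served as static files:`. The `<Location "/ipa">` Kerberos block that follows still covers those three paths, so whether they are reachable without a ticket depends on `<Directory>` settings outside this hunk; that is worth confirming for `/ipa/errors`, since the 401 `ErrorDocument` points there. Separately, `KrbSaveCredentials on` now presumably has to hand the saved credential cache to the `WSGIDaemonProcess ipa` daemon rather than to an in-process handler, so a one-line comment that the daemon must keep running as the httpd user (no `user=`/`group=` option) would stop a later change from breaking delegation.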
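Review bot: The `<Directory "/usr/share/ipa/migration">` block kept as context in the last ipa.conf hunk still carries `AddHandler mod_python .py` and `PythonHandler mod_python.publisher`, so after this commit httpd has to load mod_python and mod_wsgi side by side. The mod_wsgi documentation advises against that combination, and this is also the one Python handler on the page that is reachable with `Satisfy Any` / `Allow from all`. If porting the migration page is out of scope for this commit, I would at least mark it, for example `# FIXME: still served by mod_python; port to WSGI so mod_python can be unloaded`.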
@@ -38,6 +38,7 @@ app_DATA = \
 unique-attributes.ldif \
 schema_compat.uldif \
 ldapi.ldif \
+ wsgi.py \
 $(NULL)
 EXTRA_DIST = \
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
new file mode 100644
index 000000000..457d8e024
--- /dev/null
+++ b/install/share/wsgi.py
@@ -0,0 +1,13 @@
+"""
+WSGI appliction for IPA server.
+"""
+
+from ipalib import api
+api.bootstrap(context='server', debug=True, log=None)
+api.finalize()
+api.log.info('*** PROCESS START ***')
+import ipawebui
+ui = ipawebui.create_wsgi_app(api)
+
+# This is the WSGI callable:
+application = api.Backend.session |
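Review bot: `api.bootstrap(context='server', debug=True, log=None)` hard-codes debug mode in the production entry point, whereas the mod_python configuration this commit removes ran with `PythonDebug Off`. Depending on what ipalib logs at debug level (not visible here), this can put request detail from Kerberos-authenticated sessions into the httpd error log; I would drop the override, `api.bootstrap(context='server', log=None)`, so the level presumably comes from the server's own configuration. `ui = ipawebui.create_wsgi_app(api)` is never referenced afterwards, so either it registers itself as a side effect and deserves a comment saying so, or it is dead code. The module docstring also has a typo, `appliction`.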