Graham Dumpleton
grahamd at dscpl.com.au
Sat Apr 22 23:44:31 EDT 2006
On 23/04/2006, at 11:43 AM, Graham Dumpleton wrote:
>
> On 23/04/2006, at 8:19 AM, Graham Dumpleton wrote:
>
>>
>> On 23/04/2006, at 5:22 AM, Jim Gallacher wrote:
>>
>>> Graham Dumpleton wrote:
>>>> Add to config:
>>>> AuthAuthoritative Off
>>>
>>> That doesn't really make sense to me. Nothing like this is
>>> mentioned for other auth modules like mod_auth_ldap.
>>
>> I couldn't even find it documented. It is mentioned in source code
>> for 2.0. Turns off inbuilt auth.
>
> BTW, if you are using Apache 2.2, you might actually need both:
>
> AuthzDefaultAuthoritative Off
> AuthzUserAuthoritative Off
>
> I didn't check before if it had changed from 2.0 to 2.2.
>
> I'll do some tests and get back to you on what is required for 2.2
> if that is what you are using.
Done testing, and on Apache 2.2, you don't need either of the above.

Here is a summary of what I found. Note that I am using mod_python 3.3
from trunk. First off, I am using the handlers:
    from mod_python import apache

    def authenhandler(req):
        apache.log_error("authenhandler")
        req.phases = ["authenhandler"]         # record which phases ran
        req.user = "grumpy"                    # fixed user for the test
        req.ap_auth_type = req.auth_type()     # echo the configured AuthType
        return apache.OK

    def authzhandler(req):
        apache.log_error("authzhandler")
        req.phases.append("authzhandler")
        return apache.OK

    def handler(req):
        apache.log_error("handler")
        req.phases.append("handler")
        req.content_type = "text/plain"
        req.write(req.ap_auth_type+"\n")
        req.write(req.user+"\n")
        req.write(str(req.phases)+"\n")
        return apache.OK
For Apache 2.0, the configuration that works is:
    SetHandler mod_python
    PythonAuthenHandler authz_1
    PythonAuthzHandler authz_1
    PythonHandler authz_1
    PythonDebug On
    AuthType authztest
    Require group grumpy
    #AuthAuthoritative Off
The result in the browser is:
    authztest
    grumpy
    ['authenhandler', 'authzhandler', 'handler']
Note that I am not using AuthAuthoritative in the end here.
Now, if I instead use either:
Require user grumpy
or:
Require valid-user
even if set in conjunction with:
Require group grumpy
the result is:
    authztest
    grumpy
    ['authenhandler', 'handler']
Thus, no authzhandler run. This is because builtin mod_authz is
getting run before my authzhandler and the user condition is being
satisfied and so my handler never gets to run.
If you want to have something like 'valid-user' or 'user', you need
to call it something else. For example, thus:
Require authztest::valid-user
If I do that alone though, I get an authorization required response and
the error log says:

    [Sun Apr 23 13:21:58 2006] [error] [client ::1] access to /testing/authz-1/ failed, reason: unknown require directive:"authztest::valid-user"
To get past that, that is where in Apache 2.0 I need to set
AuthAuthoritative.
    SetHandler mod_python
    PythonAuthenHandler authz_1
    PythonAuthzHandler authz_1
    PythonHandler authz_1
    PythonDebug On
    AuthType authztest
    Require authztest::valid-user
    AuthAuthoritative Off
Thus I again get:
    authztest
    grumpy
    ['authenhandler', 'authzhandler', 'handler']
In Apache 2.2, things are slightly different. Using:
    SetHandler mod_python
    PythonAuthenHandler authz_1
    PythonAuthzHandler authz_1
    PythonHandler authz_1
    PythonDebug On
    AuthType authztest
    Require group grumpy
still works okay. Using:
Require user grumpy
or:
Require valid-user
still results in:
    authztest
    grumpy
    ['authenhandler', 'handler']
In Apache 2.2, if I use:
    SetHandler mod_python
    PythonAuthenHandler authz_1
    PythonAuthzHandler authz_1
    PythonHandler authz_1
    PythonDebug On
    AuthType authztest
    Require authztest::valid-user
I get:
    authztest
    grumpy
    ['authenhandler', 'authzhandler', 'handler']
So, no need to have any equivalent to AuthAuthoritative in Apache 2.2.
In summary, the situation seems to be that if you want to perform
authorization based on group membership, it is okay to still use:
Require group grumpy
But you should not set AuthGroupFile, because if you do then the
builtin authz handler will try and do the interpretation itself.
If you want equivalents to 'valid-user' or 'user' where your
authzhandler interprets them, you need to qualify them to avoid the
builtin authz module interpreting them. Thus use something like:
    Require authztest::valid-user
    Require authztest::user grumpy

and then check req.requires for pertinent tags and data.
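As an added illustration (my own example here, not code from the message above or from mod_python itself) of what "check req.requires for pertinent tags and data" looks like in practice: an authzhandler that strips the "authztest::" qualifier, honours the 'valid-user', 'user' and 'group' forms, refuses to grant anything when authenhandler never set req.user, and declines (rather than denies) when no Require line was ours to interpret, so other modules still get their say. The prefix name "authztest" and the GROUPS table are constructed for the example; the decision logic is kept out of the Apache-dependent wrapper so it can be exercised without a running server.

```python
# Added example: a mod_python authzhandler that interprets qualified
# "authztest::" Require tags via req.requires(). Not from the original post.

# Constructed stand-in for a group database; a real deployment would look
# membership up in whatever user directory it actually uses.
GROUPS = {
    "grumpy": {"admins"},
    "happy": {"users"},
}

# Qualifier assumed for this example, matching the "authztest::" convention
# used in the configuration above.
PREFIX = "authztest::"


def parse_require(line):
    """Split one Require argument string into (qualified, tag, args).

    'authztest::user grumpy' -> (True, 'user', ['grumpy'])
    'group admins'           -> (False, 'group', ['admins'])
    """
    parts = line.split()
    if not parts:
        return (False, "", [])
    tag = parts[0]
    qualified = tag.startswith(PREFIX)
    if qualified:
        tag = tag[len(PREFIX):]
    return (qualified, tag, parts[1:])


def authorize(user, requires, groups=GROUPS):
    """Decide access from the Require lines mod_python hands back.

    Returns 'ok' when at least one Require line is satisfied (Apache ORs
    them), 'denied' when lines were understood but none matched, and
    'declined' when no line was ours to interpret.
    """
    if not user:
        # authenhandler never set req.user: never grant on an empty identity.
        return "denied"
    understood = False
    for line in requires:
        qualified, tag, args = parse_require(line)
        # Unqualified valid-user/user are consumed by the builtin authz
        # module before this handler runs; only the qualified forms and
        # 'group' (with no AuthGroupFile set) are ours to interpret.
        if tag in ("valid-user", "user") and not qualified:
            continue
        if tag == "valid-user":
            return "ok"
        if tag == "user":
            understood = True
            if user in args:
                return "ok"
        elif tag == "group":
            understood = True
            if groups.get(user, set()) & set(args):
                return "ok"
    return "denied" if understood else "declined"


def authzhandler(req):
    """mod_python authorization-phase handler wired to authorize()."""
    # Imported here so the decision logic above runs outside Apache too.
    from mod_python import apache
    decision = authorize(req.user, req.requires())
    if decision == "ok":
        return apache.OK
    if decision == "declined":
        return apache.DECLINED
    # Apache builds the WWW-Authenticate challenge from AuthType/AuthName.
    return apache.HTTP_UNAUTHORIZED
```

Point the PythonAuthzHandler directive at the module containing this handler; with 'Require authztest::user grumpy' in the directory configuration, req.requires() yields the string 'authztest::user grumpy', which authorize() turns into an 'ok' decision for that user only.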
Going back to your original configuration:
    <Directory /srv/projects/aos/html/aos-admin/>
    DirectoryIndex index.py
Take note of DirectoryIndex problems recorded in:
http://issues.apache.org/jira/browse/MODPYTHON-146
This would be an issue if you are trying to pass data in req through
from these handlers to the content handler. Plus notes and
subprocess_env values can get duplicated.
    AllowOverride None
    AddHandler mod_python .py
    AuthType PyCookie
    AuthName "Restricted"
    Require valid-user
If req.user is set, use of 'valid-user' would cause the inbuilt authz
handler to return OK and so your authzhandler would not run. If though
req.user hadn't been set by authenhandler, you would probably get an
error.
    Require admin
The "admin" tag is not one known by Apache. If you were using
Apache 2.0 you would most likely be getting:

    [Sun Apr 23 13:41:06 2006] [error] [client ::1] access to /testing/authz-1/ failed, reason: unknown require directive:"admin"
Thus, in Apache 2.0, you would need to have AuthAuthoritative set. In
Apache 2.2 you wouldn't need to.
    PythonAccessHandler mprest.authtest
    PythonAuthenHandler mprest.authtest
    PythonAuthzHandler mprest.authtest
    PythonHandler mprest.authtest
    </Directory>
Now, what was the final configuration you were trying to use and what
version of Apache were you using?
Graham