[mod_python] Setting req->user for mod_dav_svn

Graham Dumpleton grahamd at dscpl.com.au
Tue Aug 1 02:04:57 EDT 2006


Deron Meranda wrote ..
> On 7/31/06, Graham Dumpleton <grahamd at dscpl.com.au> wrote:
> > Deron Meranda wrote ..
> > > I am using a PythonAccessHandler for all my authentication and
> > > authorization needs; ...
> >
> > Are you using PythonAccessHandler at same time as PythonHandler?
> > Aren't you seeing the hideously bad memory leak finally uncovered
> > in the past day?
> 
> Yes, I use both, but I haven't really investigated if the leak bug is
> hitting me yet.  I will look.  All of my requests go through a
> PythonAccessHandler, and probably about 80% of them also go through
> PythonHandler.

You should see the memory leak occur for any which make it through to
the PythonHandler. From memory you are on dev list as well, but bug report
URL with change is at:

  https://issues.apache.org/jira/browse/MODPYTHON-181

For about 5000 requests I would see memory use balloon from 5MB to 10MB
so leak was pretty severe.

> For some URLs I also use a multiple chained handler,
> something like
> 
>   PythonAccessHandler one::accesshandler
>   PythonHandler one::handler two::handler

The chained/stacked handlers within a single phase don't provide any
additional problems.

> > Using 3.2.10, you will have to continue to use an PythonAccessHandler
> to do
> > what you want anyway, as it is impossible with mod_python prior to 3.3
> to write
> > a correct authentication handler in the style that they are supposed
> to be
> > written when using Apache.
> 
> Yes, I am aware of the many missing features and am glad you've been
> working so hard adding those in.  Of course I'll also want to
> eventually migrate up to Apache 2.2 as well.  The more modular auth
> stuff, and its provider hooks, look quite useful.

Hmmm, in the interests of getting out 3.3 sooner rather than later I was
probably going to defer trying to work in any support for auth providers,
although it is still very tempting cause they look quite useful as you say.

If I try to implement anything, I'd probably tackle first the ability for a
Python authentication handler to use a distinct auth provider. That way
you can easily use an existing mod_auth_ldap module within a Python
implemented form/session based login mechanism. This seems more
useful to me first up than making it possible to implement an auth
provider in Python and may encourage Python users to use some of
the existing and proven auth providers available for Apache and not
roll their own.

> There's a second, optional, subversion module mod_authz_svn which
> provides fine grained access control for different branches, etc.  I
> don't know how mod_python may interact with it (especially since it
> runs during the authz phase too).  But at least in my case that's not
> too important; because my own mod_python handler can do all the access
> control decisions I need.

My understanding is that mod_authz_svn would base everything off the
req.user when matching up to stuff in the svnserve.conf file you point it
at. Thus see no problems with using mod_authz_svn.

Graham


More information about the Mod_python mailing list