[mod_python] Apache 2.2 authen/authz and "require" semantics

Graham Dumpleton graham.dumpleton at gmail.com
Sun Sep 23 21:32:40 EDT 2007


On 24/09/2007, Arnar Birgisson <arnarbi at gmail.com> wrote:
> Hello there,
>
> I'm having some trouble finding the right docs/examples to solve my problem.
>
> What I want to do is to use a database (a Django model) to control
> access to svn and trac (let's just focus on svn to begin with).
>
> My urls are of the form http://svn.domain.tld/projectname/. In the db
> I have an entry for each project, and on it a boolean field indicating
> if the project should be public-readable or not.
>
> How can I leave it up to the authen- or authzhandler to decide when
> username/passwd is required? Seems if I require anything a
> login-dialog is popped up, even if the authenhandler never looks at
> the username and just return apache.OK if the project is
> public-readable. If I have no require lines, no authentication seems
> to take place and everything is wide-open regardless of the
> public-readable switch.
>
> From [1] it seems the proper way with apache 2.2. is to provide both
> an authen- and authzhandler, but I don't quite see how things should
> work in my case.
>
> Ideally, I'd like my config to look something like this:
>
> SetEnv DJANGO_SETTINGS_MODULE projectadmin.settings
> PythonHandlerModule projectadmin.authenhandler
> Require project-access svn_read
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>     Require project-access svn_write
> </LimitExcept>
>
> Making it work sanely with other auth- or authz handlers is no issue for me.
>
> Arnar
>
> [1] http://www.modpython.org/pipermail/mod_python/2007-July/024055.html

Does it have to be configurable from Apache configuration, could you
just do it all in the Python script?

What we do to prevent people performing updates against tag
directories in subversion is:

<Location /svn>

    DAV svn
    SVNParentPath /usr/local/repository/subversion

     .....

    PythonInterpreter subversion_handlers
    PythonPath 'sys.path + ["/usr/local/pkg/apps/subversion"]'
    PythonFixupHandler subversion_handlers::protect_tagged_packages

</Location>

In the Python code file, then have:

from mod_python import apache
import fnmatch

# When access is to tagged packages, only allow read/only operations
# and copy command. This means that tagged packages will be able to
# be created, but will prevent files within a tagged package being
# changed and committed back into the repository, replacing files in
# the tagged version.

RESTRICTED_URI = '/svn/drives/!svn/*/*/packages/tags/*/*/*'
ALLOW_METHODS = [ 'OPTIONS', 'GET', 'PROPFIND', 'REPORT', 'COPY' ]

def protect_tagged_packages(req):
    if fnmatch.fnmatch(req.uri, RESTRICTED_URI):
        if req.method in ALLOW_METHODS:
            return apache.OK
        return apache.HTTP_FORBIDDEN
    return apache.OK

The only thing thus permitted on a tag directory is deleting it and
renaming it. Keep these for where people stuff up.

So, we don't even use auth/authz for this bit, but just use a fixup handler.

Graham
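The same idea can carry Arnar's per-project "public-readable" switch without any Require line: a fixup handler works out the project from the URI, classifies the method as read or write using the same list as the LimitExcept block in the question, and only issues a Basic challenge itself when credentials are actually needed. The following is an added example, not code from the thread or from mod_python; the PROJECTS table is a constructed stand-in for the Django model, the user records and passwords are made up, and the handler assumes Python 3 (pbkdf2_hmac) and mod_python's req.headers_in / req.err_headers_out attributes.

```python
import base64
import hashlib
import hmac

try:
    from mod_python import apache  # only importable inside Apache
except ImportError:
    apache = None  # lets the decision logic be exercised outside Apache

# Same numeric values as apache.OK / apache.HTTP_* so the return codes work either way.
OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, HTTP_NOT_FOUND = 0, 401, 403, 404

# Read-only WebDAV methods, matching the LimitExcept list in the question.
READ_METHODS = frozenset(['GET', 'PROPFIND', 'OPTIONS', 'REPORT'])
REALM = 'Subversion'


def _hash(password, salt):
    # Salted PBKDF2 so the table never holds plaintext passwords.
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100000)


# Constructed stand-in for the database row per project:
# 'public' is the public-readable flag, 'users' maps a username to
# (salt, password hash, set of permissions).
PROJECTS = {
    'openproj': {'public': True, 'users': {
        'alice': (b'salt-a', _hash('alicepw', b'salt-a'), {'svn_read', 'svn_write'})}},
    'secretproj': {'public': False, 'users': {
        'bob': (b'salt-b', _hash('bobpw', b'salt-b'), {'svn_read'})}},
}


def project_from_uri(uri):
    """'/projectname/anything' -> 'projectname'; empty or dot names are rejected."""
    parts = uri.split('/', 2)
    name = parts[1] if len(parts) > 1 else ''
    return name if name and name not in ('.', '..') else None


def basic_header(user, password):
    """Build the Authorization header value a client would send (used for testing)."""
    return 'Basic ' + base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not header or not header.startswith('Basic '):
        return None
    try:
        decoded = base64.b64decode(header[6:]).decode('utf-8')
    except Exception:
        return None
    user, sep, password = decoded.partition(':')
    return (user, password) if sep else None


def check_credentials(project, creds):
    """Return the permission set for valid credentials, else None."""
    if creds is None:
        return None
    user, password = creds
    entry = project['users'].get(user)
    if entry is None:
        _hash(password, b'dummy')  # hash anyway so timing does not reveal unknown users
        return None
    salt, stored, perms = entry
    return perms if hmac.compare_digest(_hash(password, salt), stored) else None


def decide_access(uri, method, auth_header):
    """Return (status, challenge); challenge is the WWW-Authenticate value to send with a 401."""
    project = PROJECTS.get(project_from_uri(uri))
    if project is None:
        return HTTP_NOT_FOUND, None
    needed = 'svn_read' if method in READ_METHODS else 'svn_write'
    if needed == 'svn_read' and project['public']:
        return OK, None  # anonymous read: no login dialog at all
    perms = check_credentials(project, parse_basic(auth_header))
    if perms is None:
        return HTTP_UNAUTHORIZED, 'Basic realm="%s"' % REALM  # now ask for credentials
    return (OK, None) if needed in perms else (HTTP_FORBIDDEN, None)


def fixuphandler(req):
    # Wire the decision into mod_python: PythonFixupHandler thismodule::fixuphandler
    status, challenge = decide_access(req.uri, req.method, req.headers_in.get('Authorization'))
    if challenge:
        req.err_headers_out['WWW-Authenticate'] = challenge
    return status
```

Because the challenge is raised from the handler rather than by Apache's auth phase, the browser dialog only appears for non-public projects or for write methods, which is exactly the behaviour the Require directive could not express. The hash comparison uses hmac.compare_digest and hashes even for unknown users so that response timing does not distinguish a bad username from a bad password.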
