From 538b7943556c3fc65ad61a75048677a1adff15de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz> Date: Tue, 2 Aug 2022 09:58:36 +0200 Subject: [PATCH] Document the need for process based webserver for Hawat (closes #6191) --- doc/sphinx/_doclib/installation.rst | 30 ++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/doc/sphinx/_doclib/installation.rst b/doc/sphinx/_doclib/installation.rst index c35a803c8..cb87e79d1 100644 --- a/doc/sphinx/_doclib/installation.rst +++ b/doc/sphinx/_doclib/installation.rst @@ -584,7 +584,9 @@ If you wish to use the web interface Hawat, you wil have to install and configur a web server. You may use any server you like as long as it supports execution of WSGI Python3 scripts. Do not forget to setup some initial user accounts, either use the demonstration fixtures, or setup real user accounts. Otherwise you will -not be able to log in. +not be able to log in. Also, please note that Hawat application is not reentrant, +so employed web server must allow process base dispatch (not threaded or event +based). Following examples demonstrate necessary Apache2 configuration when Mentat system is installed on target system with Debian packages. Please review and adjust the 
@@ -617,29 +619,34 @@ ready for deployment out of the box: a2dissite default-ssl.conf a2ensite site_mentat.conf + # Step 5: Enforce process based Apache worker + a2dismod mpm_worker + a2dismod mpm_event + a2enmod mpm_prefork + # !!!!! THIS STEP IS SUPER IMPORTANT !!!!! - # Step 5: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and + # Step 6: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and # in production deployment make sure, that ENABLED_BLUEPRINTS key does not # contain 'hawat.blueprints.auth_dev', or that is is commented out. Otherwise # you would enable anyone impersonate any other user without password. # !!!!! THIS STEP IS SUPER IMPORTANT !!!!! vim /etc/mentat/mentat-hawat.py.conf - # Step 6: Restart Apache service: + # Step 7: Restart Apache service: systemctl restart apache2.service - # Step 7: OPTION A: Insert demonstration data into Mentat`s metadata database + # Step 8: OPTION A: Insert demonstration data into Mentat`s metadata database # (this will insert some demo accounts, groups, networks and filters into db # and can be used in conjuction with htpasswd file above): mentat-dbmngr.py --command fixtures-add - # Step 8: OPTION B: Create initial user account/s in Mentat`s metadata database + # Step 9: OPTION B: Create initial user account/s in Mentat`s metadata database # (please adjust the attributes, do not simply copy and paste): mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin .. warning:: - Please make sure you have read step 5 in the recipe above. The :ref:`section-hawat-plugin-auth-dev` + Please make sure you have read step 6 in the recipe above. The :ref:`section-hawat-plugin-auth-dev` authentication module in particular is a HUGE security risk when enabled in production installation and accessible from network. 
@@ -684,15 +691,20 @@ with `Shibboleth SSO <https://www.shibboleth.net/index/basic/>`__ login service a2dissite default-ssl.conf a2ensite site_mentat.conf + # Step 5: Enforce process based Apache worker + a2dismod mpm_worker + a2dismod mpm_event + a2enmod mpm_prefork + # !!!!! THIS STEP IS SUPER IMPORTANT !!!!! - # Step 5: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf: + # Step 6: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf: # !!!!! THIS STEP IS SUPER IMPORTANT !!!!! vim /etc/mentat/mentat-hawat.py.conf - # Step 6: Restart Apache service: + # Step 7: Restart Apache service: systemctl restart apache2.service - # Step 7: Create initial user account/s in Mentat`s metadata database + # Step 8: Create initial user account/s in Mentat`s metadata database # (please adjust the attributes, do not simply copy and paste): mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin -- GitLab
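Review bot: The added sentence in the installation paragraph (hunk at -584,7) has several grammar slips that should be fixed before merge: "Hawat application is not reentrant, so employed web server must allow process base dispatch" reads better as "the Hawat application is not reentrant, so the web server used must allow process-based dispatch". Since the paragraph is being touched anyway, the pre-existing typos on the context lines ("you wil have to install and configur a web server", "setup" used as a verb) could go in the same change. It would also help operators who pick a non-Apache WSGI server if the sentence said in one clause what goes wrong under threaded or event-based dispatch, so they know what symptom to watch for.

Review bot: The new Step 5 (hunk at -617,29) enforces mpm_prefork, but the requirement stated in the prose is about how WSGI requests are dispatched, and the Apache MPM only governs that when Hawat runs in mod_wsgi embedded mode. If site_mentat.conf uses WSGIDaemonProcess, the daemon's own threads setting decides reentrancy, so the step should either say the recipe relies on embedded mode or add the matching daemon-mode setting next to the a2enmod line. In the renumbered lines, "Mentat`s metadata database" uses a backtick for an apostrophe (twice), and the adjacent context lines still carry "that is is commented out", "enable anyone impersonate", and "conjuction"; worth fixing while renumbering.

Review bot: The Shibboleth recipe (hunk at -684,15) repeats the same three-line Step 5 verbatim but without any hint of why, whereas the first recipe at least has the reentrancy sentence nearby in the prose; a one-line comment above a2dismod such as "# Hawat is not reentrant, so a process based MPM is required" keeps the second recipe self-explanatory and avoids someone "cleaning up" the duplication later. The daemon-mode caveat from the previous note applies here as well. Unrelated to this change but visible in the diff: the renumbered Step 6 here mentions only SECRET_KEY, while the same step in the first recipe also warns about hawat.blueprints.auth_dev in ENABLED_BLUEPRINTS; if that blueprint is equally dangerous under Shibboleth, the warning should be mirrored.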