Commit 6302c40c authored by Rajmund Hruška

Merge branch 'devel' of homeproj.cesnet.cz:mentat-ng into devel

parents 3ab83955 538b7943
......@@ -584,7 +584,9 @@ If you wish to use the web interface Hawat, you wil have to install and configur
a web server. You may use any server you like as long as it supports execution of
WSGI Python3 scripts. Do not forget to setup some initial user accounts, either
use the demonstration fixtures, or setup real user accounts. Otherwise you will
not be able to log in.
not be able to log in. Also, please note that Hawat application is not reentrant,
so employed web server must allow process base dispatch (not threaded or event
based).
Following examples demonstrate necessary Apache2 configuration when Mentat system
is installed on target system with Debian packages. Please review and adjust the
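Review bot: the added sentence ("Also, please note that Hawat application is not reentrant ...") now conflicts with the unchanged sentence a few lines above it, which still says any server that supports WSGI Python3 scripts will do. State the constraint where the server choice is introduced, and name what it means for Apache (the recipes further down switch to mpm_prefork) so that a reader using a different server knows what to look for. Wording in the same sentence: "process base dispatch" should be "process-based dispatch", and "Hawat application" and "employed web server" are missing articles.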
......@@ -617,29 +619,34 @@ ready for deployment out of the box:
a2dissite default-ssl.conf
a2ensite site_mentat.conf
# Step 5: Enforce process based Apache worker
a2dismod mpm_worker
a2dismod mpm_event
a2enmod mpm_prefork
# !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
# Step 5: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and
# Step 6: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and
# in production deployment make sure, that ENABLED_BLUEPRINTS key does not
# contain 'hawat.blueprints.auth_dev', or that is is commented out. Otherwise
# you would enable anyone impersonate any other user without password.
# !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
vim /etc/mentat/mentat-hawat.py.conf
# Step 6: Restart Apache service:
# Step 7: Restart Apache service:
systemctl restart apache2.service
# Step 7: OPTION A: Insert demonstration data into Mentat`s metadata database
# Step 8: OPTION A: Insert demonstration data into Mentat`s metadata database
# (this will insert some demo accounts, groups, networks and filters into db
# and can be used in conjuction with htpasswd file above):
mentat-dbmngr.py --command fixtures-add
# Step 8: OPTION B: Create initial user account/s in Mentat`s metadata database
# Step 9: OPTION B: Create initial user account/s in Mentat`s metadata database
# (please adjust the attributes, do not simply copy and paste):
mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin
.. warning::
Please make sure you have read step 5 in the recipe above. The :ref:`section-hawat-plugin-auth-dev`
Please make sure you have read step 6 in the recipe above. The :ref:`section-hawat-plugin-auth-dev`
authentication module in particular is a HUGE security risk when enabled in production
installation and accessible from network.
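Review bot: the warning at the end of this hunk refers to the SECRET_KEY / auth_dev step by number, and this change had to bump it from "step 5" to "step 6" by hand because a step was inserted above it. The next inserted step can leave the security warning pointing at the wrong instruction; refer to the step by what it does (changing SECRET_KEY and keeping 'hawat.blueprints.auth_dev' out of ENABLED_BLUEPRINTS) rather than by its number. Separately, the new "Step 5: Enforce process based Apache worker" comment gives no reason; one line saying that Hawat is not reentrant would help keep an operator from re-enabling mpm_worker or mpm_event later.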
......@@ -684,15 +691,20 @@ with `Shibboleth SSO <https://www.shibboleth.net/index/basic/>`__ login service
a2dissite default-ssl.conf
a2ensite site_mentat.conf
# Step 5: Enforce process based Apache worker
a2dismod mpm_worker
a2dismod mpm_event
a2enmod mpm_prefork
# !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
# Step 5: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf:
# Step 6: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf:
# !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
vim /etc/mentat/mentat-hawat.py.conf
# Step 6: Restart Apache service:
# Step 7: Restart Apache service:
systemctl restart apache2.service
# Step 7: Create initial user account/s in Mentat`s metadata database
# Step 8: Create initial user account/s in Mentat`s metadata database
# (please adjust the attributes, do not simply copy and paste):
mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin
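Review bot: the Step 6 comment in this recipe only tells the operator to change SECRET_KEY, while the same step in the recipe above also requires that ENABLED_BLUEPRINTS does not contain 'hawat.blueprints.auth_dev'. Since the line is being touched for renumbering anyway, either repeat that check here or say why it does not apply to the Shibboleth setup. The three a2dismod/a2enmod lines are also now duplicated verbatim in both recipes, so a later change to the MPM requirement has to be made in two places.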