# HG changeset patch # User Mads Kiilerich # Date 1459805670 -7200 # Node ID 5a47ce11427c207167c089e89bdf9677ccb01b91 # Parent b027fc1a0e85246677d59709a7e418b31f2173c6# Parent 73493ddc8c9e58dc89c47ddc5ebb082b09fce226 Merge stable diff -r b027fc1a0e85 -r 5a47ce11427c docs/installation_iis.rst --- a/docs/installation_iis.rst Wed Mar 23 18:27:50 2016 +0100 +++ b/docs/installation_iis.rst Mon Apr 04 23:34:30 2016 +0200 @@ -9,6 +9,17 @@ .. note:: + Installing Kallithea under IIS can enable Single Sign-On to the Kallithea + web interface from web browsers that can authenticate to the web server. + (As an alternative to IIS, SSO is also possible with for example Apache and + mod_sspi.) + + Mercurial and Git do however by default not support SSO on the client side + and will still require some other kind of authentication. + (An extension like hgssoauthentication_ might solve that.) + +.. note:: + For the best security, it is strongly recommended to only host the site over a secure connection, e.g. using TLS. @@ -48,7 +59,7 @@ The ISAPI handler can be generated using:: - paster install-iis my.ini --root=/ + paster install-iis my.ini --virtualdir=/ This will generate a ``dispatch.py`` file in the current directory that contains the necessary components to finalize an installation into IIS. Once this file @@ -59,10 +70,10 @@ This accomplishes two things: generating an ISAPI compliant DLL file, ``_dispatch.dll``, and installing a script map handler into IIS for the -``--root`` specified above pointing to ``_dispatch.dll``. +``--virtualdir`` specified above pointing to ``_dispatch.dll``. The ISAPI handler is registered to all file extensions, so it will automatically -be the one handling all requests to the specified root. When the website starts +be the one handling all requests to the specified virtual directory. When the website starts the ISAPI handler, it will start a thread pool managed wrapper around the paster middleware WSGI handler that Kallithea runs within and each HTTP request to the site will be processed through this logic henceforth. @@ -73,6 +84,11 @@ The recommended way to handle authentication with Kallithea using IIS is to let IIS handle all the authentication and just pass it to Kallithea. +.. note:: + + As an alternative without SSO, you can also use LDAP authentication with + Active Directory, see :ref:`ldap-setup`. + To move responsibility into IIS from Kallithea, we need to configure Kallithea to let external systems handle authentication and then let Kallithea create the user automatically. To do this, access the administration's authentication page @@ -108,3 +124,6 @@ and any exceptions occurring in the WSGI layer and below (i.e. in the Kallithea application itself) that are uncaught, will be printed here complete with stack traces, making it a lot easier to identify issues. + + +.. _hgssoauthenticatio: https://bitbucket.org/domruf/hgssoauthentication diff -r b027fc1a0e85 -r 5a47ce11427c docs/setup.rst --- a/docs/setup.rst Wed Mar 23 18:27:50 2016 +0100 +++ b/docs/setup.rst Mon Apr 04 23:34:30 2016 +0200 @@ -137,6 +137,7 @@ If you want to rebuild the index from scratch, you can use the ``-f`` flag as above, or in the admin panel you can check the "build from scratch" checkbox. +.. _ldap-setup: Setting up LDAP support ----------------------- @@ -767,6 +768,12 @@ a2enmod wsgi +- Add global Apache configuration to tell mod_wsgi that Python only will be + used in the WSGI processes and shouldn't be initialized in the Apache + processes:: + + WSGIRestrictEmbedded On + - Create a wsgi dispatch script, like the one below. Make sure you check that the paths correctly point to where you installed Kallithea and its Python Virtual Environment. @@ -779,8 +786,9 @@ .. code-block:: apache WSGIDaemonProcess kallithea \ - processes=1 threads=4 \ - python-path=/srv/kallithea/venv/lib/python2.7/site-packages + threads=4 \ + python-home=/srv/kallithea/venv + WSGIProcessGroup kallithea WSGIScriptAlias / /srv/kallithea/dispatch.wsgi WSGIPassAuthorization On @@ -788,13 +796,15 @@ .. code-block:: apache - WSGIDaemonProcess kallithea processes=1 threads=4 + WSGIDaemonProcess kallithea threads=4 + WSGIProcessGroup kallithea WSGIScriptAlias / /srv/kallithea/dispatch.wsgi WSGIPassAuthorization On -.. note:: - When running apache as root, please make sure it doesn't run Kallithea as - root, for examply by adding: ``user=www-data group=www-data`` to the configuration. +Apache will by default run as a special Apache user, on Linux systems +usually ``www-data`` or ``apache``. If you need to have the repositories +directory owned by a different user, use the user and group options to +WSGIDaemonProcess to set the name of the user and group. Example WSGI dispatch script: @@ -810,11 +820,11 @@ import site site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages") - from paste.deploy import loadapp + ini = '/srv/kallithea/my.ini' from paste.script.util.logging_config import fileConfig - - fileConfig('/srv/kallithea/my.ini') - application = loadapp('config:/srv/kallithea/my.ini') + fileConfig(ini) + from paste.deploy import loadapp + application = loadapp('config:' + ini) Or using proper virtualenv activation: diff -r b027fc1a0e85 -r 5a47ce11427c kallithea/controllers/api/__init__.py --- a/kallithea/controllers/api/__init__.py Wed Mar 23 18:27:50 2016 +0100 +++ b/kallithea/controllers/api/__init__.py Mon Apr 04 23:34:30 2016 +0200 @@ -120,7 +120,6 @@ log.debug('Content-Length: %s', length) if length == 0: - log.debug("Content-Length is 0") return jsonrpc_error(retid=self._req_id, message="Content-Length is 0") @@ -239,8 +238,7 @@ exc_info.append(new_exc_info) output = WSGIController.__call__(self, environ, change_content) - output = list(output) - headers.append(('Content-Length', str(len(output[0])))) + output = list(output) # expand iterator - just to ensure exact timing replace_header(headers, 'Content-Type', 'application/json') start_response(status[0], headers, exc_info[0]) log.info('IP: %s Request to %s time: %.3fs' % (