Pass necessary options to Apache when using WSGI

It's recommended to use WSGIApplicationGroup and WSGIPassAuthorization options when a service is running under Apache. Change-Id: Ia6bacab44c1d25f0253c84183f4a561d7682c6e8
2015-10-08 13:18:19 +03:00 · 2015-10-08 13:18:19 +03:00 · 2ff3a400f8
parent 3be98e8c6b
commit 2ff3a400f8
2 changed files with 52 additions and 35 deletions
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@ -115,36 +115,47 @@
 #   (optional) The source of the WSGI script.
 #   Defaults to undef
 #
+# [*wsgi_application_group*]
+#   (optional) The application group of the WSGI script.
+#   Defaults to '%{GLOBAL}'
+#
+# [*wsgi_pass_authorization*]
+#   (optional) Whether HTTP authorisation headers are passed through to a WSGI
+#   script when the equivalent HTTP request headers are present.
+#   Defaults to undef
+#
 # [*vhost_custom_fragment*]
 #   (optional) Passes a string of custom configuration
 #   directives to be placed at the end of the vhost configuration.
 #   Defaults to undef.
 #
 define openstacklib::wsgi::apache (
-  $service_name          = $name,
-  $bind_host             = undef,
-  $bind_port             = undef,
-  $group                 = undef,
-  $path                  = '/',
-  $priority              = '10',
-  $servername            = $::fqdn,
-  $ssl                   = false,
-  $ssl_ca                = undef,
-  $ssl_cert              = undef,
-  $ssl_certs_dir         = undef,
-  $ssl_chain             = undef,
-  $ssl_crl               = undef,
-  $ssl_crl_path          = undef,
-  $ssl_key               = undef,
-  $threads               = $::processorcount,
-  $user                  = undef,
-  $workers               = 1,
-  $wsgi_daemon_process   = $name,
-  $wsgi_process_group    = $name,
-  $wsgi_script_dir       = undef,
-  $wsgi_script_file      = undef,
-  $wsgi_script_source    = undef,
-  $vhost_custom_fragment = undef,
+  $service_name            = $name,
+  $bind_host               = undef,
+  $bind_port               = undef,
+  $group                   = undef,
+  $path                    = '/',
+  $priority                = '10',
+  $servername              = $::fqdn,
+  $ssl                     = false,
+  $ssl_ca                  = undef,
+  $ssl_cert                = undef,
+  $ssl_certs_dir           = undef,
+  $ssl_chain               = undef,
+  $ssl_crl                 = undef,
+  $ssl_crl_path            = undef,
+  $ssl_key                 = undef,
+  $threads                 = $::processorcount,
+  $user                    = undef,
+  $workers                 = 1,
+  $wsgi_daemon_process     = $name,
+  $wsgi_process_group      = $name,
+  $wsgi_script_dir         = undef,
+  $wsgi_script_file        = undef,
+  $wsgi_script_source      = undef,
+  $wsgi_application_group  = '%{GLOBAL}',
+  $wsgi_pass_authorization = undef,
+  $vhost_custom_fragment   = undef,
 ) {

  include ::apache
@ -204,6 +215,8 @@ define openstacklib::wsgi::apache (
    wsgi_daemon_process_options => $wsgi_daemon_process_options,
    wsgi_process_group          => $wsgi_process_group,
    wsgi_script_aliases         => $wsgi_script_aliases,
+    wsgi_application_group      => $wsgi_application_group,
+    wsgi_pass_authorization     => $wsgi_pass_authorization,
    custom_fragment             => $vhost_custom_fragment,
    require                     => File[$service_name],
  }
--- a/spec/defines/openstacklib_wsgi_apache_spec.rb
+++ b/spec/defines/openstacklib_wsgi_apache_spec.rb
@ -81,6 +81,7 @@ describe 'openstacklib::wsgi::apache' do
          'processes' => 1,
          'threads'   => global_facts[:processorcount],
        },
+        'wsgi_application_group'      => '%{GLOBAL}',
        'require'                     => 'File[keystone_wsgi]'
      )}
      it { is_expected.to contain_file("#{platform_parameters[:httpd_ports_file]}") }
@ -89,17 +90,18 @@ describe 'openstacklib::wsgi::apache' do
    describe 'when overriding parameters' do
      let :params do
        {
-          :wsgi_script_dir       => '/var/www/cgi-bin/keystone',
-          :wsgi_script_file      => 'main',
-          :wsgi_script_source    => '/usr/share/keystone/keystone.wsgi',
-          :servername            => 'dummy.host',
-          :bind_host             => '10.42.51.1',
-          :bind_port             => 4142,
-          :user                  => 'keystone',
-          :group                 => 'keystone',
-          :ssl                   => false,
-          :workers               => 37,
-          :vhost_custom_fragment => 'LimitRequestFieldSize 81900'
+          :wsgi_script_dir         => '/var/www/cgi-bin/keystone',
+          :wsgi_script_file        => 'main',
+          :wsgi_script_source      => '/usr/share/keystone/keystone.wsgi',
+          :wsgi_pass_authorization => 'On',
+          :servername              => 'dummy.host',
+          :bind_host               => '10.42.51.1',
+          :bind_port               => 4142,
+          :user                    => 'keystone',
+          :group                   => 'keystone',
+          :ssl                     => false,
+          :workers                 => 37,
+          :vhost_custom_fragment   => 'LimitRequestFieldSize 81900'
        }
      end
      it { is_expected.to contain_apache__vhost('keystone_wsgi').with(
@ -117,6 +119,8 @@ describe 'openstacklib::wsgi::apache' do
        },
        'wsgi_process_group'          => 'keystone_wsgi',
        'wsgi_script_aliases'         => { '/' => "/var/www/cgi-bin/keystone/main" },
+        'wsgi_application_group'      => '%{GLOBAL}',
+        'wsgi_pass_authorization'     => 'On',
        'require'                     => 'File[keystone_wsgi]',
        'custom_fragment'             => 'LimitRequestFieldSize 81900',
      )}