Setting up a dedicated web2py server that supports multiple users, separate folders


David Bain

Jan 3, 2011, 2:50:40 PM
to web...@googlegroups.com
I'm setting up a webserver that supports web2py. Each user should have their own web2py instance; hopefully everything will be deployed via mod_wsgi.

This is my goal:
Each user will be able to deploy their apps to their own 'www' folder on the webserver

filesystem:
~user/www/

for a <user> the web2py app would be available at:
http server:
https://example.com/<user>/examples/appadmin
http://example.com/<user>/examples

Nice to have would be a Cherokee based solution

mdipierro

Jan 3, 2011, 8:27:51 PM
to web2py-users
The main problem here is not app->path mapping (which is not supported
but could be). The problem is that if you have one web2py instance it
must run as www-data and all those folders must be readable/writable
by www-data. This means users are not protected from errors performed
by other users.
> *Nice to have would be a Cherokee based solution*

VP

Jan 3, 2011, 11:13:07 PM
to web2py-users
I think it'll be convenient for multiple users to work on one web2py
installation, if there's a layer on top of the admin app, providing
the following features:

1. The admin app allows user registration.
2. Each user can view/edit only apps that he/she creates.


This is strictly at the (admin) app level. Everything is the same as
before at the filesystem level.

(This is particularly useful for teaching (I think): one web2py app,
many students).

Graham Dumpleton

Jan 3, 2011, 11:43:30 PM
to web...@googlegroups.com
Use daemon mode of mod_wsgi. Have a daemon process group per user with the user/group of the daemon process corresponding to that of the user whose web2py instance will run in that daemon process group. Then delegate each web2py instance to appropriate daemon process group.

The only hard bit in this is that daemon process groups are statically defined and so to add new user, you need to update Apache configuration and restart Apache.

For quick setup instructions for daemon mode of mod_wsgi read:


That example shows a daemon process group for whole virtual host, but it isn't limited to that and is flexible enough to do what you want.

WSGIDaemonProcess default processes=2 threads=25

<VirtualHost *:80>
    ServerName www.site.com

    WSGIDaemonProcess bob user=bob group=bob display-name=%{GROUP}

    <Directory /home/bob/www>
        Options ExecCGI
        AllowOverride FileInfo
        AddHandler wsgi-script .wsgi
        WSGIProcessGroup bob
    </Directory>

    WSGIDaemonProcess joe user=joe group=joe

    <Directory /home/joe/www>
        Options ExecCGI
        AllowOverride FileInfo
        AddHandler wsgi-script .wsgi
        WSGIProcessGroup joe
    </Directory>

</VirtualHost>

Graham
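
Because the daemon process groups are statically defined, one way to keep the per-user stanzas consistent when accounts are added is to generate them and reject any name that could alter the configuration. This is an added example, not part of the post above or of mod_wsgi; `render_vhost`, the name patterns and `home_root` are assumptions made for illustration.

```python
import re

# Strict login-name and host-name patterns (assumed policy): nothing that could
# end a directive or open a new one (spaces, quotes, newlines, '<', '>').
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Same directives as the configuration posted in the thread, one stanza per user.
STANZA = """\
    WSGIDaemonProcess {user} user={user} group={user} display-name=%{{GROUP}}

    <Directory {home}/www>
        Options ExecCGI
        AllowOverride FileInfo
        AddHandler wsgi-script .wsgi
        WSGIProcessGroup {user}
    </Directory>
"""


def render_vhost(server_name, accounts, home_root="/home"):
    """Build the <VirtualHost> text for (user, home) pairs; ValueError on bad input."""
    if not HOST_RE.fullmatch(server_name):
        raise ValueError("unsafe server name: %r" % (server_name,))
    seen, stanzas = set(), []
    for user, home in accounts:
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        if not USER_RE.fullmatch(user):
            raise ValueError("unsafe user name: %r" % (user,))
        if user == "root":
            raise ValueError("refusing to create a daemon group for root")
        # The home directory must be exactly <home_root>/<user>.
        if home != "%s/%s" % (home_root, user):
            raise ValueError("unexpected home for %s: %r" % (user, home))
        if user in seen:
            raise ValueError("duplicate user: %s" % user)
        seen.add(user)
        stanzas.append(STANZA.format(user=user, home=home))
    return "<VirtualHost *:80>\n    ServerName %s\n\n%s\n</VirtualHost>\n" % (
        server_name, "\n".join(stanzas))


if __name__ == "__main__":
    # Constructed sample accounts; in practice they could come from pwd.getpwall().
    print(render_vhost("www.site.com", [("bob", "/home/bob"), ("joe", "/home/joe")]))
```

Write the output to a file that Apache includes and run `apachectl configtest` before the restart the post mentions.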

VP

Jan 4, 2011, 12:10:36 AM
to web2py-users
From a practical point of view, I think it's not cost effective to
give one web2py clone to each user. The reason is each web2py clone/
process takes a decent chunk of RAM.


On Jan 3, 10:43 pm, Graham Dumpleton <graham.dumple...@gmail.com>
wrote:
> Use daemon mode of mod_wsgi. Have a daemon process group per user with the
> user/group of the daemon process corresponding to that of the user whose
> web2py instance will run in that daemon process group. Then delegate each
> web2py instance to appropriate daemon process group.
>
> The only hard bit in this is that daemon process groups are statically
> defined and so to add new user, you need to update Apache configuration and
> restart Apache.
>
> For quick setup instructions for daemon mode of mod_wsgi read:
>
>  http://code.google.com/p/modwsgi/wiki/QuickConfigurationGuide#Delegat...
> > *Nice to have would be a Cherokee based solution*
>
>

mdipierro

Jan 4, 2011, 6:50:47 AM
to web2py-users
This can be done but it would not prevent one user from writing code (an
app) that reads or deletes another user's app. As long as this is clear,
I could modify admin for this purpose (or create another admin).

David Bain

Jan 4, 2011, 9:28:39 AM
to web...@googlegroups.com
I like the modified admin approach, it would be simpler, for teaching purposes it would work, it would need to be modified for production style scenarios as it would not be an acceptable risk.

mdipierro

Jan 4, 2011, 10:49:04 AM
to web2py-users
In trunk.

- Deploy the latest admin
- edit file applications/admin/models/0.py and set
MULTI_USER_MODE = True
- Try to access admin and it will require registration/login
- The first user to register is teacher (can see all apps)
- All other users are students (can only see/edit/create their own
apps)

This does not prevent one user from writing dangerous code. The code,
whoever creates it, always runs under the same privileges and has
access to the entire web2py folder.

At the moment students get access to each other's appadmin controllers.

Please help with testing!

On Jan 4, 8:28 am, David Bain <pigeonfli...@gmail.com> wrote:
> I like the modified admin approach, it would be simpler, for teaching
> purposes it would work, it would need to be modified for production style
> scenarios as it would not be an acceptable risk.
>

David Bain

Jan 4, 2011, 10:54:18 AM
to web...@googlegroups.com
Thanks Massimo,
Checking out  trunk now.

David Bain

Jan 4, 2011, 11:44:34 AM
to web...@googlegroups.com
Massimo,
Nice! It works... so as long as I register first I'm the teacher :).
I'm just looking at web2py again in the last few weeks. I'm very happy to help with documentation of this feature. Just point me in the right direction.

see: Screenshot below:
[image: user login.jpg]

Bruno Rocha

Jan 4, 2011, 11:47:49 AM
to web...@googlegroups.com
Thanks! This will be very useful for me too.

2011/1/4 mdipierro <mdip...@cs.depaul.edu>

In trunk.

- Deploy the latest admin
- edit file applications/admin/models/0.py and set
 MULTI_USER_MODE = True

--

Bruno Rocha
http://about.me/rochacbruno/bio

David Bain

Jan 4, 2011, 11:48:27 AM
to web...@googlegroups.com
Just a note. There was no option to register.
I had to visit localhost:8000/admin/default/user/register

mdipierro

Jan 4, 2011, 11:56:52 AM
to web2py-users
Oops. I missed a file in the commit. Adding it now.

One more caveat. For security, the first user is the teacher and
registration is enabled by default.
For all other users of admin (students) registration requires
verification. That means the teacher must login, use /admin/appadmin
and clear the content of the "registration_key" field for approved
students.

This is for preventing non-students from getting their hands on the
system.

Massimo

On Jan 4, 10:44 am, David Bain <pigeonfli...@gmail.com> wrote:
> Massimo,
> Nice! It works... so as long as I register first I'm the teacher :).
> I'm just looking at web2py again in the last few weeks. I'm very happy to
> help with documentation of this feature. Just point me in the right
> direction.
>
> see: Screenshot below:
> [image: user login.jpg]
>
> On Tue, Jan 4, 2011 at 10:54 AM, David Bain <pigeonfli...@gmail.com> wrote:
> > Thanks Massimo,
> > Checking out  trunk now.
>

David Bain

Jan 4, 2011, 11:56:57 AM
to web...@googlegroups.com
Okay... I've started hacking the "Teaching version" of web2py. Hardcoded my own twitter feed.
I think it would be nice to offer custom feeds on the admin page:
see screenshot below:
[image: site.jpg]

mdipierro

Jan 4, 2011, 11:57:41 AM
to web2py-users
It would be nice to have some documentation. For now even a simple
blog post that explains purpose, how to, and shows some screen shots
will do.

Massimo

On Jan 4, 10:44 am, David Bain <pigeonfli...@gmail.com> wrote:
> Massimo,
> Nice! It works... so as long as I register first I'm the teacher :).
> I'm just looking at web2py again in the last few weeks. I'm very happy to
> help with documentation of this feature. Just point me in the right
> direction.
>
> see: Screenshot below:
> [image: user login.jpg]
>
> On Tue, Jan 4, 2011 at 10:54 AM, David Bain <pigeonfli...@gmail.com> wrote:
> > Thanks Massimo,
> > Checking out  trunk now.
>

David Bain

Jan 4, 2011, 12:07:11 PM
to web...@googlegroups.com
Possible bug: 
The teacher account is fine. However I created my first student account and was unable to log in with the credentials.


Here's my checklist of nice to have features
--------------------------------------------------------------
  • Bulk import of users from a csv
  • by default prevent non-teachers from being able to use the application wizard/ check for upgrades/ new simple application/deploy to google app engine (I've X'ed out what should not be in the interface by default)
[image: site-1.jpg]
  • possibly allow teachers to selectively enable features

David Bain

Jan 4, 2011, 12:09:46 PM
to web...@googlegroups.com
I missed the part about verification.  That's probably the issue.

VP

Jan 4, 2011, 12:10:21 PM
to web2py-users

>> One more caveat. For security, the first user is the teacher and registration is enabled by default.

I haven't tried this, but will soon. One question: Would the password
of the first user be the same as the password given to web2py?

Thanks.

David Bain

Jan 4, 2011, 12:13:04 PM
to web...@googlegroups.com
VP,
No, the password is the password that the first user signs up with.

David Bain

Jan 4, 2011, 12:16:48 PM
to web...@googlegroups.com
I'm wondering about the authentication issue. I'm working behind a firewall which blocks port 587 (used to communicate with gmail), which I'd like to use as my smtp server. 

I think for my use case I have two options:

  1. Host the server in front of the firewall
  2. Host the email sending code in front of the firewall e.g. something hosted on google appengine.

 Any other thoughts on this?

VP

Jan 4, 2011, 12:17:47 PM
to web2py-users
Okay. Thanks.

On Jan 4, 11:13 am, David Bain <pigeonfli...@gmail.com> wrote:
> VP,
> No the password is the password that the first user signs up with.
>

David Bain

Jan 4, 2011, 12:29:21 PM
to web...@googlegroups.com
Okay the register button is now present :)
[image: user login-1.jpg]

mdipierro

Jan 4, 2011, 1:01:30 PM
to web2py-users


On Jan 4, 11:07 am, David Bain <pigeonfli...@gmail.com> wrote:
> Possible bug:
> The teacher account is fine. However I created my first student account and
> was unable to log in with the credentials.
>
> Here's my checklist of nice to have features
> --------------------------------------------------------------
>
>    - Bulk import of users from a csv

you can do it already via admin/appadmin/

>    - by default prevent non-teachers from being able to use the application
>    wizard/ check for upgrades/ new simple application/deploy to google app
>    engine (I've X'ed out what should not be in the interface by default)

check for upgrades should already be disabled. I will look into it.

> [image: site-1.jpg]
>
>    - possibly allow teachers to selectively enable features

We could have more flags in 0.py and corresponding if statements in
controllers.

David Bain

Jan 4, 2011, 1:07:10 PM
to web...@googlegroups.com
@mdpierro,
More flags in 0.py would be "good enough (tm)" for my use case.

David Bain

Jan 4, 2011, 2:10:42 PM
to web...@googlegroups.com
When I try to access /admin/appadmin in Multiuser/Teaching mode.
I get an error.

see traceback below:
Traceback (most recent call last):
  File "/home/user/web2pytrunkagain/gluon/restricted.py", line 188, in restricted
    exec ccode in environment
  File "/home/user/web2pytrunkagain/applications/admin/controllers/appadmin.py", line 33, in <module>
    if not gluon.fileutils.check_credentials(request):
  File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 300, in check_credentials
    return get_session(request, other_application).authorized
  File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 278, in get_session
    raise KeyError
KeyError


mdipierro

Jan 4, 2011, 3:45:13 PM
to web2py-users
Can you try commenting out these two lines in gluon/fileutils.py

    if request.application == other_application:
        raise KeyError

Does this fix the problem?

Massimo

On Jan 4, 1:10 pm, David Bain <pigeonfli...@gmail.com> wrote:
> When I try to access /admin/appadmin in Multiuser/Teaching mode.
> I get an error.
>
> see traceback below:
>
> Traceback (most recent call last):
>   File "/home/user/web2pytrunkagain/gluon/restricted.py", line 188, in
> restricted
>     exec ccode in environment
>   File "/home/user/web2pytrunkagain/applications/admin/controllers/appadmin.py"
> <https://localhost:8001/admin/default/edit/admin/controllers/appadmin.py>,
> line 33, in <module>
>     if not gluon.fileutils.check_credentials(request):
>   File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 300, in
> check_credentials
>     return get_session(request, other_application).authorized
>   File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 278, in
> get_session
>     raise KeyError
> KeyError
>

mdipierro

Jan 4, 2011, 4:47:18 PM
to web2py-users
I think this is now fixed.

On Jan 4, 1:10 pm, David Bain <pigeonfli...@gmail.com> wrote:
> When I try to access /admin/appadmin in Multiuser/Teaching mode.
> I get an error.
>
> see traceback below:
>
> Traceback (most recent call last):
>   File "/home/user/web2pytrunkagain/gluon/restricted.py", line 188, in
> restricted
>     exec ccode in environment
>   File "/home/user/web2pytrunkagain/applications/admin/controllers/appadmin.py"
> <https://localhost:8001/admin/default/edit/admin/controllers/appadmin.py>,
> line 33, in <module>
>     if not gluon.fileutils.check_credentials(request):
>   File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 300, in
> check_credentials
>     return get_session(request, other_application).authorized
>   File "/home/user/web2pytrunkagain/gluon/fileutils.py", line 278, in
> get_session
>     raise KeyError
> KeyError
>

David Bain

Jan 4, 2011, 5:05:53 PM
to web...@googlegroups.com
I didn't get much out of commenting out those lines. In Chrome I got an unresolvable url.

mdipierro

Jan 4, 2011, 5:14:42 PM
to web2py-users
Never mind. Should now be fixed in trunk.

On Jan 4, 4:05 pm, David Bain <pigeonfli...@gmail.com> wrote:
> I didn't get much out of commenting out those lines. In Chrome I got an
> unresolvable url.
>

David Bain

Jan 4, 2011, 6:00:16 PM
to web...@googlegroups.com
BTW... regarding using a different notification solution for validation, is that built in or will I need to "roll my own"? I can't use an smtp solution because of blocked ports, so I'll need to send the information over http/https to some server that will send the validation information.

mdipierro

Jan 4, 2011, 6:08:59 PM
to web2py-users
If it is a linux box, you can use postfix or other local mail server.

On Jan 4, 5:00 pm, David Bain <pigeonfli...@gmail.com> wrote:
> BTW... regarding using a different notification solution for validation, is
> that built in or will I need to "roll my own"? I can't use an smtp solution
> because of blocked ports, so I'll need to send the information over
> http/https to some server that will send the validation information.
>

David Bain

Jan 4, 2011, 6:23:50 PM
to web...@googlegroups.com
Wouldn't postfix still need the outgoing smtp port to be open in order to send emails?

The diagram below shows our setup.
[image: user login-3.jpg]

mdipierro

Jan 4, 2011, 8:06:23 PM
to web2py-users
You are right... You can use janrain. You just need to configure admin/
models/db.py but mind you lose the configuration on web2py upgrade.

On Jan 4, 5:23 pm, David Bain <pigeonfli...@gmail.com> wrote:
> Wouldn't postfix still need the outgoing smtp port to be open in order to
> send emails?
>
> The diagram below shows our setup.[image: user login-3.jpg]
>

David Bain

Jan 4, 2011, 9:07:58 PM
to web...@googlegroups.com
I think janrain might work for me.

mdipierro

Jan 4, 2011, 9:23:38 PM
to web2py-users
You can just disable require verification since you will be approving
accounts manually.
You can also disable change_password and no email needs to be sent by
the system.
If they need to reset password they can contact you and you can do it via
admin/appadmin.

Massimo



On Jan 4, 8:07 pm, David Bain <pigeonfli...@gmail.com> wrote:
> I think janrain might work for me.
>