Mailman 3 March 2006 - Twisted-web

Re: [Nevow-commits] r5247 - Change package_data so that distutils and setuptools include the athena_private
by Tristan Seligmann 10 Mar '06

10 Mar '06

* mg(a)divmod.net <mg(a)divmod.net> [2006-03-09 09:12:35 -0500]: > resource correctly. > > Note: the actual package data is the athena_private directory in the nevow > package, not the files in the non-existant nevow.athena_private package. > Modified: trunk/Nevow/setupcommon.py > ============================================================================== > --- trunk/Nevow/setupcommon.py (original) > +++ trunk/Nevow/setupcommon.py Thu Mar 9 09:12:35 2006 > @@ -17,6 +17,7 @@ > 'freeform-default.css' > ], > 'nevow': [ > + 'athena_private/*', > 'athena.js', > 'defer.js', > 'divmod.js', > @@ -48,7 +49,4 @@ > 'test_object.js', > 'testsupport.js', > ], > - 'nevow.athena_private': [ > - 'connection-status-down.png', > - ], > } > This change does fix setuptools behaviour, but now distutils no longer works. I gues someone who knows more about distutils and setuptools than I do needs to figure this one out; I originally added the non-existent nevow.athena_private package because that was the only way that seemed to work for distutils. Argh! -- mithrandi, i Ainil en-Balandor, a faer Ambar

2 3

secure access to xmlrpc, soap (access from ip-ranges, login, ssl) - a feasible approach?
by Marco Aschwanden 09 Mar '06

09 Mar '06

Hi I would like to write a server, that delivers the same services over xmlrpc or soap. It is no problem to design this. The problem arises when it comes to authentification. What I want: - Deliver services in xmlrpc or soap - Deliver services only to people in well defined ip-ranges (192.168.1.*,...) - Deliver services only to logged in users (except for login requests which should always pass!) - User don't have to log in each time they do a request! (overhead would be deadly) - Deliver services encrypted (ssl) if desired What I have: - I have a server that delivers services over xmlrpc or soap - I have a class that keeps track for users that have logged in/expired/available. - I have a class that can test, whether the request comes from a valid ip. The problem(s): - I know that twisted has "cred" library to authentificate people. I don't see how this is usable with a stateless protocol like xmlrpc or soap. As far as I understood the "cred"-library does not apply to xmlrpc or soap. If it does, than a simple exmaple would be very nice. To me it seems, that the best point to enforce "authentification" and "logged sessions" is to override render-method of --> twisted.web.xmlrpc.XMLRPC --> twisted.soap.SOAPPublisher from twisted.web.xmlrpc import XMLRPC import xmlrpclib import bsw_config class XMLRPC_WITH_AUTH(XMLRPC): def __init__(self): XMLRPC.__init__(self) def render(self, request): """Overriding this let me introduce authentification.""" # <Modification> # --> verify whether the ip is in the allowed range --> # I do it here, before any further handling is done! # verify --> request.client.host is allowed # </Modification> request.content.seek(0, 0) args, functionPath = xmlrpclib.loads(request.content.read()) # <Modification> # Always let login request pass! (xxx Multicall?) if not functionPath == u"do_login": # verify user logged in already based on IP (port always changes - # because xmlrpc is stateless) # what other possibilty do I have for a unique id? if not verify_user_is_logged_in(request.client.host): self._cbRender(Fault(xxx, xxx) , request) return server.NOT_DONE_YET # </Modification> try: function = self._getFunction(functionPath) except Fault, f: self._cbRender(f, request) else: request.setHeader("content-type", "text/xml") defer.maybeDeferred(function, *args).addErrback( self._ebRender ).addCallback( self._cbRender, request ) return server.NOT_DONE_YET The two <modification></modification> show my intended interventions. Is this a feasible approach? The only unique id I have from the client is his IP - the socket/port, as I said, changes with each request (stateless nature of xmlrpc/soap). This poses a security risk, because clients served from the same proxy/router/firewall have the same IP... which forces me to add a unique token to each request (please not). Do you know another unique item of each request, that identifies the client further? To further secure the transport, I would like to be able to transport the data over ssl. Is this as easy as: reactor.listenSSL(XMLRPC_PORT, server.Site(XmlrpcPublisher()), some_cert) reactor.listenSSL(SOAP_PORT, server.Site(SoapPublisher()), some_cert) Thanks for all your answers in advance, Greetins, Marco

1 0

remote admin app, ssh connection costs
by Gustavo Rahal 03 Mar '06

03 Mar '06

Hi All I did a small xmlrpc webservice that basicly expose some methods to interact (run commands, for example) with a lists of UNIX servers. At startup, the webservice connects via ssh to all the UNIX servers (currently 16) and leave the connections open waiting for requests from clients. The app was designed mostly as a way of learninig how to use twisted ssh modules, deferreds etc... Some questions (I'll try to be brief): 1) At startup, the ssh connections to the UNIX servers goes as far as the client connection step (connection.SSHConnection) and are kept open. So, each time a client requests (via xmlrpc) a shell command to run, the webservice opens a channel to this server (channel.SSHChannel) runs the command, gets the output and closes the channel. Would it be better to leave a channel open so there is no overhead of openning a channel each time there is a command to run? What are the pros and cons? 2) Supposing that the number of servers grow, how many simultaneous ssh connections is a reasonable amount? Let's say a Pentium III 500MHz with 1 GB RAM and a 4 Mbits link. What is a reasonable amont? 0-50, 50-100, 100-150? I know it depends on the internet link and server specs but is there a math that calculate a reasonable amount of tcp/ssh connections? I guess that's it for now... Thanks Gustavo

2 1