Update doc for pipeweb behing apache, add autostart functionnality

README.org

@@ -1034,9 +1034,10 @@ Pipeline(pipedot, codedir=, prefix=, env=MyEnvironment)
 ** Launching pipeweb behind apache
 
 Pipeweb use the cherrypy web framework server and can be run behind an
-apache webserver which brings essentially two advantages:
+apache web server which brings essentially two advantages:
 - access to *_mod apache facilities (https, gzip, authentication facilities ...).
-- faster static files serving (the pipelet appli actually use quite few of them so the actual gain is marginal).
+- faster static files serving (the pipelet application actually use
+  quite few of them so the actual gain is marginal).
 
 There is actually several way of doing so, the [[http://tools.cherrypy.org/wiki/BehindApache][cherrypy]] documentation
 giving hints about each. We describe here an example case using
@@ -1049,10 +1050,10 @@ mod_rewrite and virtual hosting.
    =sudo a2enmod proxy=
    =sudo a2enmod proxy_http=
 
-2. We then configure apache to rewrite request to the cherrypy apps
-   except for the static files of the application that will be served
-   directly. Here is a sample configuration file for a dedicated
-   virtual host named pipeweb with pipelet installed under
+2. We then configure apache to rewrite request to the cherrypy
+   application except for the static files of the application that
+   will be served directly. Here is a sample configuration file for a
+   dedicated virtual host named pipeweb with pipelet installed under
    =/usr/local/lib/python2.6/dist-packages/=.
   #+begin_src apache
   <VirtualHost pipeweb:80>
@@ -1072,8 +1073,96 @@ mod_rewrite and virtual hosting.
    specified address and port:
    =pipeweb start -H 127.0.0.1=
 
+There is also some possibility to start the application on demand
+using a cgi script like:
+#+begin_src python
+    #!/usr/local/bin/python
+    print "Content-type: text/html\r\n"
+    print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
+    import os
+    os.system('pipeweb start -H 127.0.0.1')
+#+end_src
+To have it executed when the proxy detect the absence of the application:
+#+begin_src apache
+  <VirtualHost pipeweb:80>
+      #...
+      ScriptAliasMatch ^/pipeweb_autostart\.cgi$ /usr/local/bin/pipeweb_autostart.cgi
+      RewriteEngine on
+      RewriteCond  %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
+      RewriteRule ^/static/(.*) /usr/local/lib/python2.6/dist-packages/pipelet/static/$1 [L]
+      RewriteCond  %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
+      RewriteRule ^(.*) http://127.0.0.1:8080$1 [proxy]
+      ErrorDocument 503 /pipeweb_autostart.cgi
+      #...
+  </VirtualHost>
+#+end_src
+You may want to adjust ownership and suid of the
+=pipeweb_autostart.cgi= script so that it executes with the correct
+rights.
+
+Pipeweb handles access rights using per pipeline ACL registered in the
+database file. It support Basic and Digest http authentication. When
+deploying the pipeweb interface in a production environment, one may
+want to defer a part of the authorization process to external and
+potentially more secure systems. The pipeweb behavior in term of
+authorization is controlled by the =-A= option that accept the
+following arguments:
+- =Digest= (default) Authenticate users via HTTP Digest authentication
+  according to the user:passwd list stored in the database.
+- =Basic= Authenticate users via HTTP Basic (clear text)
+  authentication according to the user:passwd list stored in the
+  database.
+- =ACL= Check the access rights of otherwise authenticated users
+  according to the user list stored in the database.
+- =None= Do no check. (Defer the whole authentication/authorization
+  process to the proxy.)
+
+Here is a complete configuration sample making of https, basic
+authentication, and per pipeline ACL to secure data browsing.
+
+#+begin_src apache
+  <VirtualHost _default_:443>
+      ServerAdmin pipeweb_admin@localhost
+      DocumentRoot /usr/local/lib/python2.6/dist-packages/pipelet
+  
+      # ErrorLog /some/custom/error_file.log
+      # CustomLog /some/custom/access_file.log common
+  
+      SSLEngine on
+      SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+      SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+  
+      # This handles authentication and access to the index page 
+      # Access right checking to the various registered pipelines 
+      # is left to pipeweb
+      <Location />
+          #Replace with Any suitable authentication system
+          AuthName             "pipeweb"
+          AuthType             Basic
+          AuthUserFile         /etc/apache2/pipelet.pwd
+          require              valid-user
+      </Location>
+  
+      ScriptAliasMatch ^/pipeweb_autostart\.cgi$ /usr/local/bin/pipeweb_autostart.cgi
+      RewriteEngine on
+      RewriteCond  %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
+      RewriteRule ^/static/(.*) /usr/local/lib/python2.6/dist-packages/pipelet/static/$1 [L]
+      RewriteCond  %{SCRIPT_FILENAME} !pipeweb_autostart\.cgi$
+      RewriteRule ^(.*) http://127.0.0.1:8080$1 [proxy]
+      ErrorDocument 503 /pipeweb_autostart.cgi
+  </VirtualHost>
+#+end_src
+
+And the corresponding cgi script:
+#+begin_src python
+    #!/usr/local/bin/python
+    print "Content-type: text/html\r\n"
+    print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
+    import os
+    os.system('pipeweb start -H 127.0.0.1 -A ACL')
+#+end_src
+
 
-When deploying the pipeweb interface in a production environment, one may want 
 * The Pipelet actors
   
 This section document the code for developers.  The code documentation

pipelet/auth.py

@@ -17,7 +17,6 @@ def check_access(auth_type, access_level):
     auth_type: either 'None', 'ACL', 'Basic', 'Digest'
     access_level: the required access level.
     """
-    cherrypy.log.error('auth_type:%s'%auth_type)
     realm = "pipeweb"
     if auth_type == 'None':
         #No autorization check required
@@ -41,7 +40,6 @@ def check_access(auth_type, access_level):
             return False    
     password = dic.get(ah["username"], None)
     encrypt = lambda x:x
-    cherrypy.log.error('password:%s'%password)
     if cherrypy.lib.httpauth.checkResponse(ah, password, method=cherrypy.request.method,
                               encrypt=encrypt, realm=realm):
         cherrypy.request.login = ah["username"]

pipelet/web.py

@@ -805,7 +805,10 @@ def start(config, config_file):
     from cherrypy.process.plugins import Daemonizer, PIDFile
     cherrypy.config.update(config)
     cherrypy.config.update(config_file)
-    cherrypy.tree.mount(PipeIndex(),"",config)
+    app = cherrypy.tree.mount(PipeIndex(),"",config)
+    if hasattr(app, 'toolboxes'):
+        # CherryPy 3.1+
+        app.toolboxes['pipeauth'] = auth.pipeauth
     d = Daemonizer(cherrypy.engine)
     d.subscribe()
     p = PIDFile(cherrypy.engine, config['global']['server.pidfile'])

scripts/pipeweb_autostart.cgi

+#!/usr/bin/python
+print "Content-type: text/html\r\n"
+print """<html><head><META HTTP-EQUIV="Refresh" CONTENT="1; URL=/"></head><body>Restarting site ...<a href="/">click here<a></body></html>"""
+import os
+os.system('pipeweb start -H 127.0.0.1')

setup.py

@@ -13,5 +13,5 @@ setup(name='pipelet',
                   'pipelet.pipeline','pipelet.tracker', 'pipelet.repository', 'pipelet.launchers',
                   'pipelet.task', 'pipelet.utils', 'pipelet.web'],
       package_data={'pipelet': ['static/*']},
-      scripts=['scripts/pipeweb', 'scripts/pipeutils', 'scripts/pipeletd']
+      scripts=['scripts/pipeweb', 'scripts/pipeutils', 'scripts/pipeletd', 'scripts/pipeweb_autostart.cgi']
       )