Bug 1393121

Summary: [Docs][RFE] Integrate Python / HTTPD with Red Hat SSO
Product: OpenShift Container Platform Reporter: Brennan Vincello <bvincell>
Component: DocumentationAssignee: Gaurav Nelson <gnelson>
Status: CLOSED CANTFIX QA Contact: Tomas Schlosser <tschloss>
Severity: medium Docs Contact: Vikram Goyal <vigoyal>
Priority: medium    
Version: 3.3.0CC: aos-bugs, bvincell, jokerman, mmccomas
Target Milestone: ---Flags: vigoyal: needinfo? (bvincell)
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-06 01:59:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Brennan Vincello 2016-11-08 22:01:24 UTC 
Document URL: 
https://docs.openshift.com/enterprise/3.1/using_images/xpaas_images/sso.html

Section Number and Name: 
Red Hat Single Sign-On (SSO) xPaaS Image

Describe the issue: 
Need documentation on how to integrate Python / HTTPD with Red Hat SSO

Suggestions for improvement: 
There are docs on how to get SSO working with JBoss EAP.   https://docs.openshift.com/enterprise/3.1/using_images/xpaas_images/sso.html.  Requesting docs to be created for SSO working with HTTPD / python S2I image.

Additional information: 
Submitted on behalf of client
Comment 2 Gaurav Nelson 2016-12-06 01:59:56 UTC 
Since, this is not doable at the moment, I am closing this bug (not a docs issue).

Please see comments from Graham Dumpleton below:
-------------------------------------------------------------------------------
It cannot be done at this time.

The current Python S2I builder image for OpenShift includes the wrong Apache httpd packages. It needs to use the SCL version and not the default RHEL/Centos versions.

An issue and PR have been raised to have the S2I builder updated:

    https://github.com/sclorg/s2i-python-container/issues/161
    https://github.com/sclorg/s2i-python-container/pull/162

If this is important to you, please comment on the PR so the developers of the Python S2I builder know there is interest in this.

Once the Python S2I builder is updated, if you need SSO for a Python WSGI application, you will need to use md_wsgi-express in conjunction with the Python S2I builder. The mod_wsgi-express package wraps up Apache/mod_wsgi, automatically creating an Apache configuration for you. An additional configuration snipper would then need to be supplied for mod_wsgi-express to set up the SSO component. Your options for SSO would be LDAP, Kerberos, or a custom scripted solution which uses the Apache mod_session module.

If you can’t wait for the Python S2I builder to be updated, then one could use Docker build strategy in OpenShift to create your own custom builder image direct from the changes in the PR.

If need be I can explain how to do that, and if can get more details on what authentication/authorisation mechanism they are able to use out of the options available, can then indicate how to use mod_wsgi-express to do it.

------------------------------------------------------------------------------