id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 23350,mod_wsgi authentication/authorization docs result in extra memory usage,Graham Dumpleton,Daniel Craigmile,"The documentation at: * https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/apache-auth/ uses the examples: {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIPythonPath /path/to/mysite.com WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup django AuthType Basic AuthName ""Top Secret"" Require valid-user AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py }}} and {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup django AuthType Basic AuthName ""Top Secret"" AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py Require group secret-agents Require valid-user }}} Although these will work, they cause the Django application code to be loaded more than once into the same process. That is, you end up with an instance in one sub interpreter which handles web request, and another instance in another sub interpreter which handles just authentication and authorisation. Ideally you do no want two copies as that simply increases overall memory usage. The original mod_wsgi documentation does point to this in the statements: ''By default the auth providers are executed in context of first interpreter created by Python, ie., '%{GLOBAL}' and always in the Apache child processes, never in a daemon process. The interpreter can be overridden using the 'application-group' option to the script directive. The namespace for authentication groups is shared with that for application groups defined by WSGIApplicationGroup.'' ''Because the auth provider is always run in the Apache child processes and never in the context of a mod_wsgi daemon process, if the authentication check is making use of the internals of some Python web framework, it is recommended that the application using that web framework also be run in embedded mode and the same application group. This is the case as the Python web frameworks often bring in a huge amount of code even if using only one small part of them. This will result in a lot of memory being used in the Apache child processes just to support the auth provider.'' To combat this double of memory usage the mod_wsgi documentation gives the example of: {{{ WSGIAuthUserScript /usr/local/django/mysite/apache/auth.wsgi application-group=django }}} It is this use of the {{{application-group}}} argument for {{{WSGIAuthUserScript}}} and {{{WSGIAuthGroupScript}}} that the Django documentation doesn't use. The Django examples therefore should really use: {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIPythonPath /path/to/mysite.com WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup django AuthType Basic AuthName ""Top Secret"" Require valid-user AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py application-group=django }}} and {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup django AuthType Basic AuthName ""Top Secret"" AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py application-group=django WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py application-group=django Require group secret-agents Require valid-user }}} On the presumption that there is only the one Django application, it may actually be better to turn that around and force the Django application to run in the main interpreter anyway. This is better as some third party extension modules for Python do not work properly in sub interpreters. Thus may be better to use: {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIPythonPath /path/to/mysite.com WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup %{GLOBAL} AuthType Basic AuthName ""Top Secret"" Require valid-user AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py }}} and {{{ WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py WSGIProcessGroup %{GLOBAL} WSGIApplicationGroup %{GLOBAL} AuthType Basic AuthName ""Top Secret"" AuthBasicProvider wsgi WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py Require group secret-agents Require valid-user }}}",Cleanup/optimization,closed,Documentation,1.6,Normal,fixed,afraid-to-commit,,Ready for checkin,1,0,0,0,1,0