Redmine

HowTo to handle SVN repositories creation and access control with Redmine

Version 9 (Jean-Philippe Lang, 2007-10-14 19:33)

-Jean-Philippe Lang
+h1. HowTo to handle SVN repositories creation and access control with Redmine
 Jean-Philippe Lang
-Jean-Philippe Lang
+{{>TOC}}
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Overview
 Jean-Philippe Lang
-Jean-Philippe Lang
+*This setup is not required if you just need to browse your repositories and changesets from Redmine.*
 Jean-Philippe Lang
-Jean-Philippe Lang
+As of version 0.5.0, Redmine is able to handle Subversion repositories creation and access control.
 Jean-Philippe Lang
-Jean-Philippe Lang
+Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using ssh+svn, according to their permissions defined in Redmine :
 Jean-Philippe Lang
-Jean-Philippe Lang
+* for public projects : read access to the repository for any user, write access for project members only,
-Jean-Philippe Lang
+* for private projects : read/write access allowed to project members only.
 Jean-Philippe Lang
-Jean-Philippe Lang
+User authentication is done using the same login/password as for Redmine access.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Requirements
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Software
 Jean-Philippe Lang
-Jean-Philippe Lang
+You need Redmine 0.5.0 or higher, running with MySQL[1].
 Jean-Philippe Lang
-Jean-Philippe Lang
+Your SVN repositories must be hosted on a *nix system with the following packages:
-Jean-Philippe Lang
+* nss_mysql
-Jean-Philippe Lang
+* pam_mysql 0.7pre2 or higher, compiled with SHA1 support
 Jean-Philippe Lang
-Jean-Philippe Lang
+Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.
 Jean-Philippe Lang
-Jean-Philippe Lang
+In this HowTo, we assume that:
-Jean-Philippe Lang
+* the redmine database is called @redmine@ and hosted on @localhost@
-Jean-Philippe Lang
+* the Subversion repositories are located in @/var/svn@
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Network considerations
 Jean-Philippe Lang
-Jean-Philippe Lang
+The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Setup
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Installing requires packages
 Jean-Philippe Lang
-Jean-Philippe Lang
+Get nss_mysql and other necessary packages:
 Jean-Philippe Lang
-Jean-Philippe Lang
+  apt-get install build-essential libnss-mysql libpam0g-dev libssl-dev
 Jean-Philippe Lang
-Jean-Philippe Lang
+Get and build @pam_mysql@:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+$ cd /usr/src
-Jean-Philippe Lang
+$ wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
-Jean-Philippe Lang
+$ tar xzf pam_mysql-0.7RC1.tar.gz
-Jean-Philippe Lang
+$ cd pam_mysql-0.7RC1
-Jean-Philippe Lang
+$ ./configure --with-openssl
-Jean-Philippe Lang
+$ make && make install
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Preparing the Redmine database
 Jean-Philippe Lang
-Jean-Philippe Lang
+Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Create the different views in your Redmine database :
 Jean-Philippe Lang
-Jean-Philippe Lang
+  mysql --user=root redmine -p < create_views.sql
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Create and grant privileges to 2 new mysql users (@redmine_nss@ and @redmine_pam@):
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+mysql --user=root -p
-Jean-Philippe Lang
+mysql> create user redmine_nss@localhost identified by 'averylongpassword';
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> create user redmine_pam@localhost identified by 'averylongpassword';
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Configuring nss-mysql
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Create the /etc/nss-mysql.conf as follows:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+conf.version = 2;
-Jean-Philippe Lang
+users.host = inet:localhost:3306;
-Jean-Philippe Lang
+users.database = redmine;
-Jean-Philippe Lang
+users.db_user = redmine_nss;
-Jean-Philippe Lang
+users.db_password = averylongpassword;
-Jean-Philippe Lang
+users.backup_database = nss_mysql_backup;
-Jean-Philippe Lang
+users.table = nss_users;
-Jean-Philippe Lang
+users.user_column = nss_users.username;
-Jean-Philippe Lang
+users.userid_column = nss_users.username;
-Jean-Philippe Lang
+users.uid_column = nss_users.uid;
-Jean-Philippe Lang
+users.gid_column = 100;
-Jean-Philippe Lang
+users.realname_column = nss_users.realname;
-Jean-Philippe Lang
+users.homedir_column = "/false/path";
-Jean-Philippe Lang
+users.shell_column = "/usr/local/bin/svnserve.wrapper";
-Jean-Philippe Lang
+groups.group_info_table = nss_groups;
-Jean-Philippe Lang
+groups.group_name_column = nss_groups.name;
-Jean-Philippe Lang
+groups.groupid_column = nss_groups.gid;
-Jean-Philippe Lang
+groups.gid_column = nss_groups.gid;
-Jean-Philippe Lang
+groups.password_column = "x";
-Jean-Philippe Lang
+groups.members_table = nss_grouplist;
-Jean-Philippe Lang
+groups.member_userid_column = nss_grouplist.username;
-Jean-Philippe Lang
+groups.member_groupid_column = nss_grouplist.gid;
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Install the svnserve wrapper
 Jean-Philippe Lang
-Jean-Philippe Lang
+  sudo install svnserve.wrapper /usr/local/bin
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Change /etc/nsswitch.conf
 Jean-Philippe Lang
-Jean-Philippe Lang
+Add “mysql” at the end of the two lines passwd and group like that :
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+passwd:         compat mysql
-Jean-Philippe Lang
+group:          compat mysql
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Test that all this stuff works :
 Jean-Philippe Lang
-Jean-Philippe Lang
+You must have users in some project to verify.
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+% getent passwd
-Jean-Philippe Lang
+[...]
-Jean-Philippe Lang
+user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
-Jean-Philippe Lang
+user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper
 Jean-Philippe Lang
-Jean-Philippe Lang
+% getent group
-Jean-Philippe Lang
+[...]
-Jean-Philippe Lang
+project1:x:5001:
-Jean-Philippe Lang
+project2:x:5002:
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Authorize ssh pam to use mysql
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Add these lines in @/etc/pam.d/ssh@ :
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+auth sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
 Jean-Philippe Lang
-Jean-Philippe Lang
+account sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
 Jean-Philippe Lang
-Jean-Philippe Lang
+password sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+Juste before
 Jean-Philippe Lang
-Jean-Philippe Lang
+  @include common-auth
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Test this against an existing Redmine user
 Jean-Philippe Lang
-Jean-Philippe Lang
+Try to connect to the SVN host using a Redmine username (eg. jsmith):
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+$ ssh jsmith@localhost
-Jean-Philippe Lang
+jsmith@localhost's password:
-Jean-Philippe Lang
+Could not chdir to home directory /false/path: No such file or directory
-Jean-Philippe Lang
+( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline ) ) )
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+The chdir error is the expected result.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Automating repository creation
 Jean-Philippe Lang
-Jean-Philippe Lang
+Repository creation can be automated by running periodically the reposman script.
 Jean-Philippe Lang
-Jean-Philippe Lang
+It takes 2 arguments:
 Jean-Philippe Lang
-Jean-Philippe Lang
+    * @svn-dir@: path to the directory where your svn repositories are located
-Jean-Philippe Lang
+    * @redmine-host@: host name of your Redmine install
 Jean-Philippe Lang
-Jean-Philippe Lang
+Perl and Ruby versions of this script are provided. The Perl version requires @libsoap-lite-perl@.
 Jean-Philippe Lang
-Jean-Philippe Lang
+Example using the Ruby version:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+$ sudo ./reposman.rb --svn-dir=/var/svn --redmine-host=localhost
-Jean-Philippe Lang
+repository /var/svn/project2 created
-Jean-Philippe Lang
+repository /var/svn/project1 created
-Jean-Philippe Lang
+mode change on /var/svn/project3
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
-Jean-Philippe Lang
+To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.
 Jean-Philippe Lang
-Jean-Philippe Lang
+Make sure this option is checked if you get this error when running reposman:
-Jean-Philippe Lang
+@Service description 'http://localhost/sys/service.wsdl' can't be loaded: 404 Not Found@
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Accessing the repositories
 Jean-Philippe Lang
-Jean-Philippe Lang
+Members of project1 are now able to access the repository using this url:
 Jean-Philippe Lang
-Jean-Philippe Lang
+  svn+ssh://svnhost/project1
 Jean-Philippe Lang
 Jean-Philippe Lang
-Jean-Philippe Lang
+fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling,...