Mercurial repository authentication

Added by Bill Dieter over 13 years ago

I am trying to use Redmine for authentication of Mercurial repositories, and am having trouble with authentication. I am following the Repositories access control with apache, mod_dav_svn and mod_perl HowTo. I can browse repositories within Redmine from the repository tab, but when I try to clone one with hg clone, I get "abort: authorization failed". If I try to access the repository through the web, Firefox keeps prompting for the password. I do not see any errors in /var/log/apache2/errors.log.

Any ideas what might be wrong or where I might look for log messages?

Below is the relevant part of the Apache configuration file:

        RewriteEngine on
        PerlLoadModule Apache2::Redmine
        PerlLoadModule Authen::Simple::LDAP
        ScriptAliasMatch /hg(.*) /var/www/Foo/cgi-bin/hgwebdir.cgi/$1
        <Location /hg>
                AuthType Basic
                AuthName "Please use your Redmine password." 
                Require valid-user

                #Redmine auth
                PerlAccessHandler Apache::Authn::Redmine::access_handler
                PerlAuthenHandler Apache::Authn::Redmine::authen_handler
                RedmineDSN "DBI:mysql:database=redmine_default;host=localhost" 
                RedmineDbUser "redmine" 
                RedmineDbPass "xxx" 
        </Location>

If I comment out everything between the Location tags, then I can clone and otherwise operate on the repository through http (e.g., hg clone http://www.example.com/hg/foo), but of course, there is no authentication.

Redmine version 0.9.3 from the Ubuntu 10.04 package

        # RAILS_ENV=production script/about
        About your application's environment
        Ruby version              1.8.7 (x86_64-linux)
        RubyGems version          1.3.5
        Rails version             2.2.3
        Active Record version     2.2.3
        Action Pack version       2.2.3
        Active Resource version   2.2.3
        Action Mailer version     2.2.3
        Active Support version    2.2.3
        Edge Rails revision       unknown
        Application root          /usr/share/redmine
        Environment               production
        Database adapter          mysql
        Database schema version   20100221100219

Apache version is 2.2.14 and mysql version is 5.1.37 (from the default Ubuntu 10.04 packages).


Replies (5)

RE: Mercurial repository authentication - Added by Felix Schäfer over 13 years ago

Mmh, I don't see anything bad in your config and can confirm that it should work, at least in a svn setup. The only thing that comes to mind: do you have a project with the identifier foo in your redmine, and does the user you are trying to access the repo as have "read" and maybe even "write" (don't know what http methods hg uses…) permissions for "repository" in this project? (and no, admins are not reflected in the perl module, i.e. the user needs those permissions explicitly).

RE: Mercurial repository authentication - Added by Bill Dieter over 13 years ago

The project identifier is not foo in redmine, but the project repository is set to /var/www/Foo/repos/foo in the Project Settings under the Repository tab, and that is where the files are. Does the directory in the file system have to match the project name?

The user I am using has both the administrator and manager roles for this particular project, and with the config I am using the manager has all permissions on the repository ("Manage repository", "Browse repository", "View changesets", "Commit access").

I don't know the details of the hg http protocol, but it looks from my Apache access.log like it is using GET. The first line below appears after I enter the hg command, and the second appears after typing user name and password.

128.163.7.129 - - [03/Nov/2010:18:22:32 -0400] "GET /hg/foo?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between HTTP/1.1" 401 3236 "-" "mercurial/proto-1.0" 
128.163.7.129 - bdieter [03/Nov/2010:18:23:40 -0400] "GET /hg/foo?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between HTTP/1.1" 401 3236 "-" "mercurial/proto-1.0" 

RE: Mercurial repository authentication - Added by Felix Schäfer over 13 years ago

Bill Dieter wrote:

The project identifier is not foo in redmine, but the project repository is set to /var/www/Foo/repos/foo in the Project Settings under the Repository tab, and that is where the files are. Does the directory in the file system have to match the project name?

The setting in the repository tab is irrelevant in this case, the perl module recognizes the "project" of the repository you are trying to access from the "next part" of the URL after the location setting from apache against the project identifiers in redmine. So yes, in this case the directory the repo is in has to match the project identifier.
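
The matching rule described in the reply above, as an added example that is not part of the original thread and is not Redmine's Perl module: a small diagnostic that reads access-log lines, takes the path segment after the Apache Location as the project identifier (an assumed approximation of the module's rule), and explains each 401 that came back after credentials were sent. The log lines, user names, identifiers and function names are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the access.log lines quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2010:18:22:32 -0400] "GET /hg/foo?cmd=between HTTP/1.1" 401 3236 "-" "mercurial/proto-1.0"
192.0.2.10 - alice [03/Nov/2010:18:23:40 -0400] "GET /hg/foo?cmd=between HTTP/1.1" 401 3236 "-" "mercurial/proto-1.0"
192.0.2.11 - bob [03/Nov/2010:18:25:02 -0400] "GET /hg/widgets?cmd=between HTTP/1.1" 401 3236 "-" "mercurial/proto-1.0"
192.0.2.12 - carol [03/Nov/2010:18:26:15 -0400] "GET /hg/widgets?cmd=between HTTP/1.1" 200 1 "-" "mercurial/proto-1.0"
"""

# Hypothetical project identifiers, as they would appear in Redmine's project settings.
KNOWN_IDENTIFIERS = {"widgets", "foo-project"}

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def project_from_target(target, location="/hg"):
    """First path segment after the Location prefix, or None (assumed matching rule)."""
    path = target.split("?", 1)[0]
    prefix = location.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    return path[len(prefix):].split("/", 1)[0] or None

def diagnose(log_text, identifiers, location="/hg"):
    """Explain each 401 that was returned after credentials were sent."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # A 401 with user "-" is only the initial Basic-auth challenge; skip it.
        if not m or m["status"] != "401" or m["user"] == "-":
            continue
        segment = project_from_target(m["target"], location)
        if segment is None:
            reason = "request is outside the protected Location"
        elif segment not in identifiers:
            reason = "no project with this identifier; rename the repository directory to match"
        else:
            reason = "identifier matches; check the password and the user's role on the project"
        findings.append((m["user"], segment, reason))
    return findings

if __name__ == "__main__":
    for user, segment, reason in diagnose(SAMPLE_LOG, KNOWN_IDENTIFIERS):
        print(f"{user} -> {segment}: {reason}")
```
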

RE: Mercurial repository authentication - Added by Bill Dieter over 13 years ago

That fixed it. Now that I go back through the instructions again, I see that they said the repository directory has to match the identifier. I edited the wiki page to have an example where it talks about the directory and project id needing to match. Hopefully, that will help other people.

I also added a few sentences to the "Gotchas" section about the user having to have a role that lets them access the repository, because it sounds like that might be a common problem.

I had to install libauthen-simple-ldap-perl (on Ubuntu 10.04) to get the perl simple LDAP module. Looking over the instructions, it looks like git and one of the svn variations use the perl simple LDAP module for authentication, so I added it to the list of packages on the wiki page. I am not sure if adding the package to the list is the right thing to do, because it looks like one of the svn options does not need it.

If you would prefer to keep the list to a minimum, I could try to figure out where to add text saying to download the module so that users will only download it if they need it.

Thanks again,
Bill.

RE: Mercurial repository authentication - Added by Felix Schäfer over 13 years ago

Bill Dieter wrote:

That fixed it. Now that I go back through the instructions again, I see that they said the repository directory has to match the identifier. I edited the wiki page to have an example where it talks about the directory and project id needing to match. Hopefully, that will help other people.

I also added a few sentences to the "Gotchas" section about the user having to have a role that lets them access the repository, because it sounds like that might be a common problem.

I had to install libauthen-simple-ldap-perl (on Ubuntu 10.04) to get the perl simple LDAP module. Looking over the instructions, it looks like git and one of the svn variations use the perl simple LDAP module for authentication, so I added it to the list of packages on the wiki page. I am not sure if adding the package to the list is the right thing to do, because it looks like one of the svn options does not need it.

If you would prefer to keep the list to a minimum, I could try to figure out where to add text saying to download the module so that users will only download it if they need it.

Thanks a lot, though I'd like to send you back for 2 amendments: the perl-LDAP-thingie package is obviously only needed if you use LDAP, and the thing that being admin isn't enough isn't specific to LDAP auth.
