HowTo to handle SVN repositories creation and access control with Redmine » History » Version 1
Jean-Philippe Lang, 2007-10-01 17:32
| 1 | 1 | Jean-Philippe Lang | h1. HowTo to handle SVN repositories creation and access control with Redmine |
|---|---|---|---|
| 2 | |||
| 3 | h2. Overview |
||
| 4 | |||
| 5 | *This setup is not required if you just need to browse your repositories and changesets from Redmine.* |
||
| 6 | |||
| 7 | As of version 0.5.0, Redmine is able to handle Subversion repositories creation and access control. |
||
| 8 | |||
| 9 | Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using ssh+svn, according to their permissions defined in Redmine : |
||
| 10 | |||
| 11 | * for public projects : read access to the repository for any user, write access for project members only, |
||
| 12 | * for private projects : read/write access allowed to project members only. |
||
| 13 | |||
| 14 | User authentication is done with the same login/password as for Redmine access. |
||
| 15 | |||
| 16 | h2. Requirements |
||
| 17 | |||
| 18 | h3. Software |
||
| 19 | |||
| 20 | You need Redmine 0.5.0 or higher, running with MySQL[1]. |
||
| 21 | |||
| 22 | Your SVN repositories must be hosted on a *nix system. They don’t have to be on the same host you installed Redmine on. |
||
| 23 | Is required on your SVN host : |
||
| 24 | |||
| 25 | * nss_mysql |
||
| 26 | * pam_mysql 0.7pre2 or higher, compiled with SHA1 support[2] |
||
| 27 | * perl with SOAP::Lite package |
||
| 28 | |||
| 29 | Scripts used in this HowTo can be found in the /extra/svn directory of Redmine. |
||
| 30 | |||
| 31 | h3. Network considerations |
||
| 32 | |||
| 33 | The SVN host must be able to access both the redMine database and HTTP server(s). In many cases, they will all be located on the same host. |
||
| 34 | |||
| 35 | h2. Setup |
||
| 36 | |||
| 37 | h3. Preparing the Redmine database |
||
| 38 | |||
| 39 | Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions. |
||
| 40 | |||
| 41 | 1. Create the different views in your redMine database : |
||
| 42 | |||
| 43 | mysql --user=redmine_user redmine_database -p < db_views.sql |
||
| 44 | |||
| 45 | 2. Grant privileges : |
||
| 46 | |||
| 47 | <pre> |
||
| 48 | mysql --user=root |
||
| 49 | mysql> create user redmine_nss@localhost identified by 'averylongpassword'; |
||
| 50 | mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost; |
||
| 51 | Query OK, 0 rows affected (0.03 sec) |
||
| 52 | mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost; |
||
| 53 | Query OK, 0 rows affected (0.00 sec) |
||
| 54 | mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost; |
||
| 55 | Query OK, 0 rows affected (0.00 sec) |
||
| 56 | create user redmine_pam@localhost identified by 'averylongpassword'; |
||
| 57 | grant SELECT on redmine.ssh_users to redmine_pam@localhost; |
||
| 58 | </pre> |
||
| 59 | |||
| 60 | h3. Configuring nss-mysql on your SVN server |
||
| 61 | |||
| 62 | 3. Create the /etc/nss-mysql.conf as follows: |
||
| 63 | |||
| 64 | <pre> |
||
| 65 | conf.version = 2; |
||
| 66 | users.host = inet:localhost:3306; |
||
| 67 | users.database = redmine; |
||
| 68 | users.db_user = redmine_nss; |
||
| 69 | users.db_password = averygoodpassword; |
||
| 70 | users.backup_database = nss_mysql_backup; |
||
| 71 | users.table = nss_users; |
||
| 72 | users.user_column = nss_users.username; |
||
| 73 | users.userid_column = nss_users.uid; |
||
| 74 | users.uid_column = nss_users.uid; |
||
| 75 | users.gid_column = 100; |
||
| 76 | users.realname_column = nss_users.realname; |
||
| 77 | users.homedir_column = "/false/path"; |
||
| 78 | users.shell_column = "/usr/local/bin/svnserve.wrapper"; |
||
| 79 | groups.group_info_table = nss_groups; |
||
| 80 | groups.group_name_column = nss_groups.name; |
||
| 81 | groups.groupid_column = nss_groups.gid; |
||
| 82 | groups.gid_column = nss_groups.gid; |
||
| 83 | groups.password_column = "x"; |
||
| 84 | groups.members_table = nss_grouplist; |
||
| 85 | groups.member_userid_column = nss_grouplist.username; |
||
| 86 | groups.member_groupid_column = nss_grouplist.gid; |
||
| 87 | </pre> |
||
| 88 | |||
| 89 | 4. Install the svnserve wrapper |
||
| 90 | |||
| 91 | sudo install svnserve.wrapper /usr/local/bin |
||
| 92 | |||
| 93 | 5. Change /etc/nsswitch.conf |
||
| 94 | |||
| 95 | Add “mysql” to the two lines passwd and group like that : |
||
| 96 | |||
| 97 | <pre> |
||
| 98 | passwd: compat mysql |
||
| 99 | group: compat mysql |
||
| 100 | </pre> |
||
| 101 | |||
| 102 | 6. Test that all this stuff works : |
||
| 103 | |||
| 104 | You must have users in some project to verify. |
||
| 105 | |||
| 106 | <pre> |
||
| 107 | % getent passwd |
||
| 108 | [...] |
||
| 109 | user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper |
||
| 110 | user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper |
||
| 111 | |||
| 112 | % getent group |
||
| 113 | [...] |
||
| 114 | projet redmine 1:x:5001: |
||
| 115 | projet redmine 2:x:5002: |
||
| 116 | </pre> |
||
| 117 | |||
| 118 | h3. Authorize ssh pam to use mysql |
||
| 119 | |||
| 120 | 7. Add the line : |
||
| 121 | |||
| 122 | auth sufficient pam_mysql.so user=redmine_pam passwd=averylongpassword host=localhost db=redmine table=ssh_users usercolumn=username passwdcolumn=password crypt=4 |
||
| 123 | |||
| 124 | Juste before |
||
| 125 | |||
| 126 | @include common-auth |
||
| 127 | |||
| 128 | or |
||
| 129 | |||
| 130 | auth required pam_unix.so nullok_secure |
||
| 131 | |||
| 132 | 8. Test this against an existing Redmine user |
||
| 133 | |||
| 134 | Try to connect to the SVN host using your Redmine username and password: |
||
| 135 | |||
| 136 | ssh redmine_username@svn_host |
||
| 137 | |||
| 138 | h3. Automating repository creation |
||
| 139 | |||
| 140 | Repository creation can be automated by running periodically the reposman.pl script. |
||
| 141 | |||
| 142 | It takes 2 arguments : |
||
| 143 | |||
| 144 | * svn-dir : path to the directory where your svn repositories are located |
||
| 145 | * redmine-host : host name of your Redmine install |
||
| 146 | |||
| 147 | Example: |
||
| 148 | |||
| 149 | <pre> |
||
| 150 | $ sudo reposman --svn-dir=/var/svn --redmine-host=redmine.mydomain.foo |
||
| 151 | repository /var/svn/project2 created |
||
| 152 | repository /var/svn/project1 created |
||
| 153 | mode change on /var/svn/project3 |
||
| 154 | </pre> |
||
| 155 | |||
| 156 | Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine. |
||
| 157 | To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”. |
||
| 158 | |||
| 159 | fn2. You must use "./configure --with-openssl" in order to add SHA1 support to pam_mysql |
||
| 160 | |||
| 161 | fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling, ... |