Version 14 - History - Repositories access control with apache mod dav svn and mod perl - Redmine

Repositories access control with apache mod dav svn and mod perl » History » Version 14

TaeKyeong Wang, 2009-10-09 04:44
for sqlite3

-Nicolas Chuche
+h1. Repositories access control with apache mod dav svn and mod perl
 Nicolas Chuche
-Nicolas Chuche
+{{>TOC}}
-Jean-Philippe Lang
+h2. Overview
 Nicolas Chuche
-Jean-Philippe Lang
+In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.
 Nicolas Chuche
-Jean-Philippe Lang
+You need Redmine r860 or later. If your Redmine is older than r916, download "Redmine.pm":http://redmine.rubyforge.org/svn/trunk/extra/svn/Redmine.pm
 Nicolas Chuche
-Jean-Philippe Lang
+You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
 Nicolas Chuche
-Shaun Mangelsdorf
+If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.
-Nicolas Chuche
+On Debian/ubuntu you must do :
-Thomas Lecavelier
+  aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl
 Nicolas Chuche
-Jean-Philippe Lang
+h2. Enabling apache modules
 Nicolas Chuche
 On debian/ubuntu :
 <pre>
 a2enmod dav
 a2enmod dav_svn
 a2enmod perl
 </pre>
-Nicolas Chuche
+h2. Apache configuration for subversion repositories and redmine 0.7.X and before
 Nicolas Chuche
-Jean-Philippe Lang
+You need to copy "Redmine.pm" on your SVN server and add something like that to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@)
 Nicolas Chuche
 You must change the Redmine.pm path and database informations to fit your needs.
-TaeKyeong Wang
+for sqlite, patch 234 line in Redmine.pm
-Nicolas Chuche
+<pre>
-TaeKyeong Wang
+- "SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
 + "SELECT * FROM projects WHERE projects.identifier=? and projects.is_public='t';"
 </pre>
 <pre>
-Nicolas Chuche
+   PerlRequire /usr/local/apache/Redmine.pm
    <Location /svn>
      DAV svn
      SVNParentPath "/var/svn"
      AuthType Basic
      AuthName redmine
      Require valid-user
      PerlAccessHandler Apache::Authn::Redmine::access_handler
      PerlAuthenHandler Apache::Authn::Redmine::authen_handler
      ## for mysql
      PerlSetVar dsn DBI:mysql:database=databasename;host=my.db.server
      ## for postgres
      # PerlSetVar dsn DBI:Pg:dbname=databasename;host=my.db.server
      PerlSetVar db_user redmine
      PerlSetVar db_pass password
   </Location>
-Jean-Philippe Lang
+  # a private location in read only mode to allow Redmine browsing
   <Location /svn-private>
     DAV svn
     SVNParentPath "/var/svn"
     Order deny,allow
     Deny from all
     # only allow reading orders
     <Limit GET PROPFIND OPTIONS REPORT>
       Allow from redmine.server.ip
     </Limit>
   </Location>
-Nicolas Chuche
+</pre>
-Jean-Philippe Lang
+It will add add two Location directives, one @/svn@ with authentication and access control against the Redmine database for users and one @/svn-private@ in read-only with IP limitation for Redmine browsing.
 Nicolas Chuche
-Jean-Philippe Lang
+And that's done. You can try to browse some public repository with:
-Nicolas Chuche
+<pre>
 svn ls http://my.svn.server/svn/myproject
 </pre>
 If you try to browse some non public repository, it will ask you a password.
 Nicolas Chuche
 h2. Apache configuration for subversion repositories and redmine after 0.7.X
 There's some difference in Redmine.pm so configuration is different. Everything else in the previous part works.
-Nicolas Chuche
+You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache :
-Nicolas Chuche
+<pre>
-Nicolas Chuche
+   PerlLoadModule Apache::Redmine
-Nicolas Chuche
+   <Location /svn>
      DAV svn
      SVNParentPath "/var/svn"
      AuthType Basic
      AuthName redmine
      Require valid-user
      PerlAccessHandler Apache::Authn::Redmine::access_handler
      PerlAuthenHandler Apache::Authn::Redmine::authen_handler
      ## for mysql
      RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
      ## for postgres
      # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
-TaeKyeong Wang
+     ## for SQLite3
      # RedmineDSN "DBI:SQLite:dbname=database.db"
 Nicolas Chuche
      RedmineDbUser "redmine"
      RedmineDbPass "password"
   </Location>
 </pre>
-Todd Nine
+If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module.  I found that connecting to my LDAP server to authenticate with every request can be quite slow.  I added the following to my configuration and had a significant performance increase.
 <pre>
    PerlLoadModule Apache::Redmine
    <Location /svn>
      DAV svn
      SVNParentPath "/var/svn"
      AuthType Basic
      AuthName redmine
      Require valid-user
      PerlAccessHandler Apache::Authn::Redmine::access_handler
      PerlAuthenHandler Apache::Authn::Redmine::authen_handler
      ## for mysql
      RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
      ## for postgres
      # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
      RedmineDbUser "redmine"
      RedmineDbPass "password"
      #Cache the last 50 auth entries
      RedmineCacheCredsMax 50
   </Location>
 </pre>
-Nicolas Chuche
+h2. Apache configuration for after redmine 0.7.X and git access
-Nicolas Chuche
+Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache :
 Nicolas Chuche
 <pre>
 Alias /git /var/git
-Nicolas Chuche
+PerlLoadModule Apache::Redmine
-Nicolas Chuche
+<Location /git>
   DAV on
   AuthType Basic
   Require valid-user
   AuthName "Git"
   PerlAccessHandler Apache::Authn::Redmine::access_handler
   PerlAuthenHandler Apache::Authn::Redmine::authen_handler
   RedmineDSN "DBI:mysql:database=redmine;host=localhost"
   RedmineDbUser "redmine"
   RedmineDbPass "password"
 </Location>
 Alias /git-private /var/git
 <Location /git-private>
    Order deny,allow
    Deny from all
    <Limit GET PROPFIND OPTIONS REPORT>
       Options Indexes FollowSymLinks MultiViews
    Allow from 127.0.0.1
    </Limit>
 </Location>
 </pre>
 To verify that you can access repository through Redmine.pm, you can use curl :
 <pre>
 % curl --netrc --location http://localhost/git/ecookbook/HEAD
 ref: refs/heads/master
 </pre>
 Thomas Pihl
 h2. Gotchas
 If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
 Example:
 > ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
 (if your repo are named rm-code)

Project

General

Profile

Redmine

Repositories access control with apache mod dav svn and mod perl » History » Version 14