Repositories access control with apache mod dav svn and mod perl » History » Version 17

« Previous - Version 17/47 (diff) - Next » - Current version
Joachim Fritschi, 2010-01-18 10:53


Repositories access control with apache, mod_dav_svn and mod_perl

Overview

In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.

You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).

On Debian/ubuntu you can do :

sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl

If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.

Enabling apache modules

On debian/ubuntu :

sudo a2enmod dav
sudo a2enmod dav_svn
sudo a2enmod perl

Apache configuration for Subversion repositories

You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm
Then add the following Location directives to your apache configuration (for example in /etc/APACHE_DIR/conf.d/):

  • the old how-to which suggested two separate locations for with /svn and /svn-private can be avoided
  • with the Satisfy any keyword from Apache you can define different authentication policies
  • read access from the redmine-server or any validated user
  • write access only validated users
   # /svn location for users
   PerlLoadModule Apache::Redmine
   <Location /svn>
     DAV svn
     SVNParentPath "/mnt/srv/svn" 
     Order deny,allow
     Deny from all
     Satisfy any

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
     AuthType Basic
     AuthName "HRZ Development SVN Repository" 

     #read-only access    
     <Limit GET PROPFIND OPTIONS REPORT>
         Require valid-user
        Allow from redmine.server.ip
        # Allow from another-ip
         Satisfy any
     </Limit>
     # write access
     <LimitExcept GET PROPFIND OPTIONS REPORT>
       Require valid-user
     </LimitExcept>

     ## for mysql
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" 
     ## for postgres
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 
     ## for SQLite3
     # RedmineDSN "DBI:SQLite:dbname=database.db" 

     RedmineDbUser "redmine" 
     RedmineDbPass "password" 
  </Location>

Testing the configuration:

After reloading apache conf, you can try to browse some repository with:

svn ls http://my.svn.server/svn/myproject

Any non-public repository should ask for a username and password.

To test the authentication that allows you redmine server to read all repositories:

Reading a private repository:

svn ls http://my.svn.server/svn/myproject

Try writing to the repository:
svn mkdir http://my.svn.server/svn/myproject/testdir

This should fail and ask for a password.

optional LDAP Authentication

If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.

   PerlLoadModule Apache::Redmine
   PerlLoadModule  Authen::Simple::LDAP
   # PerlLoadModule  IO::Socket::SSL
   <Location /svn>
     DAV svn
     SVNParentPath "/var/svn" 

     AuthType Basic
     AuthName redmine
     Require valid-user

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler

     ## for mysql
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" 
     ## for postgres
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 

     RedmineDbUser "redmine" 
     RedmineDbPass "password" 
     #Cache the last 50 auth entries
     RedmineCacheCredsMax 50
  </Location>

Apache configuration for Git repositories

Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion.

You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache :

Alias /git /var/git

PerlLoadModule Apache::Redmine
<Location /git>
  DAV on

  AuthType Basic
  Require valid-user
  AuthName "Git" 

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler

  RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
  RedmineDbUser "redmine" 
  RedmineDbPass "password" 
</Location>

Alias /git-private /var/git

<Location /git-private>
   Order deny,allow
   Deny from all
   <Limit GET PROPFIND OPTIONS REPORT>
      Options Indexes FollowSymLinks MultiViews
   Allow from 127.0.0.1
   </Limit>
</Location>

To verify that you can access repository through Redmine.pm, you can use curl :

% curl --netrc --location http://localhost/git/ecookbook/HEAD   
ref: refs/heads/master

Gotchas

If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
Example:

ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):

(if your repo are named rm-code)