Project

General

Profile

Repositories access control with apache mod dav svn and mod perl » History » Revision 17

Revision 16 (Jean-Philippe Lang, 2010-01-09 14:18) → Revision 17/47 (Joachim Fritschi, 2010-01-18 10:53)

h1. Repositories access control with apache, mod_dav_svn and mod_perl 

 {{>TOC}} 

 h2. Overview 

 In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module. 

 You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases). 

 On Debian/ubuntu you can do : 

   sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl 

 If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users. 

 h2. Enabling apache modules 

 On debian/ubuntu : 

 <pre> 
 sudo a2enmod dav 
 sudo a2enmod dav_svn 
 sudo a2enmod perl 
 </pre> 

 h2. Apache configuration for Subversion repositories 

 You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@ 
 Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@): 

 * the old how-to which suggested two separate locations for with first one @/svn@    and @/svn-private@ can will be avoided 
 * used by users to access repositories with the @Satisfy any@ keyword from Apache you can define different authentication policies 
 * read access from the redmine-server or any validated user 
 * write access only validated users 


 second @/svn-private@ provides a private read-only with IP limitation so that Redmine can browse repositories 

 <pre> 
    # /svn location for users 
    PerlLoadModule Apache::Redmine 
    <Location /svn> 
      DAV svn 
      SVNParentPath "/mnt/srv/svn" 
      Order deny,allow 
      Deny from all 
      Satisfy any "/var/svn" 

      PerlAccessHandler Apache::Authn::Redmine::access_handler 
      PerlAuthenHandler Apache::Authn::Redmine::authen_handler 
      AuthType Basic 
      AuthName "HRZ Development SVN Repository" 

      #read-only access 	
      <Limit GET PROPFIND OPTIONS REPORT> 
     	 Require valid-user 
         Allow from redmine.server.ip 
         # Allow from another-ip 
     	 Satisfy any redmine 
      </Limit> 
      # write access 
      <LimitExcept GET PROPFIND OPTIONS REPORT> 
   	 Require valid-user 

      PerlAccessHandler Apache::Authn::Redmine::access_handler 
      </LimitExcept> 


      PerlAuthenHandler Apache::Authn::Redmine::authen_handler 
  
      ## for mysql 
      RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" 
      ## for postgres 
      # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 
      ## for SQLite3 
      # RedmineDSN "DBI:SQLite:dbname=database.db" 

      RedmineDbUser "redmine" 
      RedmineDbPass "password" 
   </Location> 

 

   # /svn location for Redmine 
   <Location /svn-private> 
     DAV svn 
     SVNParentPath "/var/svn" 
     Order deny,allow 
     Deny from all 
     # only allow reading orders 
     <Limit GET PROPFIND OPTIONS REPORT> 
       Allow from redmine.server.ip 
     </Limit> 
   </Location> 
 </pre> 

 h3. Testing the configuration: 

 After reloading apache conf, you can try to browse some public repository with: 

 <pre> 
 svn ls http://my.svn.server/svn/myproject 
 </pre> 

 Any non-public repository should ask for a username and password. 

 To test the authentication that allows If you redmine server try to read all repositories: 

 Reading browse a repository of a private repository: 
 <pre> 
 svn ls http://my.svn.server/svn/myproject 
 </pre> 
 Try writing to the repository: 
 <pre> 
 svn mkdir http://my.svn.server/svn/myproject/testdir 
 </pre> 
 This should fail and ask project, you'll be asked for a your Redmine password. 


 h3. optional LDAP Authentication 

 If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module. 

 <pre> 
    PerlLoadModule Apache::Redmine 
    PerlLoadModule    Authen::Simple::LDAP 
    # PerlLoadModule    IO::Socket::SSL 
    <Location /svn> 
      DAV svn 
      SVNParentPath "/var/svn" 

      AuthType Basic 
      AuthName redmine 
      Require valid-user 

      PerlAccessHandler Apache::Authn::Redmine::access_handler 
      PerlAuthenHandler Apache::Authn::Redmine::authen_handler 
  
      ## for mysql 
      RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" 
      ## for postgres 
      # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 

      RedmineDbUser "redmine" 
      RedmineDbPass "password" 
      #Cache the last 50 auth entries 
      RedmineCacheCredsMax 50 
   </Location> 
 </pre> 


 h2. Apache configuration for Git repositories 

 Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion.  

 You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache :  

 <pre> 
 Alias /git /var/git 

 PerlLoadModule Apache::Redmine 
 <Location /git> 
   DAV on 

   AuthType Basic 
   Require valid-user 
   AuthName "Git" 

   PerlAccessHandler Apache::Authn::Redmine::access_handler 
   PerlAuthenHandler Apache::Authn::Redmine::authen_handler 

   RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
   RedmineDbUser "redmine" 
   RedmineDbPass "password" 
 </Location> 

 Alias /git-private /var/git 

 <Location /git-private> 
    Order deny,allow 
    Deny from all 
    <Limit GET PROPFIND OPTIONS REPORT> 
       Options Indexes FollowSymLinks MultiViews 
    Allow from 127.0.0.1 
    </Limit> 
 </Location> 
 </pre> 

 To verify that you can access repository through Redmine.pm, you can use curl : 
 <pre> 
 % curl --netrc --location http://localhost/git/ecookbook/HEAD    
 ref: refs/heads/master 
 </pre> 

 h2. Gotchas 

 If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result. 
 Example:  
 > ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}): 
 (if your repo are named rm-code)