Repositories access control with apache mod dav svn and mod perl » History » Version 30

Steven Lu, 2011-08-20 18:27
Location of Redmine.pm was a little ambiguous.

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4 2 Nicolas Chuche
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9 1 Nicolas Chuche
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 27 Bill Dieter
  sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl libauthen-simple-ldap-perl
14 1 Nicolas Chuche
15 27 Bill Dieter
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
16 1 Nicolas Chuche
17 1 Nicolas Chuche
h2. Enabling apache modules
18 1 Nicolas Chuche
19 1 Nicolas Chuche
On debian/ubuntu :
20 1 Nicolas Chuche
21 1 Nicolas Chuche
<pre>
22 15 Jean-Philippe Lang
sudo a2enmod dav
23 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
24 21 Marko Roeder
sudo a2enmod dav_fs  # if you want to use git
25 15 Jean-Philippe Lang
sudo a2enmod perl
26 4 Jean-Philippe Lang
</pre>
27 1 Nicolas Chuche
28 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
29 1 Nicolas Chuche
30 15 Jean-Philippe Lang
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
31 30 Steven Lu
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
32 30 Steven Lu
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
33 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
34 1 Nicolas Chuche
35 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
36 17 Joachim Fritschi
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
37 17 Joachim Fritschi
* read access from the redmine-server or any validated user
38 17 Joachim Fritschi
* write access only validated users
39 15 Jean-Philippe Lang
40 17 Joachim Fritschi
41 15 Jean-Philippe Lang
<pre>
42 1 Nicolas Chuche
   # /svn location for users
43 1 Nicolas Chuche
   PerlLoadModule Apache::Redmine
44 1 Nicolas Chuche
   <Location /svn>
45 1 Nicolas Chuche
     DAV svn
46 19 Joachim Fritschi
     SVNParentPath "/var/svn"
47 17 Joachim Fritschi
     Order deny,allow
48 17 Joachim Fritschi
     Deny from all
49 17 Joachim Fritschi
     Satisfy any
50 1 Nicolas Chuche
51 1 Nicolas Chuche
     PerlAccessHandler Apache::Authn::Redmine::access_handler
52 1 Nicolas Chuche
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
53 17 Joachim Fritschi
     AuthType Basic
54 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
55 17 Joachim Fritschi
56 17 Joachim Fritschi
     #read-only access	
57 17 Joachim Fritschi
     <Limit GET PROPFIND OPTIONS REPORT>
58 19 Joachim Fritschi
        Require valid-user
59 17 Joachim Fritschi
        Allow from redmine.server.ip
60 17 Joachim Fritschi
        # Allow from another-ip
61 17 Joachim Fritschi
     	Satisfy any
62 17 Joachim Fritschi
     </Limit>
63 17 Joachim Fritschi
     # write access
64 17 Joachim Fritschi
     <LimitExcept GET PROPFIND OPTIONS REPORT>
65 17 Joachim Fritschi
   	Require valid-user
66 17 Joachim Fritschi
     </LimitExcept>
67 17 Joachim Fritschi
68 17 Joachim Fritschi
69 1 Nicolas Chuche
     ## for mysql
70 1 Nicolas Chuche
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
71 4 Jean-Philippe Lang
     ## for postgres
72 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
73 4 Jean-Philippe Lang
     ## for SQLite3
74 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
75 1 Nicolas Chuche
76 1 Nicolas Chuche
     RedmineDbUser "redmine"
77 1 Nicolas Chuche
     RedmineDbPass "password"
78 1 Nicolas Chuche
  </Location>
79 1 Nicolas Chuche
80 1 Nicolas Chuche
</pre>
81 1 Nicolas Chuche
82 17 Joachim Fritschi
h3. Testing the configuration:
83 1 Nicolas Chuche
84 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
85 17 Joachim Fritschi
86 1 Nicolas Chuche
<pre>
87 1 Nicolas Chuche
svn ls http://my.svn.server/svn/myproject
88 4 Jean-Philippe Lang
</pre>
89 1 Nicolas Chuche
90 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
91 4 Jean-Philippe Lang
92 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
93 1 Nicolas Chuche
94 17 Joachim Fritschi
Reading a private repository:
95 3 Jean-Philippe Lang
<pre>
96 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
97 17 Joachim Fritschi
</pre>
98 17 Joachim Fritschi
Try writing to the repository:
99 17 Joachim Fritschi
<pre>
100 17 Joachim Fritschi
svn mkdir http://my.svn.server/svn/myproject/testdir
101 17 Joachim Fritschi
</pre>
102 17 Joachim Fritschi
This should fail and ask for a password.
103 17 Joachim Fritschi
104 17 Joachim Fritschi
105 17 Joachim Fritschi
h3. optional LDAP Authentication
106 17 Joachim Fritschi
107 17 Joachim Fritschi
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
108 17 Joachim Fritschi
109 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
110 20 Stefan Stefansson
> 
111 20 Stefan Stefansson
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
112 20 Stefan Stefansson
> 
113 28 Rahul Panwar
114 28 Rahul Panwar
To install the Authen::Simple::LDAP using CPAN use commands:
115 28 Rahul Panwar
<pre>
116 28 Rahul Panwar
cpan
117 28 Rahul Panwar
cpan> install Authen::Simple::LDAP
118 28 Rahul Panwar
</pre>
119 28 Rahul Panwar
if the installation failed due to some dependencies, resolve the dependencies first.
120 28 Rahul Panwar
121 20 Stefan Stefansson
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
122 20 Stefan Stefansson
123 17 Joachim Fritschi
<pre>
124 8 Nicolas Chuche
   PerlLoadModule Apache::Redmine
125 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
126 17 Joachim Fritschi
   # PerlLoadModule  IO::Socket::SSL
127 12 Todd Nine
   <Location /svn>
128 12 Todd Nine
     DAV svn
129 12 Todd Nine
     SVNParentPath "/var/svn"
130 12 Todd Nine
131 12 Todd Nine
     AuthType Basic
132 12 Todd Nine
     AuthName redmine
133 12 Todd Nine
     Require valid-user
134 12 Todd Nine
135 12 Todd Nine
     PerlAccessHandler Apache::Authn::Redmine::access_handler
136 12 Todd Nine
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
137 12 Todd Nine
  
138 12 Todd Nine
     ## for mysql
139 12 Todd Nine
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
140 12 Todd Nine
     ## for postgres
141 12 Todd Nine
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
142 12 Todd Nine
143 12 Todd Nine
     RedmineDbUser "redmine"
144 12 Todd Nine
     RedmineDbPass "password"
145 12 Todd Nine
     #Cache the last 50 auth entries
146 12 Todd Nine
     RedmineCacheCredsMax 50
147 12 Todd Nine
  </Location>
148 12 Todd Nine
</pre>
149 15 Jean-Philippe Lang
150 12 Todd Nine
151 15 Jean-Philippe Lang
h2. Apache configuration for Git repositories
152 15 Jean-Philippe Lang
153 15 Jean-Philippe Lang
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
154 8 Nicolas Chuche
155 8 Nicolas Chuche
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
156 8 Nicolas Chuche
157 8 Nicolas Chuche
<pre>
158 9 Nicolas Chuche
Alias /git /var/git
159 8 Nicolas Chuche
160 8 Nicolas Chuche
PerlLoadModule Apache::Redmine
161 8 Nicolas Chuche
<Location /git>
162 8 Nicolas Chuche
  DAV on
163 8 Nicolas Chuche
164 8 Nicolas Chuche
  AuthType Basic
165 8 Nicolas Chuche
  Require valid-user
166 8 Nicolas Chuche
  AuthName "Git"
167 8 Nicolas Chuche
168 8 Nicolas Chuche
  PerlAccessHandler Apache::Authn::Redmine::access_handler
169 8 Nicolas Chuche
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
170 8 Nicolas Chuche
171 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
172 8 Nicolas Chuche
  RedmineDbUser "redmine"
173 8 Nicolas Chuche
  RedmineDbPass "password"
174 8 Nicolas Chuche
</Location>
175 8 Nicolas Chuche
176 8 Nicolas Chuche
Alias /git-private /var/git
177 8 Nicolas Chuche
178 8 Nicolas Chuche
<Location /git-private>
179 8 Nicolas Chuche
   Order deny,allow
180 8 Nicolas Chuche
   Deny from all
181 8 Nicolas Chuche
   <Limit GET PROPFIND OPTIONS REPORT>
182 8 Nicolas Chuche
      Options Indexes FollowSymLinks MultiViews
183 8 Nicolas Chuche
   Allow from 127.0.0.1
184 8 Nicolas Chuche
   </Limit>
185 8 Nicolas Chuche
</Location>
186 8 Nicolas Chuche
</pre>
187 8 Nicolas Chuche
188 8 Nicolas Chuche
To verify that you can access repository through Redmine.pm, you can use curl :
189 8 Nicolas Chuche
<pre>
190 8 Nicolas Chuche
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
191 13 Thomas Pihl
ref: refs/heads/master
192 13 Thomas Pihl
</pre>
193 13 Thomas Pihl
194 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
195 22 Diego Oliveira
196 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
197 22 Diego Oliveira
198 22 Diego Oliveira
<pre>
199 22 Diego Oliveira
[paths]
200 22 Diego Oliveira
/=/path/to/root/repository/**
201 22 Diego Oliveira
202 22 Diego Oliveira
[web]
203 22 Diego Oliveira
allow_push = *
204 22 Diego Oliveira
allowbz2 = yes
205 22 Diego Oliveira
allowgz = yes
206 22 Diego Oliveira
allowzip = yes
207 22 Diego Oliveira
208 22 Diego Oliveira
</pre>
209 22 Diego Oliveira
210 22 Diego Oliveira
Follows the instructions to install Redmine.pm as described and configure your apache like this.
211 22 Diego Oliveira
212 22 Diego Oliveira
<pre>
213 22 Diego Oliveira
    RewriteEngine on
214 22 Diego Oliveira
    PerlLoadModule Apache2::Redmine
215 22 Diego Oliveira
    PerlLoadModule Authen::Simple::LDAP
216 22 Diego Oliveira
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
217 22 Diego Oliveira
    <Location /hg>
218 22 Diego Oliveira
        AuthType Basic
219 22 Diego Oliveira
        AuthName "Mercurial"
220 22 Diego Oliveira
        Require valid-user
221 22 Diego Oliveira
222 22 Diego Oliveira
        #Redmine auth
223 22 Diego Oliveira
        PerlAccessHandler Apache::Authn::Redmine::access_handler
224 22 Diego Oliveira
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
225 22 Diego Oliveira
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
226 22 Diego Oliveira
        RedmineDbUser "DB_USER"
227 22 Diego Oliveira
        RedmineDbPass "DB_PASSWD"
228 22 Diego Oliveira
    </Location>
229 22 Diego Oliveira
</pre>
230 22 Diego Oliveira
231 22 Diego Oliveira
232 13 Thomas Pihl
h2. Gotchas
233 13 Thomas Pihl
234 13 Thomas Pihl
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
235 13 Thomas Pihl
Example: 
236 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
237 1 Nicolas Chuche
(if your repo are named rm-code)
238 27 Bill Dieter
239 27 Bill Dieter
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.