Repositories access control with apache mod dav svn and mod perl » History » Version 42

Terence Mill, 2012-08-06 13:18

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4 2 Nicolas Chuche
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9 1 Nicolas Chuche
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 37 Mischa The Evil
  sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl libauthen-simple-ldap-perl
14 1 Nicolas Chuche
15 41 Zack s
On Turnkey Redmine Virtual Appliance you can do :
16 40 Zack s
17 40 Zack s
  apt-get install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libauthen-simple-ldap-perl
18 40 Zack s
19 37 Mischa The Evil
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
20 1 Nicolas Chuche
21 1 Nicolas Chuche
h2. Enabling apache modules
22 1 Nicolas Chuche
23 1 Nicolas Chuche
On debian/ubuntu :
24 1 Nicolas Chuche
25 1 Nicolas Chuche
<pre>
26 15 Jean-Philippe Lang
sudo a2enmod dav
27 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
28 21 Marko Roeder
sudo a2enmod dav_fs  # if you want to use git
29 15 Jean-Philippe Lang
sudo a2enmod perl
30 4 Jean-Philippe Lang
</pre>
31 1 Nicolas Chuche
32 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
33 1 Nicolas Chuche
34 1 Nicolas Chuche
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
35 37 Mischa The Evil
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
36 37 Mischa The Evil
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
37 37 Mischa The Evil
38 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
39 1 Nicolas Chuche
40 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
41 17 Joachim Fritschi
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
42 17 Joachim Fritschi
* read access from the redmine-server or any validated user
43 17 Joachim Fritschi
* write access only validated users
44 15 Jean-Philippe Lang
45 17 Joachim Fritschi
46 15 Jean-Philippe Lang
<pre>
47 1 Nicolas Chuche
   # /svn location for users
48 1 Nicolas Chuche
   PerlLoadModule Apache::Redmine
49 1 Nicolas Chuche
   <Location /svn>
50 1 Nicolas Chuche
     DAV svn
51 19 Joachim Fritschi
     SVNParentPath "/var/svn"
52 17 Joachim Fritschi
     Order deny,allow
53 17 Joachim Fritschi
     Deny from all
54 17 Joachim Fritschi
     Satisfy any
55 42 Terence Mill
     # If a client tries to svn update which involves updating many files, the update request might result in
56 42 Terence Mill
     # an error Server sent unexpected return value (413 Request  Entity Too Large) in response to REPORT request,
57 42 Terence Mill
     # because the size of the update request exceeds the limit allowed by the server. You can avoid this error by
58 42 Terence Mill
     # disabling the request size limit by adding the line LimitXMLRequestBody 0 between the <Location...> and </Location> lines. 
59 42 Terence Mill
     LimitXMLRequestBody 0
60 42 Terence Mill
     
61 42 Terence Mill
     # Only check Authentification for root path, nor again for recursive folder
62 42 Terence Mill
     # Redmine core does only permit acces on repository level, so this doesn't hurt security. On the other hand it does boost performance a lot!
63 42 Terence Mill
     SVNPathAuthz off
64 1 Nicolas Chuche
65 1 Nicolas Chuche
     PerlAccessHandler Apache::Authn::Redmine::access_handler
66 1 Nicolas Chuche
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
67 17 Joachim Fritschi
     AuthType Basic
68 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
69 17 Joachim Fritschi
70 17 Joachim Fritschi
     #read-only access	
71 17 Joachim Fritschi
     <Limit GET PROPFIND OPTIONS REPORT>
72 19 Joachim Fritschi
        Require valid-user
73 17 Joachim Fritschi
        Allow from redmine.server.ip
74 17 Joachim Fritschi
        # Allow from another-ip
75 17 Joachim Fritschi
     	Satisfy any
76 17 Joachim Fritschi
     </Limit>
77 17 Joachim Fritschi
     # write access
78 17 Joachim Fritschi
     <LimitExcept GET PROPFIND OPTIONS REPORT>
79 17 Joachim Fritschi
   	Require valid-user
80 17 Joachim Fritschi
     </LimitExcept>
81 17 Joachim Fritschi
82 17 Joachim Fritschi
83 1 Nicolas Chuche
     ## for mysql
84 1 Nicolas Chuche
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
85 4 Jean-Philippe Lang
     ## for postgres
86 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
87 4 Jean-Philippe Lang
     ## for SQLite3
88 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
89 1 Nicolas Chuche
90 1 Nicolas Chuche
     RedmineDbUser "redmine"
91 1 Nicolas Chuche
     RedmineDbPass "password"
92 1 Nicolas Chuche
  </Location>
93 1 Nicolas Chuche
94 1 Nicolas Chuche
</pre>
95 1 Nicolas Chuche
96 17 Joachim Fritschi
h3. Testing the configuration:
97 1 Nicolas Chuche
98 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
99 17 Joachim Fritschi
100 1 Nicolas Chuche
<pre>
101 1 Nicolas Chuche
svn ls http://my.svn.server/svn/myproject
102 4 Jean-Philippe Lang
</pre>
103 1 Nicolas Chuche
104 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
105 4 Jean-Philippe Lang
106 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
107 1 Nicolas Chuche
108 17 Joachim Fritschi
Reading a private repository:
109 3 Jean-Philippe Lang
<pre>
110 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
111 17 Joachim Fritschi
</pre>
112 17 Joachim Fritschi
Try writing to the repository:
113 17 Joachim Fritschi
<pre>
114 17 Joachim Fritschi
svn mkdir http://my.svn.server/svn/myproject/testdir
115 17 Joachim Fritschi
</pre>
116 17 Joachim Fritschi
This should fail and ask for a password.
117 17 Joachim Fritschi
118 17 Joachim Fritschi
119 17 Joachim Fritschi
h3. optional LDAP Authentication
120 17 Joachim Fritschi
121 17 Joachim Fritschi
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
122 17 Joachim Fritschi
123 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
124 20 Stefan Stefansson
> 
125 1 Nicolas Chuche
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
126 1 Nicolas Chuche
> 
127 37 Mischa The Evil
128 37 Mischa The Evil
To install the Authen::Simple::LDAP using CPAN use commands:
129 37 Mischa The Evil
<pre>
130 37 Mischa The Evil
cpan
131 37 Mischa The Evil
cpan> install Authen::Simple::LDAP
132 37 Mischa The Evil
</pre>
133 37 Mischa The Evil
if the installation failed due to some dependencies, resolve the dependencies first.
134 37 Mischa The Evil
135 20 Stefan Stefansson
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
136 20 Stefan Stefansson
137 17 Joachim Fritschi
<pre>
138 8 Nicolas Chuche
   PerlLoadModule Apache::Redmine
139 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
140 17 Joachim Fritschi
   # PerlLoadModule  IO::Socket::SSL
141 12 Todd Nine
   <Location /svn>
142 12 Todd Nine
     DAV svn
143 42 Terence Mill
     # If a client tries to svn update which involves updating many files, the update request might result in
144 42 Terence Mill
     # an error Server sent unexpected return value (413 Request  Entity Too Large) in response to REPORT request,
145 42 Terence Mill
     # because the size of the update request exceeds the limit allowed by the server. You can avoid this error by
146 42 Terence Mill
     # disabling the request size limit by adding the line LimitXMLRequestBody 0 between the <Location...> and </Location> lines. 
147 42 Terence Mill
     LimitXMLRequestBody 0
148 42 Terence Mill
     
149 42 Terence Mill
     # Only check Authentification for root path, nor again for recursive folder
150 42 Terence Mill
     # Redmine core does only permit acces on repository level, so this doesn't hurt security. On the other hand it does boost performance a lot!
151 42 Terence Mill
     SVNPathAuthz off
152 42 Terence Mill
153 12 Todd Nine
     SVNParentPath "/var/svn"
154 12 Todd Nine
155 12 Todd Nine
     AuthType Basic
156 12 Todd Nine
     AuthName redmine
157 12 Todd Nine
     Require valid-user
158 12 Todd Nine
159 12 Todd Nine
     PerlAccessHandler Apache::Authn::Redmine::access_handler
160 12 Todd Nine
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
161 12 Todd Nine
  
162 12 Todd Nine
     ## for mysql
163 12 Todd Nine
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
164 12 Todd Nine
     ## for postgres
165 12 Todd Nine
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
166 12 Todd Nine
167 1 Nicolas Chuche
     RedmineDbUser "redmine"
168 12 Todd Nine
     RedmineDbPass "password"
169 12 Todd Nine
     #Cache the last 50 auth entries
170 12 Todd Nine
     RedmineCacheCredsMax 50
171 15 Jean-Philippe Lang
  </Location>
172 12 Todd Nine
</pre>
173 36 neil johnson
174 1 Nicolas Chuche
h2. Apache configuration for Git repositories
175 38 Lluís Vilanova
176 38 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]]
177 15 Jean-Philippe Lang
178 1 Nicolas Chuche
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
179 1 Nicolas Chuche
180 1 Nicolas Chuche
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
181 1 Nicolas Chuche
182 1 Nicolas Chuche
<pre>
183 1 Nicolas Chuche
184 37 Mischa The Evil
PerlLoadModule Apache::Authn::Redmine
185 1 Nicolas Chuche
186 37 Mischa The Evil
SetEnv GIT_PROJECT_ROOT /path/to/git/repos
187 37 Mischa The Evil
SetEnv GIT_HTTP_EXPORT_ALL
188 37 Mischa The Evil
189 37 Mischa The Evil
ScriptAlias /git/ /usr/bin/git-http-backend/
190 37 Mischa The Evil
191 37 Mischa The Evil
<Location /git>
192 8 Nicolas Chuche
  AuthType Basic
193 8 Nicolas Chuche
  Require valid-user
194 1 Nicolas Chuche
  AuthName "Git"
195 8 Nicolas Chuche
196 8 Nicolas Chuche
  PerlAccessHandler Apache::Authn::Redmine::access_handler
197 8 Nicolas Chuche
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
198 1 Nicolas Chuche
199 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
200 8 Nicolas Chuche
  RedmineDbUser "redmine"
201 8 Nicolas Chuche
  RedmineDbPass "password"
202 37 Mischa The Evil
  RedmineGitSmartHttp yes
203 8 Nicolas Chuche
</Location>
204 8 Nicolas Chuche
205 8 Nicolas Chuche
Alias /git-private /var/git
206 8 Nicolas Chuche
207 8 Nicolas Chuche
<Location /git-private>
208 8 Nicolas Chuche
   Order deny,allow
209 8 Nicolas Chuche
   Deny from all
210 8 Nicolas Chuche
   <Limit GET PROPFIND OPTIONS REPORT>
211 8 Nicolas Chuche
      Options Indexes FollowSymLinks MultiViews
212 8 Nicolas Chuche
   Allow from 127.0.0.1
213 8 Nicolas Chuche
   </Limit>
214 8 Nicolas Chuche
</Location>
215 8 Nicolas Chuche
</pre>
216 8 Nicolas Chuche
217 8 Nicolas Chuche
To verify that you can access repository through Redmine.pm, you can use curl :
218 8 Nicolas Chuche
<pre>
219 8 Nicolas Chuche
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
220 13 Thomas Pihl
ref: refs/heads/master
221 13 Thomas Pihl
</pre>
222 13 Thomas Pihl
223 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
224 22 Diego Oliveira
225 39 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]]
226 39 Lluís Vilanova
227 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
228 22 Diego Oliveira
229 22 Diego Oliveira
<pre>
230 22 Diego Oliveira
[paths]
231 22 Diego Oliveira
/=/path/to/root/repository/**
232 22 Diego Oliveira
233 22 Diego Oliveira
[web]
234 22 Diego Oliveira
allow_push = *
235 22 Diego Oliveira
allowbz2 = yes
236 22 Diego Oliveira
allowgz = yes
237 22 Diego Oliveira
allowzip = yes
238 22 Diego Oliveira
239 22 Diego Oliveira
</pre>
240 22 Diego Oliveira
241 22 Diego Oliveira
Follows the instructions to install Redmine.pm as described and configure your apache like this.
242 22 Diego Oliveira
243 22 Diego Oliveira
<pre>
244 22 Diego Oliveira
    RewriteEngine on
245 22 Diego Oliveira
    PerlLoadModule Apache2::Redmine
246 22 Diego Oliveira
    PerlLoadModule Authen::Simple::LDAP
247 22 Diego Oliveira
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
248 22 Diego Oliveira
    <Location /hg>
249 22 Diego Oliveira
        AuthType Basic
250 22 Diego Oliveira
        AuthName "Mercurial"
251 22 Diego Oliveira
        Require valid-user
252 1 Nicolas Chuche
253 1 Nicolas Chuche
        #Redmine auth
254 1 Nicolas Chuche
        PerlAccessHandler Apache::Authn::Redmine::access_handler
255 1 Nicolas Chuche
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
256 1 Nicolas Chuche
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
257 1 Nicolas Chuche
        RedmineDbUser "DB_USER"
258 1 Nicolas Chuche
        RedmineDbPass "DB_PASSWD"
259 1 Nicolas Chuche
    </Location>
260 37 Mischa The Evil
261 37 Mischa The Evil
    # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur.
262 37 Mischa The Evil
    Alias /private-hg /path/to/hg/repos
263 37 Mischa The Evil
    
264 37 Mischa The Evil
    <Location /private-hg>
265 37 Mischa The Evil
        Order deny, allow
266 37 Mischa The Evil
        Deny from all
267 37 Mischa The Evil
        <Limit GET PROPFIND OPTIONS REPORT>
268 37 Mischa The Evil
            Options Indexes FollowSymLinks MultiViews
269 37 Mischa The Evil
            Allow from 127.0.0.1
270 37 Mischa The Evil
        </Limit>
271 37 Mischa The Evil
    </Location>
272 37 Mischa The Evil
273 22 Diego Oliveira
274 1 Nicolas Chuche
</pre>
275 22 Diego Oliveira
276 22 Diego Oliveira
h2. Gotchas
277 13 Thomas Pihl
278 13 Thomas Pihl
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
279 13 Thomas Pihl
Example: 
280 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
281 1 Nicolas Chuche
(if your repo are named rm-code)
282 27 Bill Dieter
283 37 Mischa The Evil
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.