Repositories access control with apache mod dav svn and mod perl » History » Version 45

Friedrich Schiller, 2014-08-05 11:41

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4 2 Nicolas Chuche
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9 1 Nicolas Chuche
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 43 James Ang
<pre>sudo aptitude install libapache2-svn libapache-dbi-perl \
14 43 James Ang
libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl \
15 43 James Ang
libauthen-simple-ldap-perl</pre>
16 41 Zack s
17 1 Nicolas Chuche
On Turnkey Redmine Virtual Appliance you can do :
18 1 Nicolas Chuche
19 43 James Ang
<pre>apt-get install libapache2-svn libapache-dbi-perl \
20 43 James Ang
libapache2-mod-perl2 libauthen-simple-ldap-perl</pre>
21 40 Zack s
22 37 Mischa The Evil
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
23 1 Nicolas Chuche
24 1 Nicolas Chuche
h2. Enabling apache modules
25 1 Nicolas Chuche
26 1 Nicolas Chuche
On debian/ubuntu :
27 1 Nicolas Chuche
28 1 Nicolas Chuche
<pre>
29 15 Jean-Philippe Lang
sudo a2enmod dav
30 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
31 21 Marko Roeder
sudo a2enmod dav_fs  # if you want to use git
32 15 Jean-Philippe Lang
sudo a2enmod perl
33 4 Jean-Philippe Lang
</pre>
34 1 Nicolas Chuche
35 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
36 1 Nicolas Chuche
37 1 Nicolas Chuche
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
38 37 Mischa The Evil
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
39 37 Mischa The Evil
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
40 37 Mischa The Evil
41 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
42 1 Nicolas Chuche
43 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
44 17 Joachim Fritschi
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
45 17 Joachim Fritschi
* read access from the redmine-server or any validated user
46 17 Joachim Fritschi
* write access only validated users
47 15 Jean-Philippe Lang
48 17 Joachim Fritschi
49 15 Jean-Philippe Lang
<pre>
50 1 Nicolas Chuche
   # /svn location for users
51 1 Nicolas Chuche
   PerlLoadModule Apache::Redmine
52 1 Nicolas Chuche
   <Location /svn>
53 1 Nicolas Chuche
     DAV svn
54 45 Friedrich Schiller
55 45 Friedrich Schiller
     ### uncomment the following line when using subversion 1.8 or newer (see http://subversion.apache.org/docs/release-notes/1.8.html#serf-skelta-default)
56 45 Friedrich Schiller
     # SVNAllowBulkUpdates Prefer
57 45 Friedrich Schiller
58 1 Nicolas Chuche
     SVNParentPath "/var/svn"
59 1 Nicolas Chuche
     Order deny,allow
60 1 Nicolas Chuche
     Deny from all
61 1 Nicolas Chuche
     Satisfy any
62 43 James Ang
     # If a client tries to svn update which involves updating many files,
63 43 James Ang
     # the update request might result in an error Server sent unexpected
64 43 James Ang
     # return value (413 Request  Entity Too Large) in response to REPORT
65 43 James Ang
     # request,because the size of the update request exceeds the limit
66 43 James Ang
     # allowed by the server. You can avoid this error by disabling the
67 43 James Ang
     # request size limit by adding the line LimitXMLRequestBody 0
68 43 James Ang
     # between the <Location...> and </Location> lines. 
69 42 Terence Mill
     LimitXMLRequestBody 0
70 42 Terence Mill
     
71 43 James Ang
     # Only check Authentication for root path, nor again for recursive
72 43 James Ang
     # folder.
73 43 James Ang
     # Redmine core does only permit access on repository level, so this
74 43 James Ang
     # doesn't hurt security. On the other hand it does boost performance
75 43 James Ang
     # a lot!
76 42 Terence Mill
     SVNPathAuthz off
77 1 Nicolas Chuche
78 1 Nicolas Chuche
     PerlAccessHandler Apache::Authn::Redmine::access_handler
79 1 Nicolas Chuche
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
80 17 Joachim Fritschi
     AuthType Basic
81 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
82 44 F Abu-Nimeh
     AuthUserFile /dev/null
83 17 Joachim Fritschi
84 17 Joachim Fritschi
     #read-only access	
85 17 Joachim Fritschi
     <Limit GET PROPFIND OPTIONS REPORT>
86 19 Joachim Fritschi
        Require valid-user
87 17 Joachim Fritschi
        Allow from redmine.server.ip
88 17 Joachim Fritschi
        # Allow from another-ip
89 17 Joachim Fritschi
     	Satisfy any
90 17 Joachim Fritschi
     </Limit>
91 17 Joachim Fritschi
     # write access
92 17 Joachim Fritschi
     <LimitExcept GET PROPFIND OPTIONS REPORT>
93 17 Joachim Fritschi
   	Require valid-user
94 17 Joachim Fritschi
     </LimitExcept>
95 17 Joachim Fritschi
96 17 Joachim Fritschi
97 1 Nicolas Chuche
     ## for mysql
98 1 Nicolas Chuche
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
99 4 Jean-Philippe Lang
     ## for postgres
100 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
101 4 Jean-Philippe Lang
     ## for SQLite3
102 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
103 1 Nicolas Chuche
104 1 Nicolas Chuche
     RedmineDbUser "redmine"
105 1 Nicolas Chuche
     RedmineDbPass "password"
106 1 Nicolas Chuche
  </Location>
107 1 Nicolas Chuche
108 1 Nicolas Chuche
</pre>
109 1 Nicolas Chuche
110 17 Joachim Fritschi
h3. Testing the configuration:
111 1 Nicolas Chuche
112 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
113 17 Joachim Fritschi
114 1 Nicolas Chuche
<pre>
115 1 Nicolas Chuche
svn ls http://my.svn.server/svn/myproject
116 4 Jean-Philippe Lang
</pre>
117 1 Nicolas Chuche
118 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
119 4 Jean-Philippe Lang
120 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
121 1 Nicolas Chuche
122 17 Joachim Fritschi
Reading a private repository:
123 3 Jean-Philippe Lang
<pre>
124 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
125 17 Joachim Fritschi
</pre>
126 17 Joachim Fritschi
Try writing to the repository:
127 17 Joachim Fritschi
<pre>
128 17 Joachim Fritschi
svn mkdir http://my.svn.server/svn/myproject/testdir
129 17 Joachim Fritschi
</pre>
130 17 Joachim Fritschi
This should fail and ask for a password.
131 17 Joachim Fritschi
132 17 Joachim Fritschi
133 17 Joachim Fritschi
h3. optional LDAP Authentication
134 17 Joachim Fritschi
135 17 Joachim Fritschi
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
136 17 Joachim Fritschi
137 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
138 20 Stefan Stefansson
> 
139 1 Nicolas Chuche
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
140 37 Mischa The Evil
> 
141 37 Mischa The Evil
142 37 Mischa The Evil
To install the Authen::Simple::LDAP using CPAN use commands:
143 37 Mischa The Evil
<pre>
144 20 Stefan Stefansson
cpan
145 1 Nicolas Chuche
cpan> install Authen::Simple::LDAP
146 1 Nicolas Chuche
</pre>
147 1 Nicolas Chuche
if the installation failed due to some dependencies, resolve the dependencies first.
148 1 Nicolas Chuche
149 1 Nicolas Chuche
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
150 1 Nicolas Chuche
151 1 Nicolas Chuche
<pre>
152 20 Stefan Stefansson
   PerlLoadModule Apache::Redmine
153 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
154 1 Nicolas Chuche
   # PerlLoadModule  IO::Socket::SSL
155 1 Nicolas Chuche
   <Location /svn>
156 8 Nicolas Chuche
     DAV svn
157 43 James Ang
     # If a client tries to svn update which involves updating many files, the
158 43 James Ang
     # update request might result in an error Server sent unexpected return
159 43 James Ang
     # value (413 Request  Entity Too Large) in response to REPORT request,
160 43 James Ang
     # because the size of the update request exceeds the limit allowed by the
161 43 James Ang
     # server. You can avoid this error by disabling the request size limit by
162 43 James Ang
     # adding the line LimitXMLRequestBody 0 between the <Location...> and
163 43 James Ang
     # </Location> lines. 
164 42 Terence Mill
     LimitXMLRequestBody 0
165 42 Terence Mill
     
166 42 Terence Mill
     # Only check Authentification for root path, nor again for recursive folder
167 43 James Ang
     # Redmine core does only permit acces on repository level, so this doesn't
168 43 James Ang
     # hurt security. On the other hand it does boost performance a lot!
169 42 Terence Mill
     SVNPathAuthz off
170 42 Terence Mill
171 12 Todd Nine
     SVNParentPath "/var/svn"
172 12 Todd Nine
173 12 Todd Nine
     AuthType Basic
174 12 Todd Nine
     AuthName redmine
175 12 Todd Nine
     Require valid-user
176 12 Todd Nine
177 12 Todd Nine
     PerlAccessHandler Apache::Authn::Redmine::access_handler
178 12 Todd Nine
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
179 12 Todd Nine
  
180 12 Todd Nine
     ## for mysql
181 12 Todd Nine
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
182 12 Todd Nine
     ## for postgres
183 12 Todd Nine
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
184 12 Todd Nine
185 1 Nicolas Chuche
     RedmineDbUser "redmine"
186 12 Todd Nine
     RedmineDbPass "password"
187 12 Todd Nine
     #Cache the last 50 auth entries
188 12 Todd Nine
     RedmineCacheCredsMax 50
189 15 Jean-Philippe Lang
  </Location>
190 12 Todd Nine
</pre>
191 36 neil johnson
192 1 Nicolas Chuche
h2. Apache configuration for Git repositories
193 38 Lluís Vilanova
194 38 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]]
195 15 Jean-Philippe Lang
196 1 Nicolas Chuche
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
197 1 Nicolas Chuche
198 1 Nicolas Chuche
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
199 1 Nicolas Chuche
200 1 Nicolas Chuche
<pre>
201 1 Nicolas Chuche
202 37 Mischa The Evil
PerlLoadModule Apache::Authn::Redmine
203 1 Nicolas Chuche
204 37 Mischa The Evil
SetEnv GIT_PROJECT_ROOT /path/to/git/repos
205 37 Mischa The Evil
SetEnv GIT_HTTP_EXPORT_ALL
206 37 Mischa The Evil
207 37 Mischa The Evil
ScriptAlias /git/ /usr/bin/git-http-backend/
208 37 Mischa The Evil
209 37 Mischa The Evil
<Location /git>
210 8 Nicolas Chuche
  AuthType Basic
211 8 Nicolas Chuche
  Require valid-user
212 1 Nicolas Chuche
  AuthName "Git"
213 8 Nicolas Chuche
214 8 Nicolas Chuche
  PerlAccessHandler Apache::Authn::Redmine::access_handler
215 8 Nicolas Chuche
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
216 1 Nicolas Chuche
217 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
218 8 Nicolas Chuche
  RedmineDbUser "redmine"
219 8 Nicolas Chuche
  RedmineDbPass "password"
220 37 Mischa The Evil
  RedmineGitSmartHttp yes
221 8 Nicolas Chuche
</Location>
222 8 Nicolas Chuche
223 8 Nicolas Chuche
Alias /git-private /var/git
224 8 Nicolas Chuche
225 8 Nicolas Chuche
<Location /git-private>
226 8 Nicolas Chuche
   Order deny,allow
227 8 Nicolas Chuche
   Deny from all
228 8 Nicolas Chuche
   <Limit GET PROPFIND OPTIONS REPORT>
229 8 Nicolas Chuche
      Options Indexes FollowSymLinks MultiViews
230 8 Nicolas Chuche
   Allow from 127.0.0.1
231 8 Nicolas Chuche
   </Limit>
232 8 Nicolas Chuche
</Location>
233 8 Nicolas Chuche
</pre>
234 8 Nicolas Chuche
235 8 Nicolas Chuche
To verify that you can access repository through Redmine.pm, you can use curl :
236 8 Nicolas Chuche
<pre>
237 8 Nicolas Chuche
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
238 13 Thomas Pihl
ref: refs/heads/master
239 13 Thomas Pihl
</pre>
240 13 Thomas Pihl
241 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
242 22 Diego Oliveira
243 39 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]]
244 39 Lluís Vilanova
245 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
246 22 Diego Oliveira
247 22 Diego Oliveira
<pre>
248 22 Diego Oliveira
[paths]
249 22 Diego Oliveira
/=/path/to/root/repository/**
250 22 Diego Oliveira
251 22 Diego Oliveira
[web]
252 22 Diego Oliveira
allow_push = *
253 22 Diego Oliveira
allowbz2 = yes
254 22 Diego Oliveira
allowgz = yes
255 22 Diego Oliveira
allowzip = yes
256 22 Diego Oliveira
257 22 Diego Oliveira
</pre>
258 22 Diego Oliveira
259 22 Diego Oliveira
Follows the instructions to install Redmine.pm as described and configure your apache like this.
260 22 Diego Oliveira
261 22 Diego Oliveira
<pre>
262 22 Diego Oliveira
    RewriteEngine on
263 22 Diego Oliveira
    PerlLoadModule Apache2::Redmine
264 22 Diego Oliveira
    PerlLoadModule Authen::Simple::LDAP
265 22 Diego Oliveira
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
266 22 Diego Oliveira
    <Location /hg>
267 22 Diego Oliveira
        AuthType Basic
268 22 Diego Oliveira
        AuthName "Mercurial"
269 22 Diego Oliveira
        Require valid-user
270 1 Nicolas Chuche
271 1 Nicolas Chuche
        #Redmine auth
272 1 Nicolas Chuche
        PerlAccessHandler Apache::Authn::Redmine::access_handler
273 1 Nicolas Chuche
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
274 1 Nicolas Chuche
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
275 1 Nicolas Chuche
        RedmineDbUser "DB_USER"
276 1 Nicolas Chuche
        RedmineDbPass "DB_PASSWD"
277 1 Nicolas Chuche
    </Location>
278 37 Mischa The Evil
279 37 Mischa The Evil
    # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur.
280 37 Mischa The Evil
    Alias /private-hg /path/to/hg/repos
281 37 Mischa The Evil
    
282 37 Mischa The Evil
    <Location /private-hg>
283 37 Mischa The Evil
        Order deny, allow
284 37 Mischa The Evil
        Deny from all
285 37 Mischa The Evil
        <Limit GET PROPFIND OPTIONS REPORT>
286 37 Mischa The Evil
            Options Indexes FollowSymLinks MultiViews
287 37 Mischa The Evil
            Allow from 127.0.0.1
288 37 Mischa The Evil
        </Limit>
289 37 Mischa The Evil
    </Location>
290 37 Mischa The Evil
291 22 Diego Oliveira
292 1 Nicolas Chuche
</pre>
293 22 Diego Oliveira
294 22 Diego Oliveira
h2. Gotchas
295 13 Thomas Pihl
296 13 Thomas Pihl
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
297 13 Thomas Pihl
Example: 
298 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
299 1 Nicolas Chuche
(if your repo are named rm-code)
300 27 Bill Dieter
301 37 Mischa The Evil
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.