Project

General

Profile

Repositories access control with apache mod dav svn and mod perl » History » Version 46

Antonio García-Domínguez, 2015-04-30 13:14
Mention Apache::DBI for connection pooling

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 43 James Ang
<pre>sudo aptitude install libapache2-svn libapache-dbi-perl \
14
libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl \
15
libauthen-simple-ldap-perl</pre>
16 41 Zack s
17 1 Nicolas Chuche
On Turnkey Redmine Virtual Appliance you can do :
18
19 43 James Ang
<pre>apt-get install libapache2-svn libapache-dbi-perl \
20
libapache2-mod-perl2 libauthen-simple-ldap-perl</pre>
21 40 Zack s
22 37 Mischa The Evil
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
23 1 Nicolas Chuche
24
h2. Enabling apache modules
25
26
On debian/ubuntu :
27
28
<pre>
29 15 Jean-Philippe Lang
sudo a2enmod dav
30 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
31
sudo a2enmod dav_fs  # if you want to use git
32 15 Jean-Philippe Lang
sudo a2enmod perl
33 4 Jean-Philippe Lang
</pre>
34 1 Nicolas Chuche
35 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
36 1 Nicolas Chuche
37
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
38 37 Mischa The Evil
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
39
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
40
41 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
42 1 Nicolas Chuche
43 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
44
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
45
* read access from the redmine-server or any validated user
46
* write access only validated users
47 15 Jean-Philippe Lang
48 17 Joachim Fritschi
49 15 Jean-Philippe Lang
<pre>
50 46 Antonio García-Domínguez
   # enables connection pooling (very useful for checkouts with many files)
51
   PerlModule Apache::DBI
52
   PerlOptions +GlobalRequest
53
54 1 Nicolas Chuche
   # /svn location for users
55
   PerlLoadModule Apache::Redmine
56
   <Location /svn>
57
     DAV svn
58 45 Friedrich Schiller
59
     ### uncomment the following line when using subversion 1.8 or newer (see http://subversion.apache.org/docs/release-notes/1.8.html#serf-skelta-default)
60
     # SVNAllowBulkUpdates Prefer
61
62 1 Nicolas Chuche
     SVNParentPath "/var/svn"
63
     Order deny,allow
64
     Deny from all
65
     Satisfy any
66 43 James Ang
     # If a client tries to svn update which involves updating many files,
67
     # the update request might result in an error Server sent unexpected
68
     # return value (413 Request  Entity Too Large) in response to REPORT
69
     # request,because the size of the update request exceeds the limit
70
     # allowed by the server. You can avoid this error by disabling the
71
     # request size limit by adding the line LimitXMLRequestBody 0
72
     # between the <Location...> and </Location> lines. 
73 42 Terence Mill
     LimitXMLRequestBody 0
74
     
75 43 James Ang
     # Only check Authentication for root path, nor again for recursive
76
     # folder.
77
     # Redmine core does only permit access on repository level, so this
78
     # doesn't hurt security. On the other hand it does boost performance
79
     # a lot!
80 42 Terence Mill
     SVNPathAuthz off
81 1 Nicolas Chuche
82
     PerlAccessHandler Apache::Authn::Redmine::access_handler
83
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
84 17 Joachim Fritschi
     AuthType Basic
85 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
86 44 F Abu-Nimeh
     AuthUserFile /dev/null
87 17 Joachim Fritschi
88
     #read-only access	
89
     <Limit GET PROPFIND OPTIONS REPORT>
90 19 Joachim Fritschi
        Require valid-user
91 17 Joachim Fritschi
        Allow from redmine.server.ip
92
        # Allow from another-ip
93
     	Satisfy any
94
     </Limit>
95
     # write access
96
     <LimitExcept GET PROPFIND OPTIONS REPORT>
97
   	Require valid-user
98
     </LimitExcept>
99
100
101 1 Nicolas Chuche
     ## for mysql
102
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
103 4 Jean-Philippe Lang
     ## for postgres
104 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
105 4 Jean-Philippe Lang
     ## for SQLite3
106 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
107
108
     RedmineDbUser "redmine"
109
     RedmineDbPass "password"
110
  </Location>
111
112
</pre>
113
114 17 Joachim Fritschi
h3. Testing the configuration:
115 1 Nicolas Chuche
116 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
117
118 1 Nicolas Chuche
<pre>
119
svn ls http://my.svn.server/svn/myproject
120 4 Jean-Philippe Lang
</pre>
121 1 Nicolas Chuche
122 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
123 4 Jean-Philippe Lang
124 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
125 1 Nicolas Chuche
126 17 Joachim Fritschi
Reading a private repository:
127 3 Jean-Philippe Lang
<pre>
128 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
129
</pre>
130
Try writing to the repository:
131
<pre>
132
svn mkdir http://my.svn.server/svn/myproject/testdir
133
</pre>
134
This should fail and ask for a password.
135
136
137
h3. optional LDAP Authentication
138
139
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
140
141 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
142
> 
143 1 Nicolas Chuche
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
144 37 Mischa The Evil
> 
145
146
To install the Authen::Simple::LDAP using CPAN use commands:
147
<pre>
148 20 Stefan Stefansson
cpan
149 1 Nicolas Chuche
cpan> install Authen::Simple::LDAP
150
</pre>
151
if the installation failed due to some dependencies, resolve the dependencies first.
152
153
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
154
155
<pre>
156 20 Stefan Stefansson
   PerlLoadModule Apache::Redmine
157 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
158 1 Nicolas Chuche
   # PerlLoadModule  IO::Socket::SSL
159
   <Location /svn>
160 8 Nicolas Chuche
     DAV svn
161 43 James Ang
     # If a client tries to svn update which involves updating many files, the
162
     # update request might result in an error Server sent unexpected return
163
     # value (413 Request  Entity Too Large) in response to REPORT request,
164
     # because the size of the update request exceeds the limit allowed by the
165
     # server. You can avoid this error by disabling the request size limit by
166
     # adding the line LimitXMLRequestBody 0 between the <Location...> and
167
     # </Location> lines. 
168 42 Terence Mill
     LimitXMLRequestBody 0
169
     
170
     # Only check Authentification for root path, nor again for recursive folder
171 43 James Ang
     # Redmine core does only permit acces on repository level, so this doesn't
172
     # hurt security. On the other hand it does boost performance a lot!
173 42 Terence Mill
     SVNPathAuthz off
174
175 12 Todd Nine
     SVNParentPath "/var/svn"
176
177
     AuthType Basic
178
     AuthName redmine
179
     Require valid-user
180
181
     PerlAccessHandler Apache::Authn::Redmine::access_handler
182
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
183
  
184
     ## for mysql
185
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
186
     ## for postgres
187
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
188
189 1 Nicolas Chuche
     RedmineDbUser "redmine"
190 12 Todd Nine
     RedmineDbPass "password"
191
     #Cache the last 50 auth entries
192
     RedmineCacheCredsMax 50
193 15 Jean-Philippe Lang
  </Location>
194 12 Todd Nine
</pre>
195 36 neil johnson
196 1 Nicolas Chuche
h2. Apache configuration for Git repositories
197 38 Lluís Vilanova
198
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]]
199 15 Jean-Philippe Lang
200 1 Nicolas Chuche
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
201
202
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
203
204
<pre>
205
206 37 Mischa The Evil
PerlLoadModule Apache::Authn::Redmine
207 1 Nicolas Chuche
208 37 Mischa The Evil
SetEnv GIT_PROJECT_ROOT /path/to/git/repos
209
SetEnv GIT_HTTP_EXPORT_ALL
210
211
ScriptAlias /git/ /usr/bin/git-http-backend/
212
213
<Location /git>
214 8 Nicolas Chuche
  AuthType Basic
215
  Require valid-user
216 1 Nicolas Chuche
  AuthName "Git"
217 8 Nicolas Chuche
218
  PerlAccessHandler Apache::Authn::Redmine::access_handler
219
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
220 1 Nicolas Chuche
221 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
222
  RedmineDbUser "redmine"
223
  RedmineDbPass "password"
224 37 Mischa The Evil
  RedmineGitSmartHttp yes
225 8 Nicolas Chuche
</Location>
226
227
Alias /git-private /var/git
228
229
<Location /git-private>
230
   Order deny,allow
231
   Deny from all
232
   <Limit GET PROPFIND OPTIONS REPORT>
233
      Options Indexes FollowSymLinks MultiViews
234
   Allow from 127.0.0.1
235
   </Limit>
236
</Location>
237
</pre>
238
239
To verify that you can access repository through Redmine.pm, you can use curl :
240
<pre>
241
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
242 13 Thomas Pihl
ref: refs/heads/master
243
</pre>
244
245 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
246
247 39 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]]
248
249 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
250
251
<pre>
252
[paths]
253
/=/path/to/root/repository/**
254
255
[web]
256
allow_push = *
257
allowbz2 = yes
258
allowgz = yes
259
allowzip = yes
260
261
</pre>
262
263
Follows the instructions to install Redmine.pm as described and configure your apache like this.
264
265
<pre>
266
    RewriteEngine on
267
    PerlLoadModule Apache2::Redmine
268
    PerlLoadModule Authen::Simple::LDAP
269
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
270
    <Location /hg>
271
        AuthType Basic
272
        AuthName "Mercurial"
273
        Require valid-user
274 1 Nicolas Chuche
275
        #Redmine auth
276
        PerlAccessHandler Apache::Authn::Redmine::access_handler
277
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
278
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
279
        RedmineDbUser "DB_USER"
280
        RedmineDbPass "DB_PASSWD"
281
    </Location>
282 37 Mischa The Evil
283
    # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur.
284
    Alias /private-hg /path/to/hg/repos
285
    
286
    <Location /private-hg>
287
        Order deny, allow
288
        Deny from all
289
        <Limit GET PROPFIND OPTIONS REPORT>
290
            Options Indexes FollowSymLinks MultiViews
291
            Allow from 127.0.0.1
292
        </Limit>
293
    </Location>
294
295 22 Diego Oliveira
296 1 Nicolas Chuche
</pre>
297 22 Diego Oliveira
298
h2. Gotchas
299 13 Thomas Pihl
300
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
301
Example: 
302 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
303
(if your repo are named rm-code)
304 27 Bill Dieter
305 37 Mischa The Evil
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.