Feature #11475 (closed)
Redmine.pm: Allow fallback to other Apache auth providers
Description
The goal was to allow other auth modules to co-exist with Redmine.pm, and thus satisfy special case requests covering global administrative/anonymous requests in addition to those allowed by Redmine based on project relationships. I tried every other possible combination of Apache directives to achieve this goal, but it looks like by returning AUTH_REQUIRED early in the process, Redmine.pm is becoming authoritative and preventing other modules, i.e. authn_file or authz_svn, from accepting valid requests.
Replacing AUTH_REQUIRED with DECLINED seems to solve the problem:
--- Redmine.pm.9887 2012-07-22 22:21:17.410411915 +0200 +++ Redmine.pm 2012-07-22 20:55:00.014411918 +0200 @@ -342,7 +342,8 @@ return OK; } else { $r->note_auth_failure(); - return AUTH_REQUIRED; +# return AUTH_REQUIRED; + return DECLINED; } }
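Review bot: returning DECLINED in the else branch makes the outcome of a failed Redmine check depend entirely on whichever other auth provider is configured for the location, and the hunk still calls `$r->note_auth_failure()`, so the 401 challenge header is set even though this handler no longer issues the 401. Consider keeping `return AUTH_REQUIRED;` as the default and returning DECLINED only when fallback is explicitly enabled by configuration, and delete the commented-out `# return AUTH_REQUIRED;` line rather than leaving it behind as dead code.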
However, I am not very confident about whether this will satisfy all cases and not break others. Comments and/or suggestions from relevant experts are welcomed and very much appreciated.
Quoting from http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases
Before discussing each handler in detail remember that if you use the stacked handlers feature all handlers in the chain will be run as long as they return Apache2::Const::OK or Apache2::Const::DECLINED...
Updated by Jean-Philippe Lang over 12 years ago
- Category set to SCM extra
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Target version set to 2.1.0
- Resolution set to Fixed
Committed in r10281, thanks.
Updated by Raphael Kallensee about 12 years ago
I upgraded from Redmine 2.0.x to 2.1.x and I'm pretty sure this broke my (pretty much default) auth configuration (Ubuntu 10.04, Apache 2.2.14). When trying to authenticate for a Git ("dumb HTTP") repository, I got an HTTP 500 and Apache logged:
[Tue Oct 30 19:29:25 2012] [error] [client xxx.xxx.xxx.xxx] (9)Bad file descriptor: Could not open password file: (null)
[Tue Oct 30 19:29:16 2012] [error] Internal error: pcfg_openfile() called with NULL filename
This is the relevant part of my Apache virtual host configuration:
PerlLoadModule Apache::Redmine

## GIT
Alias /git /var/www/my.domain/git
<Location /git>
  DAV on
  AuthType Basic
  AuthName "Git"
  Require valid-user
  Options +Indexes -ExecCGI -Includes
  php_admin_flag engine off
  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
  RedmineDbUser "redmine"
  RedmineDbPass "password"
</Location>
I got it working by adding
...
  AuthName "Git"
  Require valid-user
  # this was added to avoid the Apache error
  AuthUserFile /dev/null
...
But I still get some warnings in the Apache log, although authentication now works:
[Tue Oct 30 22:10:52 2012] [error] [client xxx.xxx.xxx.xxx] user xyz not found: /git/repo-name/info/refs
If it's not just me getting this behavior we should probably at least update the documentation.
Updated by Mike Stromer about 12 years ago
Raphael Kallensee, I had the same issue on Redmine 2.1.2
[Wed Oct 31 03:39:20 2012] [error] [client xxx.xxx.xxx.xxx] user USER not found: /git/info/refs
Updated by Mike Stromer about 12 years ago
I checked the MySQL log and I guess there is an issue with the MySQL query: projects.identifier=NULL
SELECT users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status
FROM projects, users, roles
WHERE users.login='USER'
  AND projects.identifier=NULL
  AND users.status=1
  AND (
    roles.id IN (SELECT member_roles.role_id
                 FROM members, member_roles
                 WHERE members.user_id = users.id
                   AND members.project_id = projects.id
                   AND members.id = member_roles.member_id)
    OR (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
  )
  AND roles.permissions IS NOT NULL
Updated by Woody Huang almost 12 years ago
Mike Stromer wrote:
I checked the MySQL log and I guess there is an issue with the MySQL query: projects.identifier=NULL
[...]
I got the same error under Redmine 2.2.2 (with git 1.7.9), but projects.identifier= in the MySQL log is the name of the git repos. I was thinking of modifying the patch to get the project identifier from the repos URL, when I realized that using the repos name as the project identifier really makes sense.
The only problem may be multiple repos under a project. Actually, the patch handles it already; Redmine.pm comments as follows:
A project repository must be named with the project identifier. In case of multiple repositories for the same project, use the project identifier and the repository identifier separated with a dot:
/var/svn/foo
/var/svn/foo.otherrepo
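The naming rule quoted above, as an added example (not Redmine.pm's own code and not part of any comment in this thread): a hypothetical helper, `project_identifier_from_uri`, derives the project identifier from the request path, maps `foo.otherrepo` to project `foo`, and returns undef when no identifier can be derived, which is the case that appears as `projects.identifier=NULL` in the logged query. The locations and URIs are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Redmine.pm's own code): derive the project
# identifier from a request URI served under a given <Location> prefix.
sub project_identifier_from_uri {
    my ($location, $uri) = @_;
    $location =~ s{/+$}{};    # tolerate a trailing slash on the prefix
    # Take the first path segment after the prefix and stop at "/" or ".",
    # so "foo.otherrepo" resolves to project "foo".
    my ($identifier) = $uri =~ m{^\Q$location\E/+([^/.]+)};
    return $identifier;       # undef when the URI carries no identifier
}

# Constructed sample requests, not taken from a real log.
my @samples = (
    [ '/git', '/git/foo/info/refs' ],
    [ '/git', '/git/foo.otherrepo/info/refs' ],
    [ '/svn', '/svn/foo.otherrepo/trunk' ],
    [ '/git', '/git' ],            # location root, no repository segment
    [ '/git', '/gitweb/foo' ],     # different path sharing the same prefix
);

for my $sample (@samples) {
    my ($location, $uri) = @$sample;
    my $id = project_identifier_from_uri($location, $uri);
    if (defined $id) {
        printf "%-32s -> project '%s'\n", $uri, $id;
    }
    else {
        # An undefined identifier bound into the lookup becomes
        # "projects.identifier = NULL", a comparison that matches no row,
        # so the request should be rejected before the query is run.
        printf "%-32s -> no project identifier, reject before querying\n", $uri;
    }
}
```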