HowTo to handle SVN repositories creation and access control with Redmine » History » Version 12

Nicolas Chuche, 2007-10-21 19:13

h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repository creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done using the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system with the following packages:
* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

In this HowTo, we assume that:
* the Redmine database is called @redmine@ and hosted on @localhost@
* the Subversion repositories are located in @/var/svn@

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Installing required packages

Get nss_mysql and other necessary packages:

  apt-get install build-essential libnss-mysql libpam0g-dev libssl-dev

Get and build @pam_mysql@:

<pre>
$ cd /usr/src
$ wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
$ tar xzf pam_mysql-0.7RC1.tar.gz
$ cd pam_mysql-0.7RC1
$ ./configure --with-openssl
$ make && make install
</pre>

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the views in your Redmine database:

  mysql --user=root redmine -p < create_views.sql

2. Create two new MySQL users (@redmine_nss@ and @redmine_pam@) and grant them privileges:

<pre>
mysql --user=root -p
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>

h3. Configuring nss-mysql

3. Create @/etc/nss-mysql.conf@ as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.username;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper:

  sudo install svnserve.wrapper /usr/local/bin

5. Change @/etc/nsswitch.conf@

Add “mysql” at the end of the @passwd@ and @group@ lines, like this:

<pre>
passwd:         compat mysql
group:          compat mysql
</pre>

6. Test that everything works:

You must have users in some project to verify this.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
project1:x:5001:
project2:x:5002:
</pre>
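
A follow-up check for step 6, added here as an example (it is not one of the scripts shipped in /extra/svn): it compares the local @/etc/passwd@ with saved @getent passwd@ output and reports Redmine-sourced accounts whose shell is not the wrapper, or whose name or uid duplicates a local account, since with @compat mysql@ the local entry is looked up first. The function name @audit_accounts@, the file names and all sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the account list produced in step 6.
WRAPPER=/usr/local/bin/svnserve.wrapper   # users.shell_column in nss-mysql.conf

# audit_accounts LOCAL_PASSWD GETENT_PASSWD
#   LOCAL_PASSWD  : copy of /etc/passwd (local accounts only)
#   GETENT_PASSWD : saved output of `getent passwd` (local + mysql entries)
# Prints one finding per line; prints nothing when no problem is found.
audit_accounts() {
    awk -F: -v wrapper="$WRAPPER" '
        # First file: index the local accounts by full line, name and uid.
        NR == FNR { line[$0] = 1; name[$1] = 1; uid[$3] = $1; next }
        # Second file: entries identical to a local line are local, skip them.
        ($0 in line) { next }
        # What remains comes from the Redmine view.
        $7 != wrapper { print "bad-shell " $1 " " $7 }
        ($1 in name)  { print "name-collision " $1 }
        ($3 in uid)   { print "uid-collision " $1 " uid=" $3 " local=" uid[$3] }
    ' "$1" "$2"
}

# Constructed sample data (not from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svnadmin:x:5003:1000:SVN admin:/home/svnadmin:/bin/bash
EOF
{
    cat "$SAMPLE_DIR/passwd.local"
    # user2 reuses a local uid, backup reuses a local name,
    # user3 has a shell other than the wrapper (configuration drift).
    cat <<'EOF'
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper
backup:x:5004:100:Backup Operator:/false/path:/usr/local/bin/svnserve.wrapper
user3:x:5005:100:user3 user3:/false/path:/bin/bash
EOF
} > "$SAMPLE_DIR/passwd.getent"

audit_accounts "$SAMPLE_DIR/passwd.local" "$SAMPLE_DIR/passwd.getent"
```

On a real host, pass @/etc/passwd@ as the first argument and a file written with @getent passwd@ as the second.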

h3. Authorize ssh pam to use mysql

7. Add these lines to @/etc/pam.d/ssh@:

<pre>
auth sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4
</pre>

These lines must be placed just before:

  @include common-auth

@crypt=4@ selects SHA1 password comparison, which is why pam_mysql must be compiled with SHA1 support.

8. Test this against an existing Redmine user

Try to connect to the SVN host using a Redmine username (e.g. jsmith):

<pre>
$ ssh jsmith@localhost
jsmith@localhost's password:
Could not chdir to home directory /false/path: No such file or directory
( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline ) ) )
</pre>

The chdir error is the expected result: the home directory @/false/path@ does not exist.

h3. Automating repository creation

Repository creation can be automated by running the reposman script periodically.

It takes 2 arguments:

* @svn-dir@: path to the directory where your svn repositories are located
* @redmine-host@: host name of your Redmine install

Perl and Ruby versions of this script are provided. The Perl version requires @libsoap-lite-perl@.

Example using the Ruby version:

<pre>
$ sudo ./reposman.rb --svn-dir=/var/svn --redmine-host=localhost
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check *Enable WS for repository management*.

With a recent version of Redmine/reposman.rb (revision 860 and later), reposman.rb can register the new repository in Redmine for you, and can set the owner of the repository to the user of your choice in order to allow browsing private repositories in Redmine. For more information see [[HowTo to handle SVN repositories creation and access control with Redmine (part 2)]].

Make sure the *Enable WS for repository management* option is checked if you get this error when running reposman:
@Service description 'http://localhost/sys/service.wsdl' can't be loaded: 404 Not Found@

h3. Accessing the repositories

You can now access the project1 repository using this URL:

  svn+ssh://svnhost/project1

fn1. Other databases can’t be used because of various problems: no PAM module, no SHA1 handling, ...