HowTo to handle SVN repositories creation and access control with Redmine » History » Version 13

Nicolas Chuche, 2007-10-21 19:36

h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repository creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done using the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system with the following packages:
* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

In this HowTo, we assume that:
* the redmine database is called @redmine@ and hosted on @localhost@
* the Subversion repositories are located in @/var/svn@

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Installing required packages

Get nss_mysql and other necessary packages:

  apt-get install build-essential libnss-mysql libpam0g-dev libssl-dev

Get and build @pam_mysql@:

<pre>
$ cd /usr/src
$ wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
$ tar xzf pam_mysql-0.7RC1.tar.gz
$ cd pam_mysql-0.7RC1
$ ./configure --with-openssl
$ make && make install
</pre>

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database:

  mysql --user=root redmine -p < create_views.sql

2. Create and grant privileges to 2 new mysql users (@redmine_nss@ and @redmine_pam@):

<pre>
mysql --user=root -p
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>

h3. Configuring nss-mysql

3. Create @/etc/nss-mysql.conf@ as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.username;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper:

  sudo install svnserve.wrapper /usr/local/bin

5. Change @/etc/nsswitch.conf@

Add “mysql” at the end of the @passwd@ and @group@ lines, like this:

<pre>
passwd:         compat mysql
group:          compat mysql
</pre>

6. Test that all this works:

You must have users in some project to verify this.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
project1:x:5001:
project2:x:5002:
</pre>
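
The check in step 6 can be scripted. The following is an added example, not part of the original HowTo or of Redmine's /extra/svn scripts: it reads @getent passwd@ output and reports database-backed accounts whose shell is not the wrapper, or whose name or uid collides with a local account. The function name @audit_passwd@, the @MIN_UID@ threshold and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Redmine HowTo): audit `getent passwd` output for
# accounts that nss-mysql adds on top of the local passwd file.
# Usage on the SVN host: getent passwd | audit_passwd /etc/passwd
WRAPPER="/usr/local/bin/svnserve.wrapper"   # users.shell_column from the page
MIN_UID=1000                                # assumption: lowest non-system uid

# audit_passwd LOCAL_FILE < merged-passwd-lines ; prints one finding per line
audit_passwd() {
    awk -F: -v wrapper="$WRAPPER" -v min_uid="$MIN_UID" '
        # Pass 1: remember local accounts (exact line, name, uid).
        FILENAME == ARGV[1] { line[$0] = 1; name[$1] = 1; uid[$3] = $1; next }
        # Pass 2: skip local entries and anything that is not a passwd record.
        ($0 in line) || NF != 7 { next }
        # Every database-backed account should be confined to the wrapper.
        $7 != wrapper    { print "SHELL " $1 " " $7 }
        # nsswitch.conf lists compat before mysql: a lookup by name
        # returns the local entry, not the database one.
        ($1 in name)     { print "NAMECLASH " $1 }
        # A shared uid means shared file ownership with a local account.
        ($3 in uid)      { print "UIDCLASH " $1 " " $3 " " uid[$3] }
        $3 + 0 < min_uid { print "LOWUID " $1 " " $3 }
    ' "$1" -
}

# Constructed sample data, not taken from a real host.
sample_local() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}
sample_getent() { sample_local; cat <<'EOF'
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/bin/bash
alice:x:5004:100:alice a:/false/path:/usr/local/bin/svnserve.wrapper
user3:x:1000:100:user3 user3:/false/path:/usr/local/bin/svnserve.wrapper
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_local > "$tmp"
    sample_getent | audit_passwd "$tmp"
    rm -f "$tmp"
}
demo
```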

h3. Authorize ssh pam to use mysql

7. Add these lines in @/etc/pam.d/ssh@:

<pre>
auth sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4
</pre>

Just before:

  @include common-auth

8. Test this against an existing Redmine user

Try to connect to the SVN host using a Redmine username (e.g. jsmith):

<pre>
$ ssh jsmith@localhost
jsmith@localhost's password:
Could not chdir to home directory /false/path: No such file or directory
( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline ) ) )
</pre>

The chdir error is the expected result.

h3. Automating repository creation

Repository creation can be automated by running the reposman script periodically.

It takes 2 arguments:

    * @svn-dir@: path to the directory where your svn repositories are located
    * @redmine-host@: host name of your Redmine install

Perl and Ruby versions of this script are provided. The Perl version requires @libsoap-lite-perl@.

Example using the Ruby version:

<pre>
$ sudo ./reposman.rb --svn-dir=/var/svn --redmine-host=localhost
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check *Enable WS for repository management*.

Make sure this option is checked if you get this error when running reposman:
@Service description 'http://localhost/sys/service.wsdl' can't be loaded: 404 Not Found@

With a recent version of Redmine/reposman.rb (re. 860 and later), reposman.rb can register the new repository in Redmine, so that you have nothing to do, and set the owner of the repository to whichever user you choose in order to allow browsing private repositories in Redmine. For more information see [[HowTo to handle SVN repositories creation and access control with Redmine (part 2)]].

h3. Accessing the repositories

You can now access the project1 repository using this URL:

  svn+ssh://svnhost/project1


fn1. Other databases can’t be used because of various problems: no PAM module, no SHA1 handling, ...