HowTo to handle SVN repositories creation and access control with Redmine » History » Version 3

Jean-Philippe Lang, 2007-10-14 10:41

h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repository creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done with the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system. They don’t have to be on the same host you installed Redmine on.
The following are required on your SVN host:

* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support[2]
* perl with SOAP::Lite package

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database:

  mysql --user=redmine_user redmine_database -p < create_views.sql

2. Grant privileges on these views:

<pre>
mysql --user=root
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
Query OK, 0 rows affected (0.03 sec)
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>
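The check below is an added example, not one of the scripts in /extra/svn. It compares saved SHOW GRANTS output for an account with the grants from step 2 and reports anything extra or missing, so that the account used for NSS lookups cannot read the ssh_users view, which holds the password column. The function names and the sample grant lines are constructed, and the exact SHOW GRANTS text varies between MySQL versions.

```shell
#!/bin/sh
# Added example (not from /extra/svn): compare saved SHOW GRANTS output with step 2.

# Views each account may SELECT from, copied from the grant statements above.
expected_views() {
    case "$1" in
        redmine_nss) echo "nss_groups nss_users nss_grouplist" ;;
        redmine_pam) echo "ssh_users" ;;
    esac
}

# $1: account name. stdin: output of SHOW GRANTS FOR <account>@localhost.
# Prints one line per deviation; prints nothing when the grants match step 2.
check_grants() {
    awk -v views="$(expected_views "$1")" -v q="'" '
        BEGIN { n = split(views, v, " "); for (i = 1; i <= n; i++) want[v[i]] = 1 }
        { gsub("[`" q "]", "") }                 # drop backticks and single quotes
        $1 != "GRANT" { next }
        {
            # The privilege list is every word between GRANT and ON.
            privs = ""
            for (i = 2; i <= NF && $i != "ON"; i++) privs = privs (privs == "" ? "" : " ") $i
            object = $(i + 1)
            if (privs == "USAGE") next           # USAGE carries no privileges
            split(object, part, ".")
            if (privs == "SELECT" && (part[2] in want)) have[part[2]] = 1
            else print "UNEXPECTED " privs " ON " object
        }
        END { for (i = 1; i <= n; i++) if (!(v[i] in have)) print "MISSING SELECT ON " v[i] }
    '
}

# Constructed sample: redmine_nss was also given the view that holds passwords
# and is missing one of its own views.
sample_nss_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO 'redmine_nss'@'localhost'
GRANT SELECT ON `redmine`.`nss_groups` TO 'redmine_nss'@'localhost'
GRANT SELECT ON `redmine`.`nss_users` TO 'redmine_nss'@'localhost'
GRANT SELECT ON `redmine`.`ssh_users` TO 'redmine_nss'@'localhost'
EOF
}

sample_nss_grants | check_grants redmine_nss
```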

h3. Configuring nss-mysql on your SVN server

3. Create the /etc/nss-mysql.conf as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.uid;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper:

  sudo install svnserve.wrapper /usr/local/bin

5. Change /etc/nsswitch.conf

Add “mysql” to the passwd and group lines, like this:

<pre>
passwd:         compat mysql
group:          compat mysql
</pre>

6. Test that all this stuff works:

You must have users in some project to verify.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
projet redmine 1:x:5001:
projet redmine 2:x:5002:
</pre>
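A stricter version of this test, as an added example that is not part of the Redmine scripts: it compares a copy of /etc/passwd with saved getent passwd output and reports database-served accounts whose shell is not the wrapper, or whose name or UID collides with a local account. The function names and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from /extra/svn): audit the accounts NSS serves from MySQL.
WRAPPER=/usr/local/bin/svnserve.wrapper   # users.shell_column in nss-mysql.conf

# $1: copy of /etc/passwd. $2: saved output of `getent passwd`.
# Entries present only in $2 come from the database; print one line per finding.
audit_nss_accounts() {
    awk -F: -v wrapper="$WRAPPER" '
        NR == FNR { local_line[$0] = 1; local_name[$1] = 1; local_uid[$3] = $1; next }
        NF != 7 || ($0 in local_line) { next }    # skip "[...]" and local entries
        {
            # Any other shell gives the Redmine user more than svnserve over ssh.
            if ($7 != wrapper)    print "BAD_SHELL " $1 " " $7
            # "compat" is consulted first, so the local account of that name wins.
            if ($1 in local_name) print "NAME_COLLISION " $1
            # A shared UID means shared file ownership with a local account.
            if ($3 in local_uid)  print "UID_COLLISION " $1 " " $3 " " local_uid[$3]
        }
    ' "$1" "$2"
}

# Constructed sample data: two local accounts, then four database accounts.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:5003:34:backup:/var/backups:/usr/sbin/nologin
EOF
    { cat "$tmp/passwd"; cat <<'EOF'
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper
user3:x:5004:100:user3 user3:/false/path:/bin/bash
root:x:5005:100:root root:/false/path:/usr/local/bin/svnserve.wrapper
EOF
    } > "$tmp/getent"
    audit_nss_accounts "$tmp/passwd" "$tmp/getent"
    rm -rf "$tmp"
}

audit_demo
```

On a real host, pass a copy of /etc/passwd and the saved output of getent passwd as the two arguments of audit_nss_accounts.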

h3. Authorize ssh pam to use mysql

7. Add the line:

  auth sufficient pam_mysql.so user=redmine_pam passwd=averylongpassword host=localhost db=redmine table=ssh_users usercolumn=username passwdcolumn=password crypt=4

Just before

  @include common-auth

or

  auth required pam_unix.so nullok_secure

8. Test this against an existing Redmine user

Try to connect to the SVN host using your Redmine username and password:

  ssh redmine_username@svn_host

h3. Automating repository creation

Repository creation can be automated by running the reposman.pl script periodically.

It takes 2 arguments:

* svn-dir: path to the directory where your svn repositories are located
* redmine-host: host name of your Redmine install

Example:

<pre>
$ sudo reposman --svn-dir=/var/svn --redmine-host=redmine.mydomain.foo
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.

fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling, ...

fn2. You must use "./configure --with-openssl" in order to add SHA1 support to pam_mysql