HowTo to handle SVN repositories creation and access control with Redmine » History » Version 4

Jean-Philippe Lang, 2007-10-14 18:39

h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine can handle Subversion repository creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done with the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system. They don’t have to be on the same host you installed Redmine on.
The following are required on your SVN host:

* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support[2]
* perl with the SOAP::Lite package

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database:

  mysql --user=redmine_user redmine_database -p < create_views.sql

2. Grant privileges on these views:

<pre>
mysql --user=root
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>
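
A least-privilege check for the two accounts created in step 2, as an added example that is not part of the original HowTo or of Redmine's scripts: it reads @SHOW GRANTS@ output and reports anything beyond USAGE or a plain SELECT on the listed views. The function name @check_grants@ and the sample grants are constructed for illustration.

```shell
#!/bin/sh
# Added example: least-privilege check for the accounts created in step 2.
# check_grants ACCOUNT VIEW...   reads "SHOW GRANTS" output on stdin, e.g.
#   mysql --user=root -p -N -e "SHOW GRANTS FOR 'redmine_pam'@'localhost'" \
#     | check_grants redmine_pam ssh_users
# Prints every grant that is not USAGE or a plain SELECT on one of the listed
# redmine views; returns 1 if any such grant is found.
check_grants() {
    account=$1; shift
    allowed=" $* "
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Drop backticks and quotes so old and new MySQL output look alike.
        clean=$(printf '%s' "$line" | tr -d "\`'\"")
        case $clean in
            *"WITH GRANT OPTION"*) ;;               # can hand rights on: report
            "GRANT USAGE ON *.* TO "*) continue ;;  # login only, no privileges
            "GRANT SELECT ON redmine."*" TO "*)
                view=${clean#GRANT SELECT ON redmine.}
                view=${view%% TO *}
                case $allowed in *" $view "*) continue ;; esac ;;
        esac
        printf '%s: unexpected grant: %s\n' "$account" "$line"
        status=1
    done
    return "$status"
}

# Constructed sample: the last line is a grant the HowTo never asks for.
sample_grants="GRANT USAGE ON *.* TO 'redmine_pam'@'localhost' IDENTIFIED BY PASSWORD '<hash>'
GRANT SELECT ON \`redmine\`.\`ssh_users\` TO 'redmine_pam'@'localhost'
GRANT SELECT ON \`redmine\`.\`users\` TO 'redmine_pam'@'localhost'"
printf '%s\n' "$sample_grants" | check_grants redmine_pam ssh_users || true
```

For @redmine_nss@, pass the three views from step 2: @check_grants redmine_nss nss_groups nss_users nss_grouplist@.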

h3. Configuring nss-mysql on your SVN server

3. Create the /etc/nss-mysql.conf as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.uid;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper:

  sudo install svnserve.wrapper /usr/local/bin

5. Change /etc/nsswitch.conf

Add “mysql” at the end of the passwd and group lines, like this:

<pre>
passwd:         compat mysql
group:          compat mysql
</pre>

6. Test that all of this works:

You must have users in some project to verify.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
projet redmine 1:x:5001:
projet redmine 2:x:5002:
</pre>
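
One way to review what step 6 returns, as an added example (not one of the scripts in /extra/svn): it compares saved @getent passwd@ output with the local passwd file and reports database-backed accounts whose shell, home directory or gid differ from /etc/nss-mysql.conf, or whose login or uid duplicates a local account. The function name, file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the accounts nss-mysql serves from the Redmine database.
# Expected values are the ones set in /etc/nss-mysql.conf in step 3.
WRAPPER=/usr/local/bin/svnserve.wrapper   # users.shell_column
FAKE_HOME=/false/path                     # users.homedir_column
NSS_GID=100                               # users.gid_column

# audit_nss_accounts LOCAL_PASSWD GETENT_OUTPUT
#   LOCAL_PASSWD   copy of /etc/passwd (must not be empty)
#   GETENT_OUTPUT  saved output of "getent passwd"
# Prints one line per finding and returns 1 if there is any.
audit_nss_accounts() {
    awk -F: -v wrapper="$WRAPPER" -v home="$FAKE_HOME" -v gid="$NSS_GID" '
        function report(msg) { print $1 ": " msg; bad = 1 }
        $0 == "" { next }
        # First file: remember local account names and UIDs.
        NR == FNR { lname[$1] = 1; luid[$3] = $1; next }
        # Second file: the first time a local name appears it is the local
        # entry itself (compat is listed before mysql), so skip it.
        ($1 in lname) && !($1 in skipped) { skipped[$1] = 1; next }
        {
            # Everything left comes from the database.
            if ($1 in lname)   report("login also exists as a local account")
            if ($3 in luid)    report("uid " $3 " collides with local account " luid[$3])
            if ($4 != gid)     report("unexpected gid " $4)
            if ($6 != home)    report("unexpected home directory " $6)
            if ($7 != wrapper) report("login shell is " $7 ", not the svnserve wrapper")
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample: two local accounts, then three database-backed entries.
sample_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'svn:x:5003:100:svn:/var/svn:/bin/sh' > "$sample_dir/passwd"
{
    cat "$sample_dir/passwd"
    printf '%s\n' \
        'user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper' \
        'user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper' \
        'root:x:5004:100:Some One:/false/path:/bin/bash'
} > "$sample_dir/getent"
audit_nss_accounts "$sample_dir/passwd" "$sample_dir/getent" || true
```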

h3. Authorize ssh pam to use mysql

7. Add these lines in @/etc/pam.d/ssh@:

<pre>
auth sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4
</pre>

Place them just before this line:

  @include common-auth

8. Test this against an existing Redmine user

Try to connect to the SVN host using your Redmine username and password:

  ssh redmine_username@svn_host

h3. Automating repository creation

Repository creation can be automated by running the reposman.pl script periodically.

It takes 2 arguments:

* svn-dir: path to the directory where your svn repositories are located
* redmine-host: host name of your Redmine install

Example:

<pre>
$ sudo ./reposman.pl --svn-dir=/var/svn --redmine-host=redmine.mydomain.foo
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.

fn2. You must use "./configure --with-openssl" in order to add SHA1 support to pam_mysql

fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling, ...