HowTo to handle SVN repositories creation and access control with Redmine » History » Version 4
Jean-Philippe Lang, 2007-10-14 18:39
h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repository creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done with the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system. They don’t have to be on the same host you installed Redmine on.
The following is required on your SVN host:

* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support[2]
* perl with the SOAP::Lite package

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database:

<pre>
mysql --user=redmine_user redmine_database -p < create_views.sql
</pre>

2. Grant privileges on these views:

<pre>
mysql --user=root
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>

h3. Configuring nss-mysql on your SVN server

3. Create the /etc/nss-mysql.conf as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.uid;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper

<pre>
sudo install svnserve.wrapper /usr/local/bin
</pre>

5. Change /etc/nsswitch.conf

Add “mysql” at the end of the passwd and group lines, like this:

<pre>
passwd: compat mysql
group: compat mysql
</pre>

6. Test that all of this works:

You must have users in at least one project to verify this.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
projet redmine 1:x:5001:
projet redmine 2:x:5002:
</pre>

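The check in step 6 can be scripted. The following is an added example, not part of the original page or of Redmine's /extra/svn scripts: it reads passwd-format lines and flags any account served from the Redmine views whose shell is not the wrapper set in step 3, or whose login or UID collides with a local account (nsswitch.conf lists compat before mysql, so a colliding name resolves to the local entry). The function name, the finding labels and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not one of Redmine's /extra/svn scripts).
# Audits passwd-format lines, e.g. the output of `getent passwd`.
# Assumption from the nss-mysql.conf in step 3: accounts served from the
# Redmine views have home "/false/path" and must use the wrapper shell.
WRAPPER="/usr/local/bin/svnserve.wrapper"
REDMINE_HOME="/false/path"

# Reads passwd lines on stdin and prints one finding per line.
# Returns 0 when nothing is wrong, 1 otherwise.
audit_redmine_accounts() {
    awk -F: -v wrapper="$WRAPPER" -v home="$REDMINE_HOME" '
        $6 == home {                       # entry served by nss-mysql
            seen++
            redmine_uid[$1] = $3
            if ($7 != wrapper) { printf "BAD_SHELL %s %s\n", $1, $7; bad++ }
            next
        }
        { local_name[$1] = 1; local_uid[$3] = $1 }   # any other entry
        END {
            for (n in redmine_uid) {
                if (n in local_name) { printf "DUP_NAME %s\n", n; bad++ }
                u = redmine_uid[n]
                if (u in local_uid) { printf "DUP_UID %s %s=%s\n", u, n, local_uid[u]; bad++ }
            }
            if (!seen) { print "NO_REDMINE_ACCOUNTS"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input (not real accounts).
SAMPLE='root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/bin/bash
backup:x:5004:100:backup:/false/path:/usr/local/bin/svnserve.wrapper'

printf '%s\n' "$SAMPLE" | audit_redmine_accounts || true
```

On the SVN host, run it as @getent passwd | audit_redmine_accounts@.
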
h3. Authorize ssh pam to use mysql

7. Add these lines in @/etc/pam.d/ssh@:

<pre>
auth sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4
</pre>

Just before:

<pre>
@include common-auth
</pre>

8. Test this against an existing Redmine user

Try to connect to the SVN host using your Redmine username and password:

<pre>
ssh redmine_username@svn_host
</pre>

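Steps 3 and 7 both write a MySQL password into a file on the SVN host, and the redmine_pam account can read the password column of ssh_users. The following added example (not part of the original page or of Redmine's scripts) reports a PAM file that carries a pam_mysql passwd= option while being accessible to group or other, and a password shared between the nss-mysql configuration and the PAM file, as with the placeholder values above. The function names, finding labels and demo files are constructed; it assumes sshd reads the PAM file as root.

```shell
#!/bin/sh
# Added example (not one of Redmine's /extra/svn scripts).
# Audits the two files in which this HowTo stores MySQL passwords.
# Assumption: sshd reads the PAM file as root, so it needs no group/other access.

# Print the users.db_password value of an nss-mysql.conf style file.
nss_password() {
    sed -n 's/^[[:space:]]*users\.db_password[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print each distinct passwd= value in a PAM file (options may sit on
# backslash-continued lines, so split on blanks and backslashes first).
pam_passwords() {
    tr -s ' \t\\' '\n\n\n' < "$1" | sed -n 's/^passwd=//p' | sort -u
}

# Returns 0 when clean, 1 on any finding. Passwords are never printed.
audit_db_secrets() {
    nss_conf=$1; pam_file=$2; findings=0
    perms=$(ls -ld "$pam_file" | cut -c5-10)    # group and other bits
    if [ -n "$(pam_passwords "$pam_file")" ] && [ "$perms" != "------" ]; then
        echo "EXPOSED $pam_file group/other=$perms"; findings=1
    fi
    nss_pw=$(nss_password "$nss_conf")
    if [ -n "$nss_pw" ] && pam_passwords "$pam_file" | grep -qxF -e "$nss_pw"; then
        echo "REUSED_PASSWORD $nss_conf $pam_file"; findings=1
    fi
    return "$findings"
}

# Constructed demo files mirroring steps 3 and 7 (same password in both).
demo() {
    dir=$(mktemp -d) || return 2
    printf 'users.db_user = redmine_nss;\nusers.db_password = averylongpassword;\n' > "$dir/nss-mysql.conf"
    printf 'auth sufficient pam_mysql.so \\\n    user=redmine_pam \\\n    passwd=averylongpassword \\\n    crypt=4\n' > "$dir/ssh"
    chmod 644 "$dir/ssh"
    status=0
    audit_db_secrets "$dir/nss-mysql.conf" "$dir/ssh" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || true
```

On the SVN host, run it as root with @audit_db_secrets /etc/nss-mysql.conf /etc/pam.d/ssh@.
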
h3. Automating repository creation

Repository creation can be automated by running the reposman.pl script periodically.

It takes 2 arguments:

* svn-dir: path to the directory where your SVN repositories are located
* redmine-host: host name of your Redmine install

Example:

<pre>
$ sudo ./reposman.pl --svn-dir=/var/svn --redmine-host=redmine.mydomain.foo
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.

fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling, ...

fn2. You must use "./configure --with-openssl" in order to add SHA1 support to pam_mysql