Version 4 - History - HowTo to handle SVN repositories creation and access control with Redmine - Redmine

HowTo to handle SVN repositories creation and access control with Redmine » History » Version 4

Jean-Philippe Lang, 2007-10-14 18:39

-Jean-Philippe Lang
+h1. HowTo to handle SVN repositories creation and access control with Redmine
 Jean-Philippe Lang
-Jean-Philippe Lang
+{{>TOC}}
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Overview
 Jean-Philippe Lang
-Jean-Philippe Lang
+*This setup is not required if you just need to browse your repositories and changesets from Redmine.*
 Jean-Philippe Lang
-Jean-Philippe Lang
+As of version 0.5.0, Redmine is able to handle Subversion repositories creation and access control.
 Jean-Philippe Lang
-Jean-Philippe Lang
+Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using ssh+svn, according to their permissions defined in Redmine :
 Jean-Philippe Lang
-Jean-Philippe Lang
+* for public projects : read access to the repository for any user, write access for project members only,
-Jean-Philippe Lang
+* for private projects : read/write access allowed to project members only.
 Jean-Philippe Lang
-Jean-Philippe Lang
+User authentication is done with the same login/password as for Redmine access.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Requirements
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Software
 Jean-Philippe Lang
-Jean-Philippe Lang
+You need Redmine 0.5.0 or higher, running with MySQL[1].
 Jean-Philippe Lang
-Jean-Philippe Lang
+Your SVN repositories must be hosted on a *nix system. They don’t have to be on the same host you installed Redmine on.
-Jean-Philippe Lang
+Is required on your SVN host :
 Jean-Philippe Lang
-Jean-Philippe Lang
+    * nss_mysql
-Jean-Philippe Lang
+    * pam_mysql 0.7pre2 or higher, compiled with SHA1 support[2]
-Jean-Philippe Lang
+    * perl with SOAP::Lite package
 Jean-Philippe Lang
-Jean-Philippe Lang
+Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Network considerations
 Jean-Philippe Lang
-Jean-Philippe Lang
+The SVN host must be able to access both the redMine database and HTTP server(s). In many cases, they will all be located on the same host.
 Jean-Philippe Lang
-Jean-Philippe Lang
+h2. Setup
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Preparing the Redmine database
 Jean-Philippe Lang
-Jean-Philippe Lang
+Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Create the different views in your Redmine database :
 Jean-Philippe Lang
-Jean-Philippe Lang
+  mysql --user=redmine_user redmine_database -p < create_views.sql
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Grant privileges on these views:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+mysql --user=root
-Jean-Philippe Lang
+mysql> create user redmine_nss@localhost identified by 'averylongpassword';
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
-Jean-Philippe Lang
+mysql> create user redmine_pam@localhost identified by 'averylongpassword';
-Jean-Philippe Lang
+mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Configuring nss-mysql on your SVN server
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Create the /etc/nss-mysql.conf as follows:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+conf.version = 2;
-Jean-Philippe Lang
+users.host = inet:localhost:3306;
-Jean-Philippe Lang
+users.database = redmine;
-Jean-Philippe Lang
+users.db_user = redmine_nss;
-Jean-Philippe Lang
+users.db_password = averylongpassword;
-Jean-Philippe Lang
+users.backup_database = nss_mysql_backup;
-Jean-Philippe Lang
+users.table = nss_users;
-Jean-Philippe Lang
+users.user_column = nss_users.username;
-Jean-Philippe Lang
+users.userid_column = nss_users.uid;
-Jean-Philippe Lang
+users.uid_column = nss_users.uid;
-Jean-Philippe Lang
+users.gid_column = 100;
-Jean-Philippe Lang
+users.realname_column = nss_users.realname;
-Jean-Philippe Lang
+users.homedir_column = "/false/path";
-Jean-Philippe Lang
+users.shell_column = "/usr/local/bin/svnserve.wrapper";
-Jean-Philippe Lang
+groups.group_info_table = nss_groups;
-Jean-Philippe Lang
+groups.group_name_column = nss_groups.name;
-Jean-Philippe Lang
+groups.groupid_column = nss_groups.gid;
-Jean-Philippe Lang
+groups.gid_column = nss_groups.gid;
-Jean-Philippe Lang
+groups.password_column = "x";
-Jean-Philippe Lang
+groups.members_table = nss_grouplist;
-Jean-Philippe Lang
+groups.member_userid_column = nss_grouplist.username;
-Jean-Philippe Lang
+groups.member_groupid_column = nss_grouplist.gid;
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Install the svnserve wrapper
 Jean-Philippe Lang
-Jean-Philippe Lang
+  sudo install svnserve.wrapper /usr/local/bin
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Change /etc/nsswitch.conf
 Jean-Philippe Lang
-Jean-Philippe Lang
+Add “mysql” at the end of the two lines passwd and group like that :
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+passwd:         compat mysql
-Jean-Philippe Lang
+group:          compat mysql
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Test that all this stuff works :
 Jean-Philippe Lang
-Jean-Philippe Lang
+You must have users in some project to verify.
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+% getent passwd
-Jean-Philippe Lang
+[...]
-Jean-Philippe Lang
+user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
-Jean-Philippe Lang
+user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper
 Jean-Philippe Lang
-Jean-Philippe Lang
+% getent group
-Jean-Philippe Lang
+[...]
-Jean-Philippe Lang
+projet redmine 1:x:5001:
-Jean-Philippe Lang
+projet redmine 2:x:5002:
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Authorize ssh pam to use mysql
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Add these lines in @/etc/pam.d/ssh@ :
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+auth sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
 Jean-Philippe Lang
-Jean-Philippe Lang
+account sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
 Jean-Philippe Lang
-Jean-Philippe Lang
+password sufficient pam_mysql.so \
-Jean-Philippe Lang
+verbose=1 \
-Jean-Philippe Lang
+user=redmine_pam \
-Jean-Philippe Lang
+passwd=averylongpassword \
-Jean-Philippe Lang
+host=localhost \
-Jean-Philippe Lang
+db=redmine \
-Jean-Philippe Lang
+table=ssh_users \
-Jean-Philippe Lang
+usercolumn=username \
-Jean-Philippe Lang
+passwdcolumn=password crypt=4
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+Juste before
 Jean-Philippe Lang
-Jean-Philippe Lang
+  @include common-auth
 Jean-Philippe Lang
-Jean-Philippe Lang
+. Test this against an existing Redmine user
 Jean-Philippe Lang
-Jean-Philippe Lang
+Try to connect to the SVN host using your Redmine username and password:
 Jean-Philippe Lang
-Jean-Philippe Lang
+  ssh redmine_username@svn_host
 Jean-Philippe Lang
-Jean-Philippe Lang
+h3. Automating repository creation
 Jean-Philippe Lang
-Jean-Philippe Lang
+Repository creation can be automated by running periodically the reposman.pl script.
 Jean-Philippe Lang
-Jean-Philippe Lang
+It takes 2 arguments :
 Jean-Philippe Lang
-Jean-Philippe Lang
+    * svn-dir : path to the directory where your svn repositories are located
-Jean-Philippe Lang
+    * redmine-host : host name of your Redmine install
 Jean-Philippe Lang
-Jean-Philippe Lang
+Example:
 Jean-Philippe Lang
-Jean-Philippe Lang
+<pre>
-Jean-Philippe Lang
+$ sudo ./reposman.pl --svn-dir=/var/svn --redmine-host=redmine.mydomain.foo
-Jean-Philippe Lang
+repository /var/svn/project2 created
-Jean-Philippe Lang
+repository /var/svn/project1 created
-Jean-Philippe Lang
+mode change on /var/svn/project3
-Jean-Philippe Lang
+</pre>
 Jean-Philippe Lang
-Jean-Philippe Lang
+Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
-Jean-Philippe Lang
+To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.
 Jean-Philippe Lang
-Jean-Philippe Lang
+fn2. You must use "./configure --with-openssl" in order to add SHA1 support to pam_mysql
 Jean-Philippe Lang
-Jean-Philippe Lang
+fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling, ...