HowTo to handle SVN repositories creation and access control with Redmine » History » Version 8
Jean-Philippe Lang, 2007-10-14 19:16
h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repositories creation and access control.

Once you've done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using svn+ssh, according to their permissions defined in Redmine:

* for public projects: read access to the repository for any user, write access for project members only,
* for private projects: read/write access allowed to project members only.

User authentication is done using the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system with the following packages:
* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

In this HowTo, we assume that:
* the redmine database is called @redmine@ and hosted on @localhost@
* the Subversion repositories are located in @/var/svn@

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Installing required packages

Get nss_mysql and the other necessary packages:

<pre>
apt-get install build-essential libnss-mysql libpam0g-dev libssl-dev
</pre>

Get and build @pam_mysql@:

<pre>
$ cd /usr/src
$ wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
$ tar xzf pam_mysql-0.7RC1.tar.gz
$ cd pam_mysql-0.7RC1
$ ./configure --with-openssl
$ make && make install
</pre>

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database:

<pre>
mysql --user=root redmine -p < create_views.sql
</pre>

2. Create and grant privileges to 2 new mysql users (@redmine_nss@ and @redmine_pam@). Each one only gets SELECT on the views it needs:

<pre>
mysql --user=root -p
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>

h3. Configuring nss-mysql

3. Create /etc/nss-mysql.conf as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.uid;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper:

<pre>
sudo install svnserve.wrapper /usr/local/bin
</pre>

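The wrapper installed in step 4 is the login shell every Redmine user gets (it is the shell field in the @getent passwd@ output below), so it is the one place where an SSH session can be restricted to Subversion traffic. The page does not show its contents; the script below is an added illustration, not Redmine's own @svnserve.wrapper@, and it assumes @svnserve@ is at @/usr/bin/svnserve@ and repositories live under @/var/svn@:

```shell
#!/bin/sh
# Restrictive login shell for Redmine SVN users (added illustration,
# not Redmine's own svnserve.wrapper). For svn+ssh, sshd runs the
# user's shell as:   $SHELL -c "svnserve -t"
# so $1 is "-c" and $2 is the client's command line.
# Assumed locations (not stated on the page):
SVNSERVE=/usr/bin/svnserve
SVN_ROOT=/var/svn

# Returns 0 if the requested command is the svn tunnel (or an interactive
# login, which the page's ssh test shows also ends up in svnserve), and 1
# otherwise, so scp, sftp and arbitrary commands never get a shell.
svn_wrapper_allowed() {
    case "$1" in
        "svnserve -t"|"") return 0 ;;
        *) return 1 ;;
    esac
}

wrapper_main() {
    cmd=""
    if [ "$1" = "-c" ]; then
        cmd=$2
    elif [ $# -ne 0 ]; then
        cmd=$*
    fi
    if ! svn_wrapper_allowed "$cmd"; then
        echo "svnserve.wrapper: only 'svnserve -t' is permitted" >&2
        exit 1
    fi
    # Files created by a commit in a group-shared repository must stay
    # group-writable, otherwise the next member's commit fails.
    umask 002
    # -r pins the root: svn+ssh://host/project1 maps to /var/svn/project1
    # and a client cannot name a repository outside $SVN_ROOT.
    exec "$SVNSERVE" -t -r "$SVN_ROOT"
}

# Only act when installed under this name; sourcing the file elsewhere
# just defines the functions.
case "$0" in
    */svnserve.wrapper) wrapper_main "$@" ;;
esac
```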
5. Change /etc/nsswitch.conf

Add "mysql" at the end of the two lines passwd and group, like this:

<pre>
passwd: compat mysql
group: compat mysql
</pre>

6. Test that all this works:

You must have users in some project to verify.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
project1:x:5001:
project2:x:5002:
</pre>

h3. Authorize ssh pam to use mysql

7. Add these lines in @/etc/pam.d/ssh@:

<pre>
auth sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
    verbose=1 \
    user=redmine_pam \
    passwd=averylongpassword \
    host=localhost \
    db=redmine \
    table=ssh_users \
    usercolumn=username \
    passwdcolumn=password crypt=4
</pre>

just before the existing line:

<pre>
@include common-auth
</pre>

8. Test this against an existing Redmine user

Try to connect to the SVN host using a Redmine username (e.g. jsmith):

<pre>
$ ssh jsmith@localhost
jsmith@localhost's password:
Could not chdir to home directory /false/path: No such file or directory
( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline ) ) )
</pre>

The chdir error is the expected result.

h3. Automating repository creation

Repository creation can be automated by running the reposman script periodically.

It takes 2 arguments:

* @svn-dir@: path to the directory where your svn repositories are located
* @redmine-host@: host name of your Redmine install

Perl and Ruby versions of this script are provided. The Perl version requires @libsoap-lite-perl@.

Example using the Ruby version:

<pre>
$ sudo ./reposman.rb --svn-dir=/var/svn --redmine-host=localhost
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to "Administration -> Settings" and check "Enable WS for repository management".

Make sure this option is checked if you get this error when running reposman:
@Service description 'http://localhost/sys/service.wsdl' can't be loaded: 404 Not Found@
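The access rules from the Overview are enforced on the SVN host by ordinary filesystem permissions: each repository belongs to the group that nss_groups publishes for the project (@project1@ in the @getent group@ output above), and the directory mode decides whether users outside that group may read it. The script below is an added illustration of that policy and of the "created" / "mode change" decisions seen in the reposman output; it is not reposman itself, and the 0775/0770 modes and the use of @mkdir@ in place of @svnadmin create@ are assumptions:

```shell
#!/bin/sh
# Added illustration of the permission policy the HowTo describes; the
# 0775/0770 modes and the group-per-project convention are assumptions,
# not code taken from reposman.

# Octal mode for a repository: public -> others may read (write stays
# limited to the project group), private -> project group only.
repo_mode() {
    if [ "$1" = "public" ]; then echo 0775; else echo 0770; fi
}

# Report "public" or "private" from what is on disk by looking at the
# "others" read bit; the same test decides whether a mode change is due.
repo_state_on_disk() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r*) echo public ;;
        *) echo private ;;
    esac
}

# Give the repository to the project's group and set the mode. Prints
# "created" / "mode change" / "unchanged" like the reposman log.
apply_repo_policy() {
    repo=$1; group=$2; visibility=$3
    if [ ! -d "$repo" ]; then
        mkdir -p "$repo"          # real setup: svnadmin create "$repo"
        chgrp -R "$group" "$repo"
        chmod -R "$(repo_mode "$visibility")" "$repo"
        echo "repository $repo created"
    elif [ "$(repo_state_on_disk "$repo")" != "$visibility" ]; then
        # Project switched between public and private in Redmine:
        # only the mode needs to follow.
        chmod "$(repo_mode "$visibility")" "$repo"
        echo "mode change on $repo"
    else
        echo "unchanged $repo"
    fi
}
```

Members get write access purely through the group from nss_grouplist, so a user removed from the project in Redmine loses write access at the next NSS lookup without any change on disk.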

h3. Accessing the repositories

Members of project1 are now able to access the repository using this url:

<pre>
svn+ssh://svnhost/project1
</pre>

fn1. Other databases can't be used because of various problems: no pam module, no sha1 handling, ...