HowTo to handle SVN repositories creation and access control with Redmine » History » Version 9

Version 8 (Jean-Philippe Lang, 2007-10-14 19:16) → Version 9/26 (Jean-Philippe Lang, 2007-10-14 19:33)

h1. HowTo to handle SVN repositories creation and access control with Redmine

{{>TOC}}

h2. Overview

*This setup is not required if you just need to browse your repositories and changesets from Redmine.*

As of version 0.5.0, Redmine is able to handle Subversion repositories creation and access control.

Once you’ve done this extra setup, Redmine will create the repository for each of your projects. Users will be allowed to access the repositories using ssh+svn, according to their permissions defined in Redmine :

* for public projects : read access to the repository for any user, write access for project members only,
* for private projects : read/write access allowed to project members only.

User authentication is done using the same login/password as for Redmine access.

h2. Requirements

h3. Software

You need Redmine 0.5.0 or higher, running with MySQL[1].

Your SVN repositories must be hosted on a *nix system with the following packages:
* nss_mysql
* pam_mysql 0.7pre2 or higher, compiled with SHA1 support

Scripts used in this HowTo can be found in the /extra/svn directory of Redmine.

In this HowTo, we assume that:
* the redmine database is called @redmine@ and hosted on @localhost@
* the Subversion repositories are located in @/var/svn@

h3. Network considerations

The SVN host must be able to access both the Redmine database and HTTP server(s). In many cases, they will all be located on the same host.

h2. Setup

h3. Installing requires packages

Get nss_mysql and other necessary packages:

apt-get install build-essential libnss-mysql libpam0g-dev libssl-dev

Get and build @pam_mysql@:

<pre>
$ cd /usr/src
$ wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
$ tar xzf pam_mysql-0.7RC1.tar.gz
$ cd pam_mysql-0.7RC1
$ ./configure --with-openssl
$ make && make install
</pre>

h3. Preparing the Redmine database

Some views need to be added to the Redmine database. These views are used to authenticate users and retrieve their permissions.

1. Create the different views in your Redmine database :

mysql --user=root redmine -p < create_views.sql

2. Create and grant privileges to 2 new mysql users (@redmine_nss@ and @redmine_pam@):

<pre>
mysql --user=root -p
mysql> create user redmine_nss@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.nss_groups to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_users to redmine_nss@localhost;
mysql> grant SELECT on redmine.nss_grouplist to redmine_nss@localhost;
mysql> create user redmine_pam@localhost identified by 'averylongpassword';
mysql> grant SELECT on redmine.ssh_users to redmine_pam@localhost;
</pre>

h3. Configuring nss-mysql

3. Create the /etc/nss-mysql.conf as follows:

<pre>
conf.version = 2;
users.host = inet:localhost:3306;
users.database = redmine;
users.db_user = redmine_nss;
users.db_password = averylongpassword;
users.backup_database = nss_mysql_backup;
users.table = nss_users;
users.user_column = nss_users.username;
users.userid_column = nss_users.username; nss_users.uid;
users.uid_column = nss_users.uid;
users.gid_column = 100;
users.realname_column = nss_users.realname;
users.homedir_column = "/false/path";
users.shell_column = "/usr/local/bin/svnserve.wrapper";
groups.group_info_table = nss_groups;
groups.group_name_column = nss_groups.name;
groups.groupid_column = nss_groups.gid;
groups.gid_column = nss_groups.gid;
groups.password_column = "x";
groups.members_table = nss_grouplist;
groups.member_userid_column = nss_grouplist.username;
groups.member_groupid_column = nss_grouplist.gid;
</pre>

4. Install the svnserve wrapper

sudo install svnserve.wrapper /usr/local/bin

5. Change /etc/nsswitch.conf

Add “mysql” at the end of the two lines passwd and group like that :

<pre>
passwd: compat mysql
group: compat mysql
</pre>

6. Test that all this stuff works :

You must have users in some project to verify.

<pre>
% getent passwd
[...]
user1:x:5002:100:user1 user1:/false/path:/usr/local/bin/svnserve.wrapper
user2:x:5003:100:user2 user2:/false/path:/usr/local/bin/svnserve.wrapper

% getent group
[...]
project1:x:5001:
project2:x:5002:
</pre>

h3. Authorize ssh pam to use mysql

7. Add these lines in @/etc/pam.d/ssh@ :

<pre>
auth sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

account sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

password sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=averylongpassword \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4
</pre>

Juste before

@include common-auth

8. Test this against an existing Redmine user

Try to connect to the SVN host using a Redmine username (eg. jsmith):

<pre>
$ ssh jsmith@localhost
jsmith@localhost's password:
Could not chdir to home directory /false/path: No such file or directory
( success ( 1 2 ( ANONYMOUS EXTERNAL ) ( edit-pipeline ) ) )
</pre>

The chdir error is the expected result.

h3. Automating repository creation

Repository creation can be automated by running periodically the reposman script.

It takes 2 arguments:

* @svn-dir@: path to the directory where your svn repositories are located
* @redmine-host@: host name of your Redmine install

Perl and Ruby versions of this script are provided. The Perl version requires @libsoap-lite-perl@.

Example using the Ruby version:

<pre>
$ sudo ./reposman.rb --svn-dir=/var/svn --redmine-host=localhost
repository /var/svn/project2 created
repository /var/svn/project1 created
mode change on /var/svn/project3
</pre>

Projects are retrieved from Redmine using a SOAP web service. This web service is disabled by default in Redmine.
To enable it, go to “Administration -> Settings” and check “Enable WS for repository management”.

Make sure this option is checked if you get this error when running reposman:
@Service description 'http://localhost/sys/service.wsdl' can't be loaded: 404 Not Found@

h3. Accessing the repositories

Members of project1 are now able to access the repository using this url:

svn+ssh://svnhost/project1

fn1. Other databases can’t be used because of various problems: no pam module, no sha1 handling,...