Repositories access control with apache mod dav svn and mod perl » History » Version 33

neil johnson, 2011-11-13 06:59

h1. Repositories access control with apache, mod_dav_svn and mod_perl

{{>TOC}}

h2. Overview

In this documentation, we will configure apache to delegate authentication to mod_perl. It is tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with almost every database for which there is a perl DBD module. Apache2 with the high speed thread model (@apache2-mpm-worker@) might not load Perl correctly.

You need a working apache on your SVN server and you must install some modules: at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for your database, as it should work on almost all databases).

On Debian/ubuntu you can do:

<pre>
sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl
</pre>

If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.

h2. Enabling apache modules

On debian/ubuntu:

<pre>
sudo a2enmod dav
sudo a2enmod dav_svn # if you want to use svn
sudo a2enmod dav_fs  # if you want to use git
sudo a2enmod perl
</pre>

h2. Apache configuration for Subversion repositories

You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@

Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):

* the old how-to, which suggested two separate locations @/svn@ and @/svn-private@, can be avoided
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
* read access from the redmine server or any validated user
* write access only for validated users

<pre>
   # /svn location for users
   PerlLoadModule Apache::Redmine
   <Location /svn>
     DAV svn
     SVNParentPath "/var/svn"
     Order deny,allow
     Deny from all
     Satisfy any

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
     AuthType Basic
     AuthName "Redmine SVN Repository"

     # read-only access: a valid user OR a request from the redmine server
     <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
        Allow from redmine.server.ip
        # Allow from another-ip
        Satisfy any
     </Limit>
     # write access: a valid user only
     <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
     </LimitExcept>

     ## for mysql
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
     ## for postgres
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
     ## for SQLite3
     # RedmineDSN "DBI:SQLite:dbname=database.db"

     RedmineDbUser "redmine"
     # the password is stored in clear text: keep this file readable by root and the apache user only
     RedmineDbPass "password"
   </Location>
</pre>

h3. Testing the configuration

After reloading the apache configuration, you can try to browse a repository with:

<pre>
svn ls http://my.svn.server/svn/myproject
</pre>

Any non-public repository should ask for a username and password.

To test the authentication that allows your redmine server to read all repositories, run the following from the redmine server (the host listed in the @Allow from@ line of the read-only @<Limit>@ block):

Reading a private repository:
<pre>
svn ls http://my.svn.server/svn/myproject
</pre>
Try writing to the repository:
<pre>
svn mkdir http://my.svn.server/svn/myproject/testdir
</pre>
This should fail and ask for a password.
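To turn the manual checks above into a repeatable test, here is an added shell script (not part of the original wiki page) that probes the @/svn@ policy with curl from a client host and compares the observed status codes with what the Limit/LimitExcept blocks are meant to produce. The base URL and the two project identifiers are placeholders, and authenticated requests rely on a @~/.netrc@ entry for the server, as in the page's own curl test.

```shell
#!/bin/sh
# Added example, not from the original wiki page: probes the /svn policy
# (reads for the redmine server or a valid user, writes for a valid user,
# anonymous reads only on public projects) and checks the status codes.
# Assumed: curl installed; SVN_BASE/PUBLIC_REPO/PRIVATE_REPO are placeholders;
# run from a client host, NOT from the redmine server (whose IP may read all);
# authenticated requests use this server's entry in ~/.netrc.
SVN_BASE="${SVN_BASE:-http://my.svn.server/svn}"
PUBLIC_REPO="${PUBLIC_REPO:-public-project}"     # placeholder identifier
PRIVATE_REPO="${PRIVATE_REPO:-private-project}"  # placeholder identifier

# Expected status for (who, method, visibility): read methods are those
# in the <Limit> block, anything else falls under <LimitExcept>.
expected_code() {
  who=$1 method=$2 kind=$3
  case "$method" in
    GET|PROPFIND|OPTIONS|REPORT) is_read=1 ;;
    *) is_read=0 ;;
  esac
  if [ "$who" = anonymous ]; then
    # "Deny from all" + "Satisfy any" forces authentication for all but
    # anonymous reads of public projects, which Redmine.pm lets through.
    if [ "$is_read" = 1 ] && [ "$kind" = public ]; then echo 200; else echo 401; fi
  else
    echo 200  # a valid user with browse access can read any repository
  fi
}

# Send one request and return only the HTTP status code.
probe() {
  who=$1 method=$2 url=$3
  if [ "$who" = anonymous ]; then auth=""; else auth="--netrc"; fi
  curl -s -o /dev/null -w '%{http_code}' $auth -X "$method" "$url"
}

# Run the probe matrix; one line per check, non-zero exit on any mismatch.
run_checks() {
  rc=0
  for spec in "anonymous OPTIONS public" "anonymous OPTIONS private" \
              "anonymous MKCOL private" "user OPTIONS private"; do
    set -- $spec
    repo=$PRIVATE_REPO; [ "$3" = public ] && repo=$PUBLIC_REPO
    want=$(expected_code "$1" "$2" "$3")
    got=$(probe "$1" "$2" "$SVN_BASE/$repo/")
    if [ "$got" = "$want" ]; then res=ok; else res=FAIL; rc=1; fi
    printf '%-4s %-9s %-7s %-7s want=%s got=%s\n' "$res" "$1" "$2" "$3" "$want" "$got"
  done
  return $rc
}
if [ "${RUN_SVN_CHECKS:-0}" = 1 ]; then run_checks; fi  # only probe when asked
```

Run it with @RUN_SVN_CHECKS=1 SVN_BASE=http://my.svn.server/svn PUBLIC_REPO=... PRIVATE_REPO=... sh check-svn-policy.sh@; a FAIL line for the anonymous MKCOL case means writes are reachable without credentials.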


h3. Optional LDAP authentication

If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.

> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
> 
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because Authen::Simple::LDAP did not require the Net::LDAP module as a dependency, but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@), but Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
> 
> My second point is related to the Apache config below. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line, which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.

<pre>
   PerlLoadModule Apache::Redmine
   PerlLoadModule  Authen::Simple::LDAP
   # PerlLoadModule  IO::Socket::SSL
   <Location /svn>
     DAV svn
     SVNParentPath "/var/svn"

     AuthType Basic
     AuthName redmine
     Require valid-user

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler

     ## for mysql
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
     ## for postgres
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"

     RedmineDbUser "redmine"
     RedmineDbPass "password"
     # Cache the last 50 auth entries
     RedmineCacheCredsMax 50
   </Location>
</pre>


h2. Apache configuration for Git repositories

Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way as subversion.

You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then add this configuration to apache:

<pre>
Alias /git /var/git

PerlLoadModule Apache::Redmine
<Location /git>
  DAV on

  AuthType Basic
  Require valid-user
  AuthName "Git"

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler

  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
  RedmineDbUser "redmine"
  RedmineDbPass "password"
</Location>

Alias /git-private /var/git

<Location /git-private>
   Order deny,allow
   Deny from all
   <Limit GET PROPFIND OPTIONS REPORT>
      Options Indexes FollowSymLinks MultiViews
      Allow from 127.0.0.1
   </Limit>
</Location>
</pre>

To verify that you can access a repository through Redmine.pm, you can use curl:
<pre>
% curl --netrc --location http://localhost/git/ecookbook/HEAD
ref: refs/heads/master
</pre>


h2. Apache configuration for Mercurial repositories

Create a file called "hgweb.config" in the same folder as "hgwebdir.cgi". This folder will be the root repository folder. Then edit the "hgweb.config" with something like this:

<pre>
[paths]
/=/path/to/root/repository/**

[web]
allow_push = *
allowbz2 = yes
allowgz = yes
allowzip = yes
</pre>

Follow the instructions to install Redmine.pm as described above and configure your apache like this:

<pre>
    RewriteEngine on
    # same module as for Subversion and Git above (/usr/lib/perl5/Apache/Redmine.pm)
    PerlLoadModule Apache::Redmine
    PerlLoadModule Authen::Simple::LDAP
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
    <Location /hg>
        AuthType Basic
        AuthName "Mercurial"
        Require valid-user

        #Redmine auth
        PerlAccessHandler Apache::Authn::Redmine::access_handler
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
        RedmineDbUser "DB_USER"
        RedmineDbPass "DB_PASSWD"
    </Location>
</pre>


h2. Gotchas

If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed, with some interesting dump in the log as a result.

Example:
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
(if your repository is named rm-code)