Project

General

Profile

Repositories access control with apache mod dav svn and mod perl » History » Version 41

Zack s, 2012-02-10 10:28

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 37 Mischa The Evil
  sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl libauthen-simple-ldap-perl
14 1 Nicolas Chuche
15 41 Zack s
On Turnkey Redmine Virtual Appliance you can do :
16 40 Zack s
17
  apt-get install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libauthen-simple-ldap-perl
18
19 37 Mischa The Evil
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
20 1 Nicolas Chuche
21
h2. Enabling apache modules
22
23
On debian/ubuntu :
24
25
<pre>
26 15 Jean-Philippe Lang
sudo a2enmod dav
27 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
28
sudo a2enmod dav_fs  # if you want to use git
29 15 Jean-Philippe Lang
sudo a2enmod perl
30 4 Jean-Philippe Lang
</pre>
31 1 Nicolas Chuche
32 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
33 1 Nicolas Chuche
34
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
35 37 Mischa The Evil
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
36
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
37
38 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
39 1 Nicolas Chuche
40 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
41
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
42
* read access from the redmine-server or any validated user
43
* write access only validated users
44 15 Jean-Philippe Lang
45 17 Joachim Fritschi
46 15 Jean-Philippe Lang
<pre>
47 1 Nicolas Chuche
   # /svn location for users
48
   PerlLoadModule Apache::Redmine
49
   <Location /svn>
50
     DAV svn
51 19 Joachim Fritschi
     SVNParentPath "/var/svn"
52 17 Joachim Fritschi
     Order deny,allow
53
     Deny from all
54
     Satisfy any
55 1 Nicolas Chuche
56
     PerlAccessHandler Apache::Authn::Redmine::access_handler
57
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
58 17 Joachim Fritschi
     AuthType Basic
59 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
60 17 Joachim Fritschi
61
     #read-only access	
62
     <Limit GET PROPFIND OPTIONS REPORT>
63 19 Joachim Fritschi
        Require valid-user
64 17 Joachim Fritschi
        Allow from redmine.server.ip
65
        # Allow from another-ip
66
     	Satisfy any
67
     </Limit>
68
     # write access
69
     <LimitExcept GET PROPFIND OPTIONS REPORT>
70
   	Require valid-user
71
     </LimitExcept>
72
73
74 1 Nicolas Chuche
     ## for mysql
75
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
76 4 Jean-Philippe Lang
     ## for postgres
77 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
78 4 Jean-Philippe Lang
     ## for SQLite3
79 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
80
81
     RedmineDbUser "redmine"
82
     RedmineDbPass "password"
83
  </Location>
84
85
</pre>
86
87 17 Joachim Fritschi
h3. Testing the configuration:
88 1 Nicolas Chuche
89 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
90
91 1 Nicolas Chuche
<pre>
92
svn ls http://my.svn.server/svn/myproject
93 4 Jean-Philippe Lang
</pre>
94 1 Nicolas Chuche
95 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
96 4 Jean-Philippe Lang
97 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
98 1 Nicolas Chuche
99 17 Joachim Fritschi
Reading a private repository:
100 3 Jean-Philippe Lang
<pre>
101 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
102
</pre>
103
Try writing to the repository:
104
<pre>
105
svn mkdir http://my.svn.server/svn/myproject/testdir
106
</pre>
107
This should fail and ask for a password.
108
109
110
h3. optional LDAP Authentication
111
112
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
113
114 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
115
> 
116 1 Nicolas Chuche
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
117
> 
118 37 Mischa The Evil
119
To install the Authen::Simple::LDAP using CPAN use commands:
120
<pre>
121
cpan
122
cpan> install Authen::Simple::LDAP
123
</pre>
124
if the installation failed due to some dependencies, resolve the dependencies first.
125
126 20 Stefan Stefansson
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
127
128 17 Joachim Fritschi
<pre>
129 8 Nicolas Chuche
   PerlLoadModule Apache::Redmine
130 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
131
   # PerlLoadModule  IO::Socket::SSL
132 12 Todd Nine
   <Location /svn>
133
     DAV svn
134
     SVNParentPath "/var/svn"
135
136
     AuthType Basic
137
     AuthName redmine
138
     Require valid-user
139
140
     PerlAccessHandler Apache::Authn::Redmine::access_handler
141
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
142
  
143
     ## for mysql
144
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
145
     ## for postgres
146
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
147
148 1 Nicolas Chuche
     RedmineDbUser "redmine"
149 12 Todd Nine
     RedmineDbPass "password"
150
     #Cache the last 50 auth entries
151
     RedmineCacheCredsMax 50
152 15 Jean-Philippe Lang
  </Location>
153 12 Todd Nine
</pre>
154 36 neil johnson
155 1 Nicolas Chuche
h2. Apache configuration for Git repositories
156 38 Lluís Vilanova
157
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]]
158 15 Jean-Philippe Lang
159 1 Nicolas Chuche
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
160
161
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
162
163
<pre>
164
165 37 Mischa The Evil
PerlLoadModule Apache::Authn::Redmine
166 1 Nicolas Chuche
167 37 Mischa The Evil
SetEnv GIT_PROJECT_ROOT /path/to/git/repos
168
SetEnv GIT_HTTP_EXPORT_ALL
169
170
ScriptAlias /git/ /usr/bin/git-http-backend/
171
172
<Location /git>
173 8 Nicolas Chuche
  AuthType Basic
174
  Require valid-user
175 1 Nicolas Chuche
  AuthName "Git"
176 8 Nicolas Chuche
177
  PerlAccessHandler Apache::Authn::Redmine::access_handler
178
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
179 1 Nicolas Chuche
180 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
181
  RedmineDbUser "redmine"
182
  RedmineDbPass "password"
183 37 Mischa The Evil
  RedmineGitSmartHttp yes
184 8 Nicolas Chuche
</Location>
185
186
Alias /git-private /var/git
187
188
<Location /git-private>
189
   Order deny,allow
190
   Deny from all
191
   <Limit GET PROPFIND OPTIONS REPORT>
192
      Options Indexes FollowSymLinks MultiViews
193
   Allow from 127.0.0.1
194
   </Limit>
195
</Location>
196
</pre>
197
198
To verify that you can access repository through Redmine.pm, you can use curl :
199
<pre>
200
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
201 13 Thomas Pihl
ref: refs/heads/master
202
</pre>
203
204 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
205
206 39 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]]
207
208 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
209
210
<pre>
211
[paths]
212
/=/path/to/root/repository/**
213
214
[web]
215
allow_push = *
216
allowbz2 = yes
217
allowgz = yes
218
allowzip = yes
219
220
</pre>
221
222
Follows the instructions to install Redmine.pm as described and configure your apache like this.
223
224
<pre>
225
    RewriteEngine on
226
    PerlLoadModule Apache2::Redmine
227
    PerlLoadModule Authen::Simple::LDAP
228
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
229
    <Location /hg>
230
        AuthType Basic
231
        AuthName "Mercurial"
232
        Require valid-user
233 1 Nicolas Chuche
234
        #Redmine auth
235
        PerlAccessHandler Apache::Authn::Redmine::access_handler
236
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
237
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
238
        RedmineDbUser "DB_USER"
239
        RedmineDbPass "DB_PASSWD"
240
    </Location>
241 37 Mischa The Evil
242
    # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur.
243
    Alias /private-hg /path/to/hg/repos
244
    
245
    <Location /private-hg>
246
        Order deny, allow
247
        Deny from all
248
        <Limit GET PROPFIND OPTIONS REPORT>
249
            Options Indexes FollowSymLinks MultiViews
250
            Allow from 127.0.0.1
251
        </Limit>
252
    </Location>
253
254 22 Diego Oliveira
255 1 Nicolas Chuche
</pre>
256 22 Diego Oliveira
257
h2. Gotchas
258 13 Thomas Pihl
259
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
260
Example: 
261 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
262
(if your repo are named rm-code)
263 27 Bill Dieter
264 37 Mischa The Evil
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.