Project

General

Profile

Repositories access control with apache mod dav svn and mod perl » History » Version 47

Jim McAleer, 2019-06-12 06:20

1 16 Jean-Philippe Lang
h1. Repositories access control with apache, mod_dav_svn and mod_perl
2 1 Nicolas Chuche
3 2 Nicolas Chuche
{{>TOC}}
4
5 4 Jean-Philippe Lang
h2. Overview
6 1 Nicolas Chuche
7 23 Eric Davis
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.  Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@).
8 1 Nicolas Chuche
9
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
10 4 Jean-Philippe Lang
11 15 Jean-Philippe Lang
On Debian/ubuntu you can do :
12 11 Shaun Mangelsdorf
13 43 James Ang
<pre>sudo aptitude install libapache2-svn libapache-dbi-perl \
14
libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl \
15
libauthen-simple-ldap-perl</pre>
16 41 Zack s
17 1 Nicolas Chuche
On Turnkey Redmine Virtual Appliance you can do :
18
19 43 James Ang
<pre>apt-get install libapache2-svn libapache-dbi-perl \
20
libapache2-mod-perl2 libauthen-simple-ldap-perl</pre>
21 40 Zack s
22 47 Jim McAleer
On Turnkey Redmine Virtual Appliance v 15.0 and greater you can do :
23
24
<pre>
25
apt-get install libapache2-mod-svn libapache-dbi-perl libapache2-mod-perl2 libauthen-simple-ldap-perl
26
</pre>
27
28 37 Mischa The Evil
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.  For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@.
29 1 Nicolas Chuche
30
h2. Enabling apache modules
31
32
On debian/ubuntu :
33
34
<pre>
35 15 Jean-Philippe Lang
sudo a2enmod dav
36 21 Marko Roeder
sudo a2enmod dav_svn # if you want to use svn
37
sudo a2enmod dav_fs  # if you want to use git
38 15 Jean-Philippe Lang
sudo a2enmod perl
39 4 Jean-Philippe Lang
</pre>
40 1 Nicolas Chuche
41 15 Jean-Philippe Lang
h2. Apache configuration for Subversion repositories
42 1 Nicolas Chuche
43
You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@
44 37 Mischa The Evil
* Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm
45
* In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm
46
47 15 Jean-Philippe Lang
Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):
48 1 Nicolas Chuche
49 17 Joachim Fritschi
* the old how-to which suggested two separate locations for with @/svn@  and @/svn-private@ can be avoided
50
* with the @Satisfy any@ keyword from Apache you can define different authentication policies
51
* read access from the redmine-server or any validated user
52
* write access only validated users
53 15 Jean-Philippe Lang
54 17 Joachim Fritschi
55 15 Jean-Philippe Lang
<pre>
56 46 Antonio García-Domínguez
   # enables connection pooling (very useful for checkouts with many files)
57
   PerlModule Apache::DBI
58
   PerlOptions +GlobalRequest
59
60 1 Nicolas Chuche
   # /svn location for users
61
   PerlLoadModule Apache::Redmine
62
   <Location /svn>
63
     DAV svn
64 45 Friedrich Schiller
65
     ### uncomment the following line when using subversion 1.8 or newer (see http://subversion.apache.org/docs/release-notes/1.8.html#serf-skelta-default)
66
     # SVNAllowBulkUpdates Prefer
67
68 1 Nicolas Chuche
     SVNParentPath "/var/svn"
69
     Order deny,allow
70
     Deny from all
71
     Satisfy any
72 43 James Ang
     # If a client tries to svn update which involves updating many files,
73
     # the update request might result in an error Server sent unexpected
74
     # return value (413 Request  Entity Too Large) in response to REPORT
75
     # request,because the size of the update request exceeds the limit
76
     # allowed by the server. You can avoid this error by disabling the
77
     # request size limit by adding the line LimitXMLRequestBody 0
78
     # between the <Location...> and </Location> lines. 
79 42 Terence Mill
     LimitXMLRequestBody 0
80
     
81 43 James Ang
     # Only check Authentication for root path, nor again for recursive
82
     # folder.
83
     # Redmine core does only permit access on repository level, so this
84
     # doesn't hurt security. On the other hand it does boost performance
85
     # a lot!
86 42 Terence Mill
     SVNPathAuthz off
87 1 Nicolas Chuche
88
     PerlAccessHandler Apache::Authn::Redmine::access_handler
89
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
90 17 Joachim Fritschi
     AuthType Basic
91 18 Joachim Fritschi
     AuthName "Redmine SVN Repository"
92 44 F Abu-Nimeh
     AuthUserFile /dev/null
93 17 Joachim Fritschi
94
     #read-only access	
95
     <Limit GET PROPFIND OPTIONS REPORT>
96 19 Joachim Fritschi
        Require valid-user
97 17 Joachim Fritschi
        Allow from redmine.server.ip
98
        # Allow from another-ip
99
     	Satisfy any
100
     </Limit>
101
     # write access
102
     <LimitExcept GET PROPFIND OPTIONS REPORT>
103
   	Require valid-user
104
     </LimitExcept>
105
106
107 1 Nicolas Chuche
     ## for mysql
108
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
109 4 Jean-Philippe Lang
     ## for postgres
110 1 Nicolas Chuche
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
111 4 Jean-Philippe Lang
     ## for SQLite3
112 1 Nicolas Chuche
     # RedmineDSN "DBI:SQLite:dbname=database.db"
113
114
     RedmineDbUser "redmine"
115
     RedmineDbPass "password"
116
  </Location>
117
118
</pre>
119
120 17 Joachim Fritschi
h3. Testing the configuration:
121 1 Nicolas Chuche
122 17 Joachim Fritschi
After reloading apache conf, you can try to browse some repository with:
123
124 1 Nicolas Chuche
<pre>
125
svn ls http://my.svn.server/svn/myproject
126 4 Jean-Philippe Lang
</pre>
127 1 Nicolas Chuche
128 17 Joachim Fritschi
Any non-public repository should ask for a username and password.
129 4 Jean-Philippe Lang
130 17 Joachim Fritschi
To test the authentication that allows you redmine server to read all repositories:
131 1 Nicolas Chuche
132 17 Joachim Fritschi
Reading a private repository:
133 3 Jean-Philippe Lang
<pre>
134 17 Joachim Fritschi
svn ls http://my.svn.server/svn/myproject
135
</pre>
136
Try writing to the repository:
137
<pre>
138
svn mkdir http://my.svn.server/svn/myproject/testdir
139
</pre>
140
This should fail and ask for a password.
141
142
143
h3. optional LDAP Authentication
144
145
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module.
146
147 20 Stefan Stefansson
> *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.*
148
> 
149 1 Nicolas Chuche
> First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories.
150 37 Mischa The Evil
> 
151
152
To install the Authen::Simple::LDAP using CPAN use commands:
153
<pre>
154 20 Stefan Stefansson
cpan
155 1 Nicolas Chuche
cpan> install Authen::Simple::LDAP
156
</pre>
157
if the installation failed due to some dependencies, resolve the dependencies first.
158
159
> My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while.
160
161
<pre>
162 20 Stefan Stefansson
   PerlLoadModule Apache::Redmine
163 17 Joachim Fritschi
   PerlLoadModule  Authen::Simple::LDAP
164 1 Nicolas Chuche
   # PerlLoadModule  IO::Socket::SSL
165
   <Location /svn>
166 8 Nicolas Chuche
     DAV svn
167 43 James Ang
     # If a client tries to svn update which involves updating many files, the
168
     # update request might result in an error Server sent unexpected return
169
     # value (413 Request  Entity Too Large) in response to REPORT request,
170
     # because the size of the update request exceeds the limit allowed by the
171
     # server. You can avoid this error by disabling the request size limit by
172
     # adding the line LimitXMLRequestBody 0 between the <Location...> and
173
     # </Location> lines. 
174 42 Terence Mill
     LimitXMLRequestBody 0
175
     
176
     # Only check Authentification for root path, nor again for recursive folder
177 43 James Ang
     # Redmine core does only permit acces on repository level, so this doesn't
178
     # hurt security. On the other hand it does boost performance a lot!
179 42 Terence Mill
     SVNPathAuthz off
180
181 12 Todd Nine
     SVNParentPath "/var/svn"
182
183
     AuthType Basic
184
     AuthName redmine
185
     Require valid-user
186
187
     PerlAccessHandler Apache::Authn::Redmine::access_handler
188
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
189
  
190
     ## for mysql
191
     RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
192
     ## for postgres
193
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
194
195 1 Nicolas Chuche
     RedmineDbUser "redmine"
196 12 Todd Nine
     RedmineDbPass "password"
197
     #Cache the last 50 auth entries
198
     RedmineCacheCredsMax 50
199 15 Jean-Philippe Lang
  </Location>
200 12 Todd Nine
</pre>
201 36 neil johnson
202 1 Nicolas Chuche
h2. Apache configuration for Git repositories
203 38 Lluís Vilanova
204
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]]
205 15 Jean-Philippe Lang
206 1 Nicolas Chuche
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. 
207
208
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : 
209
210
<pre>
211
212 37 Mischa The Evil
PerlLoadModule Apache::Authn::Redmine
213 1 Nicolas Chuche
214 37 Mischa The Evil
SetEnv GIT_PROJECT_ROOT /path/to/git/repos
215
SetEnv GIT_HTTP_EXPORT_ALL
216
217
ScriptAlias /git/ /usr/bin/git-http-backend/
218
219
<Location /git>
220 8 Nicolas Chuche
  AuthType Basic
221
  Require valid-user
222 1 Nicolas Chuche
  AuthName "Git"
223 8 Nicolas Chuche
224
  PerlAccessHandler Apache::Authn::Redmine::access_handler
225
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
226 1 Nicolas Chuche
227 8 Nicolas Chuche
  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
228
  RedmineDbUser "redmine"
229
  RedmineDbPass "password"
230 37 Mischa The Evil
  RedmineGitSmartHttp yes
231 8 Nicolas Chuche
</Location>
232
233
Alias /git-private /var/git
234
235
<Location /git-private>
236
   Order deny,allow
237
   Deny from all
238
   <Limit GET PROPFIND OPTIONS REPORT>
239
      Options Indexes FollowSymLinks MultiViews
240
   Allow from 127.0.0.1
241
   </Limit>
242
</Location>
243
</pre>
244
245
To verify that you can access repository through Redmine.pm, you can use curl :
246
<pre>
247
% curl --netrc --location http://localhost/git/ecookbook/HEAD   
248 13 Thomas Pihl
ref: refs/heads/master
249
</pre>
250
251 22 Diego Oliveira
h2. Apache configuration for Mercurial repositories
252
253 39 Lluís Vilanova
*TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]]
254
255 22 Diego Oliveira
Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this:
256
257
<pre>
258
[paths]
259
/=/path/to/root/repository/**
260
261
[web]
262
allow_push = *
263
allowbz2 = yes
264
allowgz = yes
265
allowzip = yes
266
267
</pre>
268
269
Follows the instructions to install Redmine.pm as described and configure your apache like this.
270
271
<pre>
272
    RewriteEngine on
273
    PerlLoadModule Apache2::Redmine
274
    PerlLoadModule Authen::Simple::LDAP
275
    ScriptAliasMatch ^/hg(.*)  /path/to/the/hgwebdir.cgi/$1
276
    <Location /hg>
277
        AuthType Basic
278
        AuthName "Mercurial"
279
        Require valid-user
280 1 Nicolas Chuche
281
        #Redmine auth
282
        PerlAccessHandler Apache::Authn::Redmine::access_handler
283
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
284
        RedmineDSN "DBI:mysql:database=redmine;host=localhost"
285
        RedmineDbUser "DB_USER"
286
        RedmineDbPass "DB_PASSWD"
287
    </Location>
288 37 Mischa The Evil
289
    # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur.
290
    Alias /private-hg /path/to/hg/repos
291
    
292
    <Location /private-hg>
293
        Order deny, allow
294
        Deny from all
295
        <Limit GET PROPFIND OPTIONS REPORT>
296
            Options Indexes FollowSymLinks MultiViews
297
            Allow from 127.0.0.1
298
        </Limit>
299
    </Location>
300
301 22 Diego Oliveira
302 1 Nicolas Chuche
</pre>
303 22 Diego Oliveira
304
h2. Gotchas
305 13 Thomas Pihl
306
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
307
Example: 
308 1 Nicolas Chuche
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
309
(if your repo are named rm-code)
310 27 Bill Dieter
311 37 Mischa The Evil
When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository.  The user must have a role with that specifically allows the user to browse, read, or write the repository.