Preston's picture
Preston - Tue, 2014/07/08 - 02:17

I realize this has been discussed a fair amount. Unfortunately I haven't been able to get it fully functioning. In essence I want an out of the box solution in which changes to Redmine automatically create SVN repositories for projects and the addition of new users grant access to those repositories. To do this, I have tried to follow the following posts:

Sorry, this one is cached. As of yesterday the post was not available.

http://webcache.googleusercontent.com/search?q=cache:Mpb5vroCKMIJ:www.tu...

This points to this post from Redmine: http://www.redmine.org/projects/redmine/wiki/HowTo_Automate_repository_c...

 

Okay, that works. Now for the user access to those repositories. In other words, the admin shouldn't have to jump to a command line to update passwd or auth. This should come from the database. To that end, I found this post:

http://www.redmine.org/projects/redmine/wiki/Repositories_access_control...

I modified file to reflect my turnkey settings like this (changes are underlined):

 # /svn location for users
   PerlLoadModule Apache::Redmine
   <Location /svn>
     DAV svn
     # modifying original to point to turnkey redmine parent
     #SVNParentPath "/var/svn" 
     SVNParentPath "/srv/repos/svn"
     Order deny,allow
     Deny from all
     Satisfy any
     # If a client tries to svn update which involves updating many files,
     # the update request might result in an error Server sent unexpected
     # return value (413 Request  Entity Too Large) in response to REPORT
     # request,because the size of the update request exceeds the limit
     # allowed by the server. You can avoid this error by disabling the
     # request size limit by adding the line LimitXMLRequestBody 0
     # between the <Location...> and </Location> lines. 
     LimitXMLRequestBody 0

     # Only check Authentication for root path, nor again for recursive
     # folder.
     # Redmine core does only permit access on repository level, so this
     # doesn't hurt security. On the other hand it does boost performance
     # a lot!
     SVNPathAuthz off

     PerlAccessHandler Apache::Authn::Redmine::access_handler
     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
     AuthType Basic
     AuthName "Redmine SVN Repository" 

     #read-only access    
     <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
        # modifying original to my setup
        # Allow from redmine.server.ip
        Allow from 127.0.0.1
        # Allow from another-ip
         Satisfy any
     </Limit>
     # write access
     <LimitExcept GET PROPFIND OPTIONS REPORT>
       Require valid-user
     </LimitExcept>

     ## for mysql
     # modified original to meet my setup
     #RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" 
     RedmineDSN "DBI:mysql:database=Redmine_production;host=127.0.0.1"
     ## for postgres
     # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 
     ## for SQLite3
     # RedmineDSN "DBI:SQLite:dbname=database.db" 

     # created test users to mysql database with "SELECT" access matching below
     RedmineDbUser "redmine" 
     RedmineDbPass "password" 
  </Location>

Now I need to modify the conf file in the repository to require password read/write access. Unfortunately, whatever I try, I cannot get access to the repo to commit. So I clearly have something configured incorrectly.

Can anyone clear this up for me please? I'm sure it will be helpful to others as well.

As requested by others previously, any way to make this the default behavior of TKL Redmine?

Thanks in advance!

Forum: 
Support
Tags: 
redmine
svn
subversion
user access
Liraz Siri's picture

Liraz Siri - Thu, 2014/07/10 - 01:09

Hi Preston, I opened a new issue on the tracker:

https://github.com/turnkeylinux/tracker/issues/238

If we can figure out how to add this feature and make it play nicely with everything else I think it would be an excellent idea to roll this as the default behavior.

Regarding the issue itself, I took a look to see if I could spot anything obvious that you had missed. No such luck. I wish I could be more helpful but most of my experience is with Git rather than SVN.

Preston's picture

Preston - Thu, 2014/07/10 - 01:35

Do you have any thoughts on what the .conf file within the repos should have to enable this? Should I leave it the way the script left it? Under normal operation, one would specify, for example, the passwd file to be used. That shouldn't be necessary in this setup. Should something else be there?

Liraz Siri's picture

Liraz Siri - Thu, 2014/07/10 - 02:20

Getting these integrations just right can indeed be painful. Often the only way to find something that works is to make the best guesses and just iterate through series of trials and errors. Then you capture the solution into future versions of the integration. It can be dirty work, but on the flip side, gradually eliminating these sort of paper cuts is pretty much one of the main justifications for having a project like TurnKey to begin with. We still need to figure out the integration details though.

jordanthompson's picture

jordanthompson - Mon, 2015/02/16 - 19:01

Has any headway been made on this? I just downloaded the current Turnkey Redmine and I see it does not have this feature... I am interested also.

Jeremy Davis's picture

Jeremy Davis - Tue, 2015/02/17 - 03:44

Unless it's documented elsewhere then it looks like not.

FWIW I just had a quick look at the commits to the Redmine appliance build code (here) and don't see anything relating to this, so I'm guessing not...

Please feel free to continue the work and once we have something that works then we can integrate it into the appliance. It will then be included in the next release.

Brian - Thu, 2015/11/12 - 02:29

I followed the same sequence as Preston (O.P.), but I performed a redmine update to 2.6.7 before hand (I didn't repeat for the original turnkey version, so good luck).

To be clear, this is following the directions for "Using apache/mod_dav_svn/mod_perl method" from 

http://www.redmine.org/projects/redmine/wiki/HowTo_configure_Redmine_for_advanced_Subversion_integration

I followed the directions including using /var/svn/ as the repository location for the method.

Testing reposman.rb

Substitute in the key and run the following to test reposman.rb

ruby /var/www/redmine/extra/svn/reposman.rb --redmine redmine --svn-dir /var/svn --owner www-data --url http://localhost/svn --key=FILLTHISIN --verbose

Access Control

edit /etc/apache2/conf/redmine.conf

append the following (look for the bolded sections for modifications)

# enables connection pooling (very useful for checkouts with many files)
PerlModule Apache::DBI
PerlOptions +GlobalRequest

# /svn location for users
PerlLoadModule Apache::Redmine
<Location /svn>
    DAV svn
    
    ### uncomment the following line when using subversion 1.8 or newer (see http://subversion.apache.org/docs/release-notes/1.8.html#serf-skelta-default)
    # SVNAllowBulkUpdates Prefer
    
    SVNParentPath "/var/svn" 
    Order deny,allow
    Deny from all
    Satisfy any
    # If a client tries to svn update which involves updating many files,
    # the update request might result in an error Server sent unexpected
    # return value (413 Request  Entity Too Large) in response to REPORT
    # request,because the size of the update request exceeds the limit
    # allowed by the server. You can avoid this error by disabling the
    # request size limit by adding the line LimitXMLRequestBody 0
    # between the <Location...> and </Location> lines. 
    LimitXMLRequestBody 0
    
    # Only check Authentication for root path, nor again for recursive
    # folder.
    # Redmine core does only permit access on repository level, so this
    # doesn't hurt security. On the other hand it does boost performance
    # a lot!
    SVNPathAuthz off
    
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler
    AuthType Basic
    AuthName "Redmine SVN Repository" 
    AuthUserFile /dev/null
    
    #read-only access    
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
        Allow from FILLTHISIN (IP Address of the server)
        # Allow from another-ip
        Satisfy any
    </Limit>
    # write access
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
    
    ## for mysql
    RedmineDSN "DBI:mysql:database=redmine_production;host=localhost" 
    ## for postgres
    # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" 
    ## for SQLite3
    # RedmineDSN "DBI:SQLite:dbname=database.db" 
    
    RedmineDbUser "root" 
    RedmineDbPass "FILLTHISIN" 
</Location>

Compared to Preston's Configuration

  1. Using /var/svn/ instead of /srv/repos/svn/
  2. Using the external server IP address instead of the localhost (127.0.0.1) for "Allow from"
  3. RedmineDbUser set to "root" instead of "redmine"
Preston's picture

Preston - Wed, 2015/12/30 - 08:31

A year and a half ago this thing worked. Now I've installed a new TKL server with updated packages (as configured out of the box) and it doesn't work. I followed all the instructions as in the previous post (Thanks Brian, I'll ignore my original posting for the moment). I can see that I can talk to the SVN server from the command line (i.e. list contents in the example repos). I can see that the correct conf files are loaded in Apache. The directory ownership and groups look good. The WS API key is generated and enabled. Yet no matter what, when I go to test this thing with the following code:

ruby /var/www/redmine/extra/svn/reposman.rb --redmine rytekredmine  --svn-dir /srv/repos/svn --owner www-data --url http://localhost/svn/ --key=APIKEY --verbose

I get the following error:

querying Redmine for projects...
Request was denied by your Redmine server. Make sure that 'WS for repository management' is enabled in application settings and that you provided the correct API key.
No project found, perhaps you forgot to "Enable WS for repository management"

This happens irrespective of whether I use localhost, the ip address of the box, or the FQDN. I'm stumped and hoping it's a mental tree/forest problem. Any ideas?

 

Here's the apache config file (redmine_webaccess.conf) that is referenced by redmine.conf

PerlModule Apache::DBI
PerlOptions +GlobalRequest

PerlLoadModule Apache::Redmine
<Location /svn>
  DAV svn

  SVNAllowBulkUpdates Prefer

  SVNParentPath "/srv/repos/svn"
  Order deny,allow
  Deny from all
  Satisfy any
  LimitXMLRequestBody 0

  SVNPathAuthz off

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
  AuthType Basic
  AuthName "Redmine SVN Repository"
  AuthUserFile /dev/null

  # read access
  <Limit GET PROPFIND OPTIONS REPORT>
     Require valid-user
     Allow from 127.0.0.1
     # allow from the network address though localhost should work
     Allow from 192.168.0.9
     Satisfy any
  </Limit>
  # write access
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>

  RedmineDSN "DBI:mysql:database=redmine_production;host=localhost"

  RedmineDbUser "root"
  RedmineDbPass "MYSQLROOTPASSWORD"
</Location>

 

 

Brian - Mon, 2016/01/04 - 18:45

If you are running v14, please see the following bug and referenced post issue.

https://github.com/turnkeylinux/tracker/issues/500

Because of this, I'm running the previous version of turnkey with a manually updated redmine version of 2.6.7. I'll reevaluate once the API is functioning again to allow advanced SVN integration.

Jeremy Davis's picture

Jeremy Davis - Tue, 2016/01/05 - 07:43
FWIW I have just been reviewing the code and I'm pretty sure I know how/why this got broken.

The appliance was updated early in the v14.0 development and right at the start we were having issues with the Jessie based Core. So rather than hold up development we started updating on Wheezy. Most of the work was done but we weren't able to complete until Core v14.0rc1 was finished (due to old package versions in Wheezy). But it looks like when we did finish off we missed some important adjustments that broke some of the functionality.

It looks like it should be all good for v14.1 (have a look here if you're interested). If either or both of you would like to help with testing for the v14.1 release you can build a new ISO with TKLDev (have a look at this blog post.

Add new comment