[Nexus-developers] CVS -> Subversion

Peterson, Peter F. petersonpf at ornl.gov
Wed Oct 18 20:10:35 BST 2006


My sysadmin responded. See below. Please recall when reading this that
we have a fairly closed system.

 

P^2

 

<quote>

Re: passwords: CVS stored your password in a ".cvspass" file in your
home directory when you first did a "cvs login" and may well send it
every time (or maybe once and use a token; not sure). Subversion uses
whatever method you set on the web server ... If you use https with
subversion you are using a public key to encrypt the data, but in our
case you would still be sending a password (stored somewhere on your
computer) as we are using http basic auth. We could issue certificates
and use them instead of "basic auth", but I'm not sure we need to.  

 

----

We use basic authentication sent over HTTPS. The password is stored
somewhere in the user's ~/.svn directory, but is reasonably well
protected by file permissions. This page has some information about
using certificates, but we have not tried it.

 

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

----

 

 

 

What do you do about accounts and password for your TRAC - are they
loaded from some central area? I'm sort of conscious of the possibility
of being spammed and so ideally would require an account for submitting
issues as well, hence the idea of linking to mediawiki as that has an
account creation, verification and "send me a new password" system
already in place. Your roles sound reasonable ... if you have a script
that creates the roles and adds permissions it will save me a load of
trac-admin commands. I guess we need to decide how we will use it Re:
definitions and also what is the status of the TRAC WIKI (like do we
disable it totally or use it as a developer whiteboard?)

 

 

-----

We use basic authentication for access to trac as well, and set
permissions using the script that Pete sent. Our apache configuration
for trac looks like this:

 

#Alias for trac site
Alias /trac/ "/var/trac"

#Main trac directives
<Location /trac>
  AllowOverride None
  Options None
  SetHandler mod_python
  PythonHandler trac.web.modpython_frontend
  PythonOption TracUriRoot "/trac"
  PythonOption TracEnvParentDir "/var/trac"

  #Require Authentication
    AuthType Basic
    AuthName "Authentication Required"
    AuthGroupFile /etc/httpd/auth/www_group
    Require group sns-subversion
    #LDAP
    LDAP_Port 389
    LDAP_Server ldap1.example.com
    LDAP_StartTLS On
    #Where to look
    Base_DN "ou=People,dc=example,dc=com"
    UID_Attr uid
    Require group sns-subversion
    #Authenticate on bind - important!
    AuthOnBind On
    #Debugging
    LDAP_Debug Off

  #Require SSL
  SSLRequireSSL
  SSLRequire (%{HTTP_HOST} == "trac.example.com")
  ErrorDocument 403 https://trac.example.com/trac/
</Location>

#For Authentication into trac (shouldn't be needed because we require auth above)
<LocationMatch "/[^/]+/login">
  AllowOverride None
  Options None

  #Require Authentication
    AuthType Basic
    AuthName "Authentication Required"
    AuthGroupFile /etc/httpd/auth/www_group
    Require group sns-subversion
    #LDAP
    LDAP_Port 389
    LDAP_Server ldap1.example.com
    LDAP_StartTLS On
    #Where to look
    Base_DN "ou=People,dc=example,dc=com"
    UID_Attr uid
    Require group sns-subversion
    #Authenticate on bind - important!
    AuthOnBind On
    #Debugging
    LDAP_Debug Off

  #Require SSL
  SSLRequireSSL
</LocationMatch>

 

----

</quote>

________________________________

From: nexus-developers-bounces at anl.gov
[mailto:nexus-developers-bounces at anl.gov] On Behalf Of Peterson, Peter
F.
Sent: Wednesday, October 18, 2006 2:39 PM
To: Akeroyd, FA (Freddie); nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion

 

Freddie,

 

For setting permissions we do it through a bunch of bash scripts (long
live bash) that have in the base one the setting of roles. Here is the
code cut and pasted (note that we have /var/trac as our root):

<code>
### Set up roles

#Remove anonymous permissions
trac-admin /var/trac/$1 permission remove authenticated TRAC_ADMIN
trac-admin /var/trac/$1 permission remove anonymous TRAC_ADMIN
trac-admin /var/trac/$1 permission remove anonymous BROWSER_VIEW CHANGESET_VIEW \
  CONFIG_VIEW FILE_VIEW LOG_VIEW MILESTONE_ADMIN MILESTONE_CREATE MILESTONE_DELETE \
  MILESTONE_MODIFY MILESTONE_VIEW REPORT_ADMIN REPORT_CREATE REPORT_DELETE \
  REPORT_MODIFY REPORT_SQL_VIEW REPORT_VIEW ROADMAP_ADMIN ROADMAP_VIEW SEARCH_VIEW \
  TICKET_ADMIN TICKET_APPEND TICKET_CHGPROP TICKET_CREATE TICKET_MODIFY TICKET_VIEW \
  TIMELINE_VIEW TRAC_ADMIN WIKI_ADMIN WIKI_CREATE WIKI_DELETE WIKI_MODIFY WIKI_VIEW

#Grant admin privileges to Admins
trac-admin /var/trac/$1 permission add full-admin TRAC_ADMIN

#Grant privileges to everybody
trac-admin /var/trac/$1 permission add everybody CONFIG_VIEW
trac-admin /var/trac/$1 permission add everybody MILESTONE_VIEW
trac-admin /var/trac/$1 permission add everybody REPORT_VIEW
trac-admin /var/trac/$1 permission add everybody ROADMAP_VIEW
trac-admin /var/trac/$1 permission add everybody SEARCH_VIEW
trac-admin /var/trac/$1 permission add everybody TICKET_VIEW
trac-admin /var/trac/$1 permission add everybody TIMELINE_VIEW
trac-admin /var/trac/$1 permission add everybody WIKI_VIEW

#Grant privileges to authenticated
trac-admin /var/trac/$1 permission add authenticated BROWSER_VIEW
trac-admin /var/trac/$1 permission add authenticated CHANGESET_VIEW
trac-admin /var/trac/$1 permission add authenticated FILE_VIEW
trac-admin /var/trac/$1 permission add authenticated LOG_VIEW
trac-admin /var/trac/$1 permission add authenticated TICKET_CREATE
trac-admin /var/trac/$1 permission add authenticated TICKET_APPEND
trac-admin /var/trac/$1 permission add authenticated everybody

#Grant privileges to developer
trac-admin /var/trac/$1 permission add developer TICKET_MODIFY
trac-admin /var/trac/$1 permission add developer WIKI_CREATE
trac-admin /var/trac/$1 permission add developer WIKI_MODIFY
trac-admin /var/trac/$1 permission add developer authenticated

#Grant privileges to editor
trac-admin /var/trac/$1 permission add editor MILESTONE_MODIFY
trac-admin /var/trac/$1 permission add editor ROADMAP_ADMIN
trac-admin /var/trac/$1 permission add editor TICKET_ADMIN
trac-admin /var/trac/$1 permission add editor developer

########## COMPONENTS ##########

#Remove all existing components
trac-admin /var/trac/$1 component remove component1
trac-admin /var/trac/$1 component remove component2

########## MILESTONES ##########

#Remove all existing milestones
trac-admin /var/trac/$1 milestone remove milestone1
trac-admin /var/trac/$1 milestone remove milestone2
trac-admin /var/trac/$1 milestone remove milestone3
trac-admin /var/trac/$1 milestone remove milestone4

########## PRIORITIES ##########

#Change some
trac-admin /var/trac/$1 priority change major high
trac-admin /var/trac/$1 priority change minor medium
trac-admin /var/trac/$1 priority change trivial low

#Remove the others
trac-admin /var/trac/$1 priority remove blocker
trac-admin /var/trac/$1 priority remove critical

########## VERSIONS ##########

#Remove all existing versions
trac-admin /var/trac/$1 version remove 1.0
trac-admin /var/trac/$1 version remove 2.0
</code>

 

I then have a bunch of "one off" scripts for dealing with single users
which are just added to the various roles. You can guess how those look
as well. 

 

I've contacted our sysadmin about your password/authentication
questions. I can say that we have a system where people need a password
just to see our trac site. Then they get upgraded through a separate
channel up the list of privileges. I don't think that this will work
for NeXus since we want to have more open access for people looking at
the projects. 

 

About the wiki portion of trac: we use it partially as a developer
whiteboard, partially as a document repository, and partially to chart
things that span across multiple milestones. To get a real idea of what
it can be used for I suggest looking at the trac project page more. Some
of my favorite pages are http://trac.edgewall.org/wiki/NewWorkflow and
http://trac.edgewall.org/wiki/InterTrac. The second is more along the
lines of documentation for the public. I suggest we keep that sort of
information on the media-wiki.

 

I'll let you know when I have more information.

 

P^2
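The role chain Pete's script builds (everybody, then authenticated, developer and editor, with full-admin kept apart) relies on Trac treating a lower-case grant such as "permission add developer authenticated" as group membership, which is transitive and easy to get wrong once the script grows. The following added example, which is neither from this thread nor Trac's own code, resolves such grants offline and checks the hierarchy; the GRANTS list is constructed to mirror the script above.

```python
# Constructed grants mirroring the trac-admin script in the thread:
# (subject, action-or-group) as "permission add <subject> <X>" would store them.
GRANTS = [
    ("full-admin", "TRAC_ADMIN"),
    ("everybody", "CONFIG_VIEW"), ("everybody", "MILESTONE_VIEW"),
    ("everybody", "REPORT_VIEW"), ("everybody", "ROADMAP_VIEW"),
    ("everybody", "SEARCH_VIEW"), ("everybody", "TICKET_VIEW"),
    ("everybody", "TIMELINE_VIEW"), ("everybody", "WIKI_VIEW"),
    ("authenticated", "BROWSER_VIEW"), ("authenticated", "CHANGESET_VIEW"),
    ("authenticated", "FILE_VIEW"), ("authenticated", "LOG_VIEW"),
    ("authenticated", "TICKET_CREATE"), ("authenticated", "TICKET_APPEND"),
    ("authenticated", "everybody"),
    ("developer", "TICKET_MODIFY"), ("developer", "WIKI_CREATE"),
    ("developer", "WIKI_MODIFY"), ("developer", "authenticated"),
    ("editor", "MILESTONE_MODIFY"), ("editor", "ROADMAP_ADMIN"),
    ("editor", "TICKET_ADMIN"), ("editor", "developer"),
]


def is_action(name):
    # Trac convention: actions are UPPER_CASE; anything else names a group or user.
    return name.isupper()


def effective_permissions(grants, subject):
    """Actions `subject` holds directly or through (nested) group membership."""
    actions, seen, todo = set(), set(), [subject]
    while todo:
        current = todo.pop()
        if current in seen:  # a membership cycle must not loop forever
            continue
        seen.add(current)
        for who, what in grants:
            if who != current:
                continue
            if is_action(what):
                actions.add(what)
            else:
                todo.append(what)  # follow group membership transitively
    return actions


def hierarchy_is_monotone(grants, chain):
    """True if every role in `chain` holds all actions of the role before it."""
    previous = set()
    for role in chain:
        current = effective_permissions(grants, role)
        if not previous <= current:
            return False
        previous = current
    return True
```

Running effective_permissions(GRANTS, "anonymous") against a freshly scripted environment is the quick way to confirm that the "remove anonymous" lines really left nothing behind.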

________________________________

From: Akeroyd, FA (Freddie) [mailto:F.A.Akeroyd at rl.ac.uk] 
Sent: Wednesday, October 18, 2006 2:08 PM
To: Peterson, Peter F.; nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion

 

Peter,

 

Re: passwords: CVS stored your password in a ".cvspass" file in your
home directory when you first did a "cvs login" and may well send it
every time (or maybe once and use a token; not sure). Subversion uses
whatever method you set on the web server ... If you use https with
subversion you are using a public key to encrypt the data, but in our
case you would still be sending a password (stored somewhere on your
computer) as we are using http basic auth. We could issue certificates
and use them instead of "basic auth", but I'm not sure we need to.  

 

What do you do about accounts and password for your TRAC - are they
loaded from some central area? I'm sort of conscious of the possibility
of being spammed and so ideally would require an account for submitting
issues as well, hence the idea of linking to mediawiki as that has an
account creation, verification and "send me a new password" system
already in place. Your roles sound reasonable ... if you have a script
that creates the roles and adds permissions it will save me a load of
trac-admin commands. I guess we need to decide how we will use it Re:
definitions and also what is the status of the TRAC WIKI (like do we
disable it totally or use it as a developer whiteboard?)

 

Freddie

 

________________________________

From: Peterson, Peter F. [mailto:petersonpf at ornl.gov] 
Sent: 17 October 2006 20:55
To: Akeroyd, FA (Freddie); nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion

 

Freddie,

 

It is useful to have a trac site for the definitions as well. We've set
up "roles" to promote "appropriate use of trac". The roles are named
(from least to most able): [everybody, authenticated, developer, editor,
admin]. What happens is that "everybody" can create tickets and view
most of the site, "authenticated" can annotate tickets, "developer" can
change ticket state, "editor" can work with milestones. I don't think it
is necessary to say what "admin" can do. I can send you a list of
information for setting this up.

 

The other statement is that I am curious about passwords since I thought
that I was using a public key to authenticate. Is this true?

 

P^2

 

________________________________

From: nexus-developers-bounces at anl.gov
[mailto:nexus-developers-bounces at anl.gov] On Behalf Of Akeroyd, FA
(Freddie)
Sent: Tuesday, October 17, 2006 2:40 PM
To: nexus-developers at anl.gov
Subject: [Nexus-developers] CVS -> Subversion

 

I've set up two repositories: http://svn.nexusformat.org/code and
http://svn.nexusformat.org/definitions/ ; usernames and passwords are
currently the same as your old CVS ones. You should add "/trunk" to the
URL when you check it out, e.g. http://svn.nexusformat.org/code/trunk .
Post commit hooks, such as emailing you on changes, are not currently set
up but you should be able to check out and commit files.

http://trac.nexusformat.org/ points at just the code repository ... do we
see any need to use trac for definitions? If so, I will create separate
http://trac.nexusformat.org/code/ and http://trac.nexusformat.org/definitions/
areas. To login to trac you can use your subversion username and password,
though login is not currently required to submit issues.

With regard to usernames and passwords, I believe I can make the
trac/subversion ones the same as those in MediaWiki (either by using
mod_auth_mysql or making both use ldap for username/password); either
way will require a one-off reset of everybody's passwords. Do you want
me to go ahead and investigate this further?

With regard to moving the nexus mailing lists, I am awaiting some
changes on our site central mail gateway so that it will accept incoming
mail to user at nexusformat.org and not think it is an illegal attempt to
relay spam through us.

Cheers,

Freddie
