[Nexus-developers] CVS -> Subversion
Peterson, Peter F.
petersonpf at ornl.gov
Wed Oct 18 20:10:35 BST 2006
My sysadmin responded. See below. Please recall when reading this that
we have a fairly closed system.
P^2
<quote>
Re: passwords: CVS stored your password in a ".cvspass" file in your
home directory when you first did a "cvs login" and may well send it
every time (or maybe once and use a token; not sure). Subversion uses
whatever method you set on the web server ... If you use https with
subversion you are using a public key to encrypt the data, but in our
case you would still be sending a password (stored somewhere on your
computer) as we are using http basic auth. We could issue certificates
and use them instead of "basic auth", but I'm not sure we need to.
----
We use basic authentication sent over HTTPS. The password is stored
somewhere in the user's ~/.svn directory, but is reasonably well
protected by file permissions. This page has some information about
using certificates, but we have not tried it.
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
----
What do you do about accounts and password for your TRAC - are they
loaded from some central area? I'm sort of conscious of the possibility
of being spammed and so ideally would require an account for submitting
issues as well, hence the idea of linking to mediawiki as that has an
account creation, verification and "send me a new password" system
already in place. Your roles sound reasonable ... if you have a script
that creates the roles and adds permissions it will save me a load of
trac-admin commands. I guess we need to decide how we will use it Re:
definitions and also what is the status of the TRAK WIKI (like do we
disable it totally or use it as a developer whiteboard?)
-----
We use basic authentication for access to trac as well, and set
permissions using the script that Pete sent. Our apache configuration
for trac looks like this:
#Alias for trac site
Alias /trac/ "/var/trac"
#Main trac directives
<Location /trac>
AllowOverride None
Options None
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracUriRoot "/trac"
PythonOption TracEnvParentDir "/var/trac"
#Require Authentication
AuthType Basic
AuthName "Authentication Required"
AuthGroupFile /etc/httpd/auth/www_group
Require group sns-subversion
#LDAP
LDAP_Port 389
LDAP_Server ldap1.example.com
LDAP_StartTLS On
#Where to look
Base_DN "ou=People,dc=example,dc=com"
UID_Attr uid
Require group sns-subversion
#Authenticate on bind - important!
AuthOnBind On
#Debugging
LDAP_Debug Off
#Require SSL
SSLRequireSSL
SSLRequire (%{HTTP_HOST} == "trac.example.com")
ErrorDocument 403 https://trac.example.com/trac/
</Location>
#For Authentication into trac (shouldn't be needed because we require auth above)
<LocationMatch "/[^/]+/login">
AllowOverride None
Options None
#Require Authentication
AuthType Basic
AuthName "Authentication Required"
AuthGroupFile /etc/httpd/auth/www_group
Require group sns-subversion
#LDAP
LDAP_Port 389
LDAP_Server ldap1.example.com
LDAP_StartTLS On
#Where to look
Base_DN "ou=People,dc=example,dc=com"
UID_Attr uid
Require group sns-subversion
#Authenticate on bind - important!
AuthOnBind On
#Debugging
LDAP_Debug Off
#Require SSL
SSLRequireSSL
</LocationMatch>
----
</quote>
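The sysadmin's point that the Subversion client keeps the password "somewhere on your computer" can be checked directly. The following is an added example, not code from the post: a POSIX shell audit of Subversion's credential cache that reports which realms have a password cached in the clear without ever printing the password. The ~/.subversion path is the client's default layout; the sample cache entries are constructed data.

```shell
#!/bin/sh
# Added example: audit Subversion's on-disk credential cache for passwords
# stored in the clear. Assumes the layout ~/.subversion/auth/svn.simple/<hash>,
# one K/V "hash file" per realm.

# svn_hash_get FILE KEY: print the value stored under KEY in a Subversion
# hash file (records are "K <len>", key, "V <len>", value, ..., "END").
svn_hash_get() {
    awk -v want="$2" '
        $1 == "K" { getline k; next }
        $1 == "V" { getline v; if (k == want) { print v; exit } }
    ' "$1"
}

# svn_plaintext_creds [DIR]: for every cache entry whose passtype is
# "simple" (password kept in the clear), print "realm<TAB>username".
# Returns 0 if any such entry exists, 1 if the cache is clean.
svn_plaintext_creds() {
    dir="${1:-$HOME/.subversion/auth/svn.simple}"
    rc=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(svn_hash_get "$f" passtype)" = "simple" ]; then
            printf '%s\t%s\n' "$(svn_hash_get "$f" svn:realmstring)" \
                               "$(svn_hash_get "$f" username)"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample cache (fake realm, user and password) so the audit
# can be exercised without touching a real ~/.subversion directory.
SAMPLE_DIR="$(mktemp -d)"
printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n' \
    > "$SAMPLE_DIR/0123456789abcdef"
printf 'K 15\nsvn:realmstring\nV 53\n<https://svn.example.com:443> Authentication Required\n' \
    >> "$SAMPLE_DIR/0123456789abcdef"
printf 'K 8\nusername\nV 5\nalice\nEND\n' >> "$SAMPLE_DIR/0123456789abcdef"

# A second entry whose password lives in a keyring: must not be reported.
printf 'K 8\npasstype\nV 13\ngnome-keyring\nK 15\nsvn:realmstring\nV 21\n<https://other> Realm\nK 8\nusername\nV 3\nbob\nEND\n' \
    > "$SAMPLE_DIR/fedcba9876543210"

svn_plaintext_creds "$SAMPLE_DIR"
```

On a real workstation run it with no argument to inspect the default cache; Subversion 1.6 and later will stop caching new passwords in the clear when `store-plaintext-passwords = no` is set under `[global]` in ~/.subversion/servers.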
________________________________
From: nexus-developers-bounces at anl.gov
[mailto:nexus-developers-bounces at anl.gov] On Behalf Of Peterson, Peter
F.
Sent: Wednesday, October 18, 2006 2:39 PM
To: Akeroyd, FA (Freddie); nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion
Freddie,
For setting permissions we do it through a bunch of bash scripts (long
live bash) that have in the base one the setting of roles. Here is the
code cut and pasted (note that we have /var/trac as our root):
<code>
### Set up roles
#Remove anonymous permissions
trac-admin /var/trac/$1 permission remove authenticated TRAC_ADMIN
trac-admin /var/trac/$1 permission remove anonymous TRAC_ADMIN
trac-admin /var/trac/$1 permission remove anonymous BROWSER_VIEW \
    CHANGESET_VIEW CONFIG_VIEW FILE_VIEW LOG_VIEW MILESTONE_ADMIN \
    MILESTONE_CREATE MILESTONE_DELETE MILESTONE_MODIFY MILESTONE_VIEW \
    REPORT_ADMIN REPORT_CREATE REPORT_DELETE REPORT_MODIFY REPORT_SQL_VIEW \
    REPORT_VIEW ROADMAP_ADMIN ROADMAP_VIEW SEARCH_VIEW TICKET_ADMIN \
    TICKET_APPEND TICKET_CHGPROP TICKET_CREATE TICKET_MODIFY TICKET_VIEW \
    TIMELINE_VIEW TRAC_ADMIN WIKI_ADMIN WIKI_CREATE WIKI_DELETE WIKI_MODIFY \
    WIKI_VIEW
#Grant admin privileges to Admins
trac-admin /var/trac/$1 permission add full-admin TRAC_ADMIN
#Grant privileges to everybody
trac-admin /var/trac/$1 permission add everybody CONFIG_VIEW
trac-admin /var/trac/$1 permission add everybody MILESTONE_VIEW
trac-admin /var/trac/$1 permission add everybody REPORT_VIEW
trac-admin /var/trac/$1 permission add everybody ROADMAP_VIEW
trac-admin /var/trac/$1 permission add everybody SEARCH_VIEW
trac-admin /var/trac/$1 permission add everybody TICKET_VIEW
trac-admin /var/trac/$1 permission add everybody TIMELINE_VIEW
trac-admin /var/trac/$1 permission add everybody WIKI_VIEW
#Grant privileges to authenticated
trac-admin /var/trac/$1 permission add authenticated BROWSER_VIEW
trac-admin /var/trac/$1 permission add authenticated CHANGESET_VIEW
trac-admin /var/trac/$1 permission add authenticated FILE_VIEW
trac-admin /var/trac/$1 permission add authenticated LOG_VIEW
trac-admin /var/trac/$1 permission add authenticated TICKET_CREATE
trac-admin /var/trac/$1 permission add authenticated TICKET_APPEND
trac-admin /var/trac/$1 permission add authenticated everybody
#Grant privileges to developer
trac-admin /var/trac/$1 permission add developer TICKET_MODIFY
trac-admin /var/trac/$1 permission add developer WIKI_CREATE
trac-admin /var/trac/$1 permission add developer WIKI_MODIFY
trac-admin /var/trac/$1 permission add developer authenticated
#Grant privileges to editor
trac-admin /var/trac/$1 permission add editor MILESTONE_MODIFY
trac-admin /var/trac/$1 permission add editor ROADMAP_ADMIN
trac-admin /var/trac/$1 permission add editor TICKET_ADMIN
trac-admin /var/trac/$1 permission add editor developer
########## COMPONENTS ##########
#Remove all existing components
trac-admin /var/trac/$1 component remove component1
trac-admin /var/trac/$1 component remove component2
########## MILESTONES ##########
#Remove all existing milestones
trac-admin /var/trac/$1 milestone remove milestone1
trac-admin /var/trac/$1 milestone remove milestone2
trac-admin /var/trac/$1 milestone remove milestone3
trac-admin /var/trac/$1 milestone remove milestone4
########## PRIORITIES ##########
#Change some
trac-admin /var/trac/$1 priority change major high
trac-admin /var/trac/$1 priority change minor medium
trac-admin /var/trac/$1 priority change trivial low
#Remove the others
trac-admin /var/trac/$1 priority remove blocker
trac-admin /var/trac/$1 priority remove critical
########## VERSIONS ##########
#Remove all existing versions
trac-admin /var/trac/$1 version remove 1.0
trac-admin /var/trac/$1 version remove 2.0
</code>
I then have a bunch of "one off" scripts for dealing with single users
which are just added to the various roles. You can guess how those look
as well.
I've contacted our sysadmin about your password/authentication
questions. I can say that we have a system where people need a password
just to see our trac site. Then they get upgraded through a separate
channel up the list of privileges. I don't think that this will work
for NeXus since we want to have more open access for people looking at
the projects.
About the wiki portion of trac: we use it partially as a developer
whiteboard, partially as a document repository, and partially to chart
things that span across multiple milestones. To get a real idea of what
it can be used for I suggest looking at the trac project page more. Some
of my favorite pages are http://trac.edgewall.org/wiki/NewWorkflow and
http://trac.edgewall.org/wiki/InterTrac. The second is more along the
lines of documentation for the public. I suggest we keep that sort of
information on the media-wiki.
I'll let you know when I have more information.
P^2
________________________________
From: Akeroyd, FA (Freddie) [mailto:F.A.Akeroyd at rl.ac.uk]
Sent: Wednesday, October 18, 2006 2:08 PM
To: Peterson, Peter F.; nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion
Peter,
Re: passwords: CVS stored your password in a ".cvspass" file in your
home directory when you first did a "cvs login" and may well send it
every time (or maybe once and use a token; not sure). Subversion uses
whatever method you set on the web server ... If you use https with
subversion you are using a public key to encrypt the data, but in our
case you would still be sending a password (stored somewhere on your
computer) as we are using http basic auth. We could issue certificates
and use them instead of "basic auth", but I'm not sure we need to.
What do you do about accounts and password for your TRAC - are they
loaded from some central area? I'm sort of conscious of the possibility
of being spammed and so ideally would require an account for submitting
issues as well, hence the idea of linking to mediawiki as that has an
account creation, verification and "send me a new password" system
already in place. Your roles sound reasonable ... if you have a script
that creates the roles and adds permissions it will save me a load of
trac-admin commands. I guess we need to decide how we will use it Re:
definitions and also what is the status of the TRAK WIKI (like do we
disable it totally or use it as a developer whiteboard?)
Freddie
________________________________
From: Peterson, Peter F. [mailto:petersonpf at ornl.gov]
Sent: 17 October 2006 20:55
To: Akeroyd, FA (Freddie); nexus-developers at anl.gov
Subject: RE: [Nexus-developers] CVS -> Subversion
Freddie,
It is useful to have a trac site for the definitions as well. We've set
up "roles" to promote "appropriate use" of trac. The roles are named
(from least to most able): [everybody, authenticated, developer, editor,
admin]. What happens is that "everybody" can create tickets and view
most of the site, "authenticated" can annotate tickets, "developer" can
change ticket state, "editor" can work with milestones. I don't think it
is necessary to say what "admin" can do. I can send you a list of
information for setting this up.
The other statement is that I am curious about passwords since I thought
that I was using a public key to authenticate. Is this true?
P^2
________________________________
From: nexus-developers-bounces at anl.gov
[mailto:nexus-developers-bounces at anl.gov] On Behalf Of Akeroyd, FA
(Freddie)
Sent: Tuesday, October 17, 2006 2:40 PM
To: nexus-developers at anl.gov
Subject: [Nexus-developers] CVS -> Subversion
I've set up two repositories: http://svn.nexusformat.org/code and
http://svn.nexusformat.org/definitions/; usernames and passwords are
currently the same as your old CVS ones. You should add "/trunk" to the
URL when you check it out, e.g. http://svn.nexusformat.org/code/trunk.
Post commit hooks, such as emailing you on changes, are not currently set
up but you should be able to check out and commit files.
http://trac.nexusformat.org/ points at just the code repository ... do we
see any need to use trac for definitions? If so, I will create separate
http://trac.nexusformat.org/code/ and http://trac.nexusformat.org/definitions/
areas. To login to trac you can use your subversion username and
password, though login is not currently required to submit issues.
With regard to usernames and passwords, I believe I can make the
trac/subversion ones the same as those in MediaWiki (either by using
mod_auth_mysql or making both use ldap for username/password); either
way will require a one-off reset of everybody's passwords. Do you want
me to go ahead and investigate this further?
With regard to moving the nexus mailing lists, I am awaiting some
changes on our site central mail gateway so that it will accept incoming
mail to user at nexusformat.org and not think it is an illegal attempt
to relay spam through us.
Cheers,
Freddie