Subversion Account Authorization from Trac WebAdmin

[axton.grams@…]

My trac/svn environment is set up such that both trac and the svn repository use the same authentication realm (htdigest). It would be nice if the WebAdmin plugin (pre Trac 0.11) or Trac (0.11+) would allow management of the svn.conf for each project to control authorization (read/write access) for the svn repository when the realm auth realm is shared.

Some sample config info:

• svn.conf:

  [groups]
  project1-developers = user1, tracuser2, tracuser3
  project2-developers = user2, tracuser2
  
  [/]
  * = r
  
  [project1:/]
  @project1-developers = rw
  
  [project1:/branches/]
  user2 = rw
  
  [project2:/]
  @project2-developers = rw
  

• httpd.conf:

      <Location /project1>
          DAV svn
          SVNPath /var/trac/projects/project1
          AuthzSVNAccessFile /var/svn/conf/svn.conf
          Satisfy Any
          Require valid-user
          AuthType Digest
          AuthName "project1"
          AuthUserFile /etc/conf/.htdigest
      </Location>
      <Location /project1>
          DAV svn
          SVNPath /var/trac/projects/project2
          AuthzSVNAccessFile /var/svn/conf/svn.conf
          Satisfy Any
          Require valid-user
          AuthType Digest
          AuthName "project2"
          AuthUserFile /etc/conf/.htdigest
      </Location>
  

The interface would need to provide facilities to control the following in svn.conf:

• create/alter groups
• define paths for authorization (project/base would be implied)
• select from registered users to give access
• map users/groups to svn

The following backend processes need to be addressed:

• cleanup when user accounts are deleted from trac

I am sure there are some things that need to be addressed that I am missing, but I think this is a good start to spark some interest and conversation on the topic.

[osimons <simon-code@…>]

First aspect of this proposal: Your need is so specialised that I doubt very much it would be interesting to add it to Trac core seeing Trac supports a wide variety of version control systems, web server and authentication setups. Likely this ticket will be closed by someone as 'wontfix' in not too long, as it is much more suitable as a contribution to Trac-Hacks as a standalone plugin.

That said, however: I have already written such a plugin, and it works much in the same way as you propose - also solving some of the issues you have left open. My code essentially:

• Traps Permission Web Admin page updates, and any Trac group staring with '@' is also a Subversion group. So a user 'simon' added to Trac group '@developers' will also be written to [groups] section as the-project~developers = simon. Users added or deleted from groups will automatically update the groups section. It will not work from trac-admin commandline, only through web admin - which is what all our project admins use anyway as they do not have local commandline access.
• A 'Subversion' admin page lets you write the authorization directives as free text according to the single-project rules, and the code expands the directives to support multi-project behind the scenes. That means that this directive:

  [/trunk]
  @developers = rw
  

  will be expanded to this in the actual file:

  [the-project:/trunk]
  @the-project~developers = rw
  

• It stores all project access and group information in a common 'admin.db' sqlite database, and I have a method that writes all the information out to the svn.access file (replacing all content) on demand - usually automatically in code after every update.

It works fine for our 40+ project hosting setup at ​http://www.coderesort.com, and has been in production for about a year and a half, currently using Trac 0.10.4. Problem is that my code is tied into one large plugin that provides a number of components/services at our site, and also depends on various utility methods and generalised classes I have written. It would require a bit of effort to refactor it into a standalone plugin, and review/alter/clean it up to be used in other contexts than the hosted service we provide - it makes assumptions and depend on 'rules' that I have enforced for my whole codebase, but that I know would not be valid in all circumstances. It would also need a way to setup the table for storage (i have a general setup script), and also be modified to support UTF-8 file content and international characters (I enforce ASCII only).

So, all in all: It works, I would be happy to see it on Trac-Hacks some day, but at the moment I do not have the time or 'mindset' to start rewriting working code - and test it in all kinds of settings that are not relevant to my setup.

However, If any developers out there want to take a 'project lead' for this conversion to standalone plugin, I'd be happy to make the code available and help out as best I can. Just contact me.

[daniele@…]

hi.

i don't think that this is really specialistic… as trac is simple, this can be required by a lot of little projects. and the host will be not-so-heavy-loaded.

So, in my mind, you will need a lot of trac istance, one per repository.

i will be glad to have this feature in webadmin too, as long as i have more than one site and i will be happy to have only one config.

bye d.

[Christian Boos]

Agreeing with osimons.

[hef+trac@…]

I could really use this feature as well. If anyone does make a plugin out of it, I would be thrilled.