Changes between Version 11 and Version 12 of TracAuthenticationIntroduction
Timestamp: Mar 23, 2013, 11:16:40 AM
TracAuthenticationIntroduction
v11 v12 3 3 ||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert. Please feel free to add clarifications, corrections and additions|| 4 4 5 The basic idea is that Trac itself does not do authentication (other than for [wiki:TracStandalone tracd] which I don't intend to cover here). 6 Authentication is done by the HTTP server environment, and the authentication information passed to trac when it is invoked by the server. 5 When deploying with on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic of Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication. 7 6 8 7 There are 2 basic approaches to Trac authentication:- … … 12 11 The following examples are based on an Apache httpd server - further information on authentication on Apache can be found at http://httpd.apache.org/docs-2.0/howto/auth.html 13 12 14 They use a password file at {{{/var/www/db/passwd}}} - you will need to manipulate this with the {{{htpasswd}}} program or you could look at http://stein.cshl.org/~lstein/user_manage/ 15 As an alternative you could drop in digest authentication - the Apache documentation describes this. 13 They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in http://stein.cshl.org/~lstein/user_manage/. 16 14 17 == Require Authentication To Access The Trac Installation ==15 == Require Authentication To Access The Entire Trac Installation == 18 16 19 This is the simplest method in both concept and implementation. 
It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.17 This method simply requires HTTP authentication for the root of the site. Nothing can be accessed without authentication. 20 18 21 For a trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authenticaton stanza for Apache similar to:- 19 It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc. 20 21 The disadvantage of this method is that you cannot have a finer control over user permissions (Ex: user `abc` can view, but not edit location `/path/to/location` ). 22 23 For a trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:- 22 24 {{{ 23 25 <Location /trac> … … 31 33 }}} 32 34 33 ''Note that in the current version of Trac, you will still see the '''logout''' link above the navigation bar, even though the link will not work (i.e. do nothing).''35 ''Note that in the current version of Trac, clicking on the '''logout''' link above the navigation bar does not logs user out because the browser still remembers the HTTP authentication and keeps sending it.'' 34 36 35 37 == Optional Authentication For The Trac Installation == 36 38 37 This method of authentication allows unauthenticated users to see and to make (limited) changes to the Trac system. Authenticated users have a bit more access. To login you click on the ''Login'' entry on the top menubar; after authentication you are given a cookie which is used for authorization and access control. 
39 This method of authentication allows unauthenticated users to control specific user permissions (view, edit, etc.) for different parts of the site. 40 41 In this method, only the `/login` subpath of each project requires authentication. If users successfully hit this path authenticated, the server returns them a session cookie valid for the project's path, which keeps their section active for the rest of the project. 42 43 The `/login` login subpath can be accessed by users using the ''Login'' link on the top menu bar. 44 45 The following examples suppose that `/trac` is the location of your project. 38 46 39 47 === Basic Authentication === 40 To do this you need to control access to the {{{login}}} name under the Trac system, so for the example above you would change the configuration to:- 48 49 To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:- 41 50 {{{ 42 <Location /trac>43 ... extra directives to invoke trac44 ... - ie ScriptAlias or mod_python stuff45 </Location>46 51 <Location /trac/login> 47 52 AuthType Basic … … 50 55 Require valid-user 51 56 </Location> 57 <Location /trac> 58 ... extra directives to invoke trac 59 ... - ie ScriptAlias or mod_python stuff 60 </Location> 52 61 }}} 53 Note that no file or directory named 'login' needs to exist. 62 Note that no file or directory named 'login' needs to exist: it is a virtual location managed by Trac's cgi script. 63 64 If you have many projects under a single location (Ex: `/trac/proj1`, `/trac/proj2`), and you want to use a single `passwd` file for all of those projects, you could use `<LocationMatch ^/trac/[^/]+/login$>...</LocationMatch>` instead of `Location` to set authentication for all the projects at once. 65 54 66 === Digest Authentication === 55 67 … … 79 91 ''Note that optional login requires cookies, and that the chosen authentication schema be active in Apache. 
(Basic is by default in most installations, digest usually requires changes to http.conf)'' 80 92 93 === Create admin user === 94 95 Finally, you probably want to give one of your users admin permissions. This allows that user to control many settings from the admin panel. It is accessible from a link on the top of the page, visible only to admin users. 96 97 To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use: 98 99 {{{ 100 trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN 101 }}} 81 102 82 103 == Issues ==
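Review bot: the rewritten opening paragraph (new line 5) has two typos that change its meaning: "When deploying with on a server such as Apache" should drop "with", and "such as Basic of Digest" should read "Basic or Digest". The same revision removes the old line 15 pointer to Digest ("As an alternative you could drop in digest authentication - the Apache documentation describes this.") without replacing it; since the page still has a "=== Digest Authentication ===" section, keep a one-line cross-reference to it next to the htpasswd instructions (new line 13) so readers who should not settle for Basic do not miss it.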
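Review bot: new line 39 inverts who holds control: "allows unauthenticated users to control specific user permissions" reads as if anonymous users set permissions, whereas the point of the old line 37 is that anonymous users get limited access and the administrator assigns finer permissions per area. Suggest "This method lets you grant different permissions (view, edit, etc.) to anonymous and authenticated users for different parts of the site." In new line 41, "keeps their section active" should be "keeps their session active", and "If users successfully hit this path authenticated" is clearer as "If a user authenticates successfully at this path". New line 35, "does not logs user out", should be "does not log the user out", and new line 97, "on your passwd file", should be "in your passwd file".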
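Review bot: the reordered stanza at new lines 51-60 now places the general `<Location /trac>` after the more specific `<Location /trac/login>`. Apache processes matching `<Location>` sections in configuration order with later sections overriding earlier ones, and `/trac/login` matches both, so the order is harmless only while `<Location /trac>` carries no AuthType/Require directives; if someone later copies those in from the whole-site stanza above, they would silently override the `/login` block. Either keep the general block first or add a sentence saying the order matters. Separately, new line 62 calls `/login` "a virtual location managed by Trac's cgi script", but line 59 says the same setup works with mod_python, where there is no CGI script; "handled by Trac itself" covers both.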