Edgewall Software

Changes between Version 11 and Version 12 of TracAuthenticationIntroduction


Timestamp:
Mar 23, 2013, 11:16:40 AM (11 years ago)
Author:
Ciro Duran Santilli <ciro.santilli@…>
Comment:

kept document structure, rephrased/clarified some points, added admin howto

  • TracAuthenticationIntroduction

    v11 v12  
    33||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections and additions||
    44
    5 The basic idea is that Trac itself does not do authentication (other than for [wiki:TracStandalone tracd] which I don't intend to cover here).
    6 Authentication is done by the HTTP server environment, and the authentication information passed to trac when it is invoked by the server.
     5When deploying with on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic of Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
    76
    87There are 2 basic approaches to Trac authentication:-
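Review bot: two typos in added line 5: "When deploying with on a server" should read "When deploying on a server", and "Basic of Digest" should be "Basic or Digest". The removed line 6 also carried the useful mechanism statement that the server performs the authentication and then passes the authenticated user name to Trac when it invokes it; suggest keeping a sentence to that effect in the new line 5, since it is what explains why protecting only the `/login` location later in the document is sufficient.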
     
    1211The following examples are based on an Apache httpd server - further information on authentication on Apache can be found at http://httpd.apache.org/docs-2.0/howto/auth.html
    1312
    14 They use a password file at {{{/var/www/db/passwd}}} - you will need to manipulate this with the {{{htpasswd}}} program or you could look at http://stein.cshl.org/~lstein/user_manage/
    15 As an alternative you could drop in digest authentication - the Apache documentation describes this.
     13They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in http://stein.cshl.org/~lstein/user_manage/.
    1614
    17 == Require Authentication To Access The Trac Installation ==
     15== Require Authentication To Access The Entire Trac Installation ==
    1816
    19 This is the simplest method in both concept and implementation.  It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.
     17This method simply requires HTTP authentication for the root of the site. Nothing can be accessed without authentication.
    2018
    21 For a trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authenticaton stanza for Apache similar to:-
     19It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.
     20
     21The disadvantage of this method is that you cannot have a finer control over user permissions (Ex: user `abc` can view, but not edit location `/path/to/location` ). 
     22
     23For a trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:-
    2224{{{
    2325<Location /trac>
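Review bot: the disadvantage stated in added line 21 is misleading. Requiring authentication for the whole site does not remove Trac's own per-user permission system (the `trac-admin ... permission add` command added later on this page grants permissions per user), so "user `abc` can view but not edit" is still achievable under this method; its real limitation is that no anonymous access is possible at all. Suggest rewording line 21 to say exactly that. Minor: line 13 drops the old line 15's pointer to digest authentication as an alternative, which is acceptable only because the "Digest Authentication" section below covers it.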
     
    3133}}}
    3234
    33 ''Note that in the current version of Trac, you will still see the '''logout''' link above the navigation bar, even though the link will not work (i.e. do nothing).''
     35''Note that in the current version of Trac, clicking on the '''logout''' link above the navigation bar does not logs user out because the browser still remembers the HTTP authentication and keeps sending it.''
    3436
    3537== Optional Authentication For The Trac Installation ==
    3638
    37 This method of authentication allows unauthenticated users to see and to make (limited) changes to the Trac system.  Authenticated users have a bit more access.  To login you click on the ''Login'' entry on the top menubar; after authentication you are given a cookie which is used for authorization and access control.
     39This method of authentication allows unauthenticated users to control specific user permissions (view, edit, etc.) for different parts of the site.
     40
     41In this method, only the `/login` subpath of each project requires authentication. If users successfully hit this path authenticated, the server returns them a session cookie valid for the project's path, which keeps their section active for the rest of the project.
     42
     43The `/login` login subpath can be accessed by users using the ''Login'' link on the top menu bar.
     44
     45The following examples suppose that `/trac` is the location of your project.
    3846
    3947=== Basic Authentication ===
    40 To do this you need to control access to the {{{login}}} name under the Trac system, so for the example above you would change the configuration to:-
     48
     49To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:-
    4150{{{
    42 <Location /trac>
    43   ... extra directives to invoke trac
    44   ... - ie ScriptAlias or mod_python stuff
    45 </Location>
    4651<Location /trac/login>
    4752  AuthType Basic
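Review bot: added line 39 inverts the meaning of the removed line 37: unauthenticated users do not "control specific user permissions"; this method lets anonymous users have some (limited) access while authenticated users get more, and the permissions themselves are set by the administrator. Suggest restoring the sense of line 37. In line 41, "If users successfully hit this path authenticated" reads awkwardly (suggest "Once a user has authenticated at this path") and "keeps their section active" should be "keeps their session active". In line 35, "does not logs user out" should be "does not log the user out"; the added explanation of why logout has no effect (the browser keeps re-sending the HTTP credentials) is a good addition and worth keeping.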
     
    5055  Require valid-user
    5156</Location>
     57<Location /trac>
     58  ... extra directives to invoke trac
     59  ... - ie ScriptAlias or mod_python stuff
     60</Location>
    5261}}}
    53 Note that no file or directory named 'login' needs to exist.
     62Note that no file or directory named 'login' needs to exist: it is a virtual location managed by Trac's cgi script.
     63
     64If you have many projects under a single location (Ex: `/trac/proj1`, `/trac/proj2`), and you want to use a single `passwd` file for all of those projects, you could use `<LocationMatch ^/trac/[^/]+/login$>...</LocationMatch>` instead of `Location` to set authentication for all the projects at once.
     65
    5466=== Digest Authentication ===
    5567
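Review bot: moving `<Location /trac>` (lines 57-60) after `<Location /trac/login>` is harmless here because that section carries no Auth*/Require directives, but it is worth a sentence noting that Apache merges `<Location>` sections in configuration order with later sections overriding earlier ones for the same directives, so anyone who later adds access-control directives to `/trac` must place the more specific `/trac/login` section after it, not before. The `<LocationMatch ^/trac/[^/]+/login$>` suggestion in line 64 is correct and properly anchored; suggest also stating that the same `AuthUserFile` (the `/var/www/db/passwd` file from line 13) goes inside it, since the body of the stanza is shown only as `...`.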
     
    7991''Note that optional login requires cookies, and that the chosen authentication schema be active in Apache. (Basic is by default in most installations, digest usually requires changes to http.conf)''
    8092
     93=== Create admin user ===
     94
     95Finally, you probably want to give one of your users admin permissions. This allows that user to control many settings from the admin panel. It is accessible from a link on the top of the page, visible only to admin users.
     96
     97To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use:
     98
     99{{{
     100  trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
     101}}}
    81102
    82103== Issues ==
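Review bot: in the new "Create admin user" section (lines 93-101), the `trac-admin ... permission add anadmin TRAC_ADMIN` command is correct, but it should state that the user name given must be the same user name the web server authenticates (the entry in the `passwd` file), since Trac grants the permission to that name as received from the server; a mismatch silently leaves the user without admin rights. Also worth adding that TRAC_ADMIN implies every other permission, so it should be granted to as few accounts as possible. Minor typos in the unchanged context line 91, not part of this change but adjacent to it: "schema" should be "scheme" and "http.conf" should be "httpd.conf".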