Changes between Version 17 and Version 18 of TracAuthenticationIntroduction


Timestamp:
Jun 1, 2020, 8:39:40 AM (4 years ago)
Author:
figaro
Comment:

Cosmetic changes, link update

  • TracAuthenticationIntroduction

    v17 v18  
    1 = Introduction to Authentication for Trac =
     1= Introduction to Authentication for Trac
    22
    33||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections and additions||
    44
    5 When deploying with on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
     5When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
    66
    77There are 2 basic approaches to Trac authentication:-
    8  1. Restrict access to the whole Trac installation, so that none of the trac pages are visible without authentication.
     8 1. Restrict access to the whole Trac installation, so that none of the Trac pages are visible without authentication.
    99 2. Restrict access such that the Trac installation is visible to someone without authentication, but you can login with Trac.
    1010
    11 The following examples are based on an Apache httpd server - further information on authentication on Apache can be found at https://httpd.apache.org/docs/2.4/howto/auth.html
     11The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found at https://httpd.apache.org/docs/2.4/howto/auth.html
    1212
    13 They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in http://stein.cshl.org/~lstein/user_manage/.
     13They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in https://httpd.apache.org/docs/current/programs/htpasswd.html.
    1414
    15 == Require Authentication To Access The Entire Trac Installation ==
     15== Require Authentication To Access The Entire Trac Installation
    1616
    17 This method simply requires HTTP authentication for the root of the site. Nothing can be accessed without authentication.
     17This method simply requires HTTP authentication for the root of the site. Nothing on the site can be accessed without authentication.
    1818
    1919It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.
    2020
    21 The disadvantage of this method is that you cannot have a finer control over user permissions (Ex: user `abc` can view, but not edit location `/path/to/location` ). 
     21The disadvantage of this method is that you cannot have a finer control over user permissions, for example: user `abc` can view, but not edit location `/path/to/location`.
    2222
    23 For a trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:-
     23For a Trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:
    2424{{{
    2525<Location /trac>
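Review bot: the link update in line 13 of v18 leaves the sentence inconsistent: it still says the password file can be manipulated "with `user_manage` as described in ...", but the URL now points at the Apache `htpasswd` manual page, which does not describe `user_manage`. Either drop the `user_manage` clause entirely ("You can manipulate this file with the {{{htpasswd}}} program, see https://httpd.apache.org/docs/current/programs/htpasswd.html") or keep a separate link for `user_manage`. Also, since `AuthUserFile` (the `/var/www/db/passwd` path) is read by Apache on every request, it is worth a sentence telling the reader to keep that file outside the document root, as the example path already does.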
     
    3333}}}
    3434
    35 ''Note that in the current version of Trac, clicking on the '''logout''' link above the navigation bar does not logs user out because the browser still remembers the HTTP authentication and keeps sending it.''
     35Note that in the current version of Trac, clicking on the '''logout''' link above the navigation bar does not logs user out, because the browser still remembers the HTTP authentication and keeps sending it.
    3636
    37 == Optional Authentication For The Trac Installation ==
     37== Optional Authentication For The Trac Installation
    3838
    3939This method of authentication allows unauthenticated users to control specific user permissions (view, edit, etc.) for different parts of the site.
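Review bot: line 35 of v18 still reads "does not logs user out"; since this hunk is already rewording the sentence, fix the grammar to "does not log the user out". The unchanged line 39 is also confusing as written: "allows unauthenticated users to control specific user permissions" suggests anonymous users can change permissions, whereas the section is about letting the administrator grant different permissions to anonymous and authenticated users. Suggest "This method allows unauthenticated users to see parts of the site, while specific permissions (view, edit, etc.) can still be controlled per user for different parts of the site."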
     
    4545The following examples suppose that `/trac` is the location of your project.
    4646
    47 === Basic Authentication ===
     47=== Basic Authentication
    4848
    49 To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:-
     49To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:
    5050{{{
    5151<Location /trac/login>
     
    6060</Location>
    6161}}}
     62
    6263Note that no file or directory named 'login' needs to exist: it is a virtual location managed by Trac's cgi script.
    6364
    6465If you have many projects under a single location (Ex: `/trac/proj1`, `/trac/proj2`), and you want to use a single `passwd` file for all of those projects, you could use `<LocationMatch ^/trac/[^/]+/login$>...</LocationMatch>` instead of `Location` to set authentication for all the projects at once.
    6566
    66 === Digest Authentication ===
     67=== Digest Authentication
    6768
    6869To setup digest authentication, follow the instructions to create the digest password file. https://httpd.apache.org/docs/2.2/programs/htdigest.html. For the '''realm''' set in htdigest you must put a matching !AuthName.
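Review bot: the commit message says "link update", but line 68/69 still links the `htdigest` manual at `https://httpd.apache.org/docs/2.2/programs/htdigest.html` while the `htpasswd` link in the same page was moved to `/docs/current/`; update this one to `https://httpd.apache.org/docs/current/programs/htdigest.html` for consistency. Minor: "To setup" should be "To set up", and the sentence would read better as "follow the instructions at ... to create the digest password file."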
     
    7071For example:
    7172 `htdigest -c /path/to/.htdigest TracRealmName UserName`
     73
     74Sample configuration:
    7275
    7376{{{
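Review bot: the `htdigest -c /path/to/.htdigest TracRealmName UserName` example on line 72 uses `-c`, which creates the password file and overwrites it if it already exists, so a reader who copies the line for a second user will wipe the first one. Suggest adding after the example: "Omit `-c` when adding further users to an existing file." The hunk also correctly keeps the realm tied to `AuthName`; it may help to say explicitly that the `TracRealmName` argument here must be the exact string used in the `AuthName` directive of the configuration below, since digest hashes include the realm.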
     
    8386 </Location>
    8487}}}
    85 Don't forget, if you are using Digest with WSGI you must enable authentication passthrough with:
     88
     89If you are using Digest with WSGI you must enable authentication passthrough with:
     90
    8691{{{
    8792  WSGIPassAuthorization On
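Review bot: the rewording on line 89 drops "Don't forget" but still does not say why the directive is needed or where it goes. Suggest: "By default mod_wsgi does not pass the `Authorization` header to the application, so Trac never sees the digest credentials; set `WSGIPassAuthorization On` in the same `<Location>` (or virtual host) that runs Trac." Without that context a reader has no way to tell whether the directive belongs inside the `<Location /trac/login>` stanza or at server level.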
     
    8994}}}
    9095
    91 ''Note that optional login requires cookies, and that the chosen authentication schema be active in Apache. (Basic is by default in most installations, digest usually requires changes to http.conf)''
     96Note that optional login requires cookies and that the chosen authentication schema is active in Apache. Basic is the default in most installations, digest usually requires changes to http.conf.
    9297
    93 === Create admin user ===
     98=== Create admin user
    9499
    95 Finally, you probably want to give one of your users admin permissions. This allows that user to control many settings from the admin panel. It is accessible from a link on the top of the page, visible only to admin users.
     100Finally, you probably want to give one of your users admin permissions to maintain control over the settings in the admin panel. It is accessible from the Admin link in the navigation bar on the top of the page, visible only to admin users.
    96101
    97102To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use:
    98103
    99104{{{
    100   trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
     105 trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
    101106}}}
    102107
    103 == Issues ==
     108== Issues
    104109
    105 You really do want your subversion repository to be using the same names as the Trac authentication names so that labelling of changesets matches with names assigned to tickets etc. This means there is a great advantage in using DAV access to the subversion database and sharing the authentication (password) files between Trac and the WebDAV areas (maybe using group access to give a subset of the users access to the subversion database), although this can be done in other ways.
     110You really do want your subversion repository to be using the same names as the Trac authentication names so that labeling of changesets matches with names assigned to tickets etc. This means there is a great advantage in using DAV access to the subversion database and sharing the authentication (password) files between Trac and the WebDAV areas (maybe using group access to give a subset of the users access to the subversion database), although this can be done in other ways.
    106111
    107 In the authentication methods shown here the password pretty much travels in clear text over the network. You can use Digest authentication to prevent the clear text password going over the network, but this can still be sniffed and subjected to off-line dictionary search attack.  If you require greater security then you really ''should'' use SSL for encryption, or another means of access control.
     112In the authentication methods shown here the password travels in clear text over the network. You can use Digest authentication to prevent the clear text password going over the network, but this can still be sniffed and subjected to off-line dictionary search attack.  If you require greater security then you really ''should'' use SSL for encryption, or another means of access control.
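Review bot: line 96 of v18 refers to "http.conf"; Apache's main configuration file is `httpd.conf`, and since the line is being rewritten anyway the name should be corrected here. Two smaller points in the same hunk: line 110 writes "subversion" in lower case while "Trac" is capitalised on the same line, and line 112 recommends "SSL for encryption" where the current term is TLS (serve the site over HTTPS). The security statement on line 112 is otherwise accurate and worth keeping as is: Basic sends the password itself on every request, and Digest only protects the password from direct disclosure, not from offline guessing against a captured exchange.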