Edgewall Software

Changes between Version 18 and Version 19 of TracAuthenticationIntroduction


Ignore:
Timestamp:
Jun 1, 2020, 10:27:49 PM (4 months ago)
Author:
Ryan J Ollos
Comment:

Fix links, review and format.

Legend:

Unmodified
Added
Removed
Modified
  • TracAuthenticationIntroduction

    v18 v19  
    11= Introduction to Authentication for Trac
    22
    3 ||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections and additions||
     3{{{#!box note
     4This is a work in progress document, written by someone who has been working this stuff out, rather than an expert.  Please feel free to add clarifications, corrections, and additions.
     5}}}
    46
    5 When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. This is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
     7When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.
    68
    79There are 2 basic approaches to Trac authentication:-
     
    911 2. Restrict access such that the Trac installation is visible to someone without authentication, but you can login with Trac.
    1012
    11 The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found at https://httpd.apache.org/docs/2.4/howto/auth.html
     13The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found in the [https://httpd.apache.org/docs/2.4/howto/auth.html Apache Auth documentation].
    1214
    13 They use a password file at {{{/var/www/db/passwd}}}. You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in https://httpd.apache.org/docs/current/programs/htpasswd.html.
     15They use a password file at `/var/www/db/passwd`. You can manipulate this file with the [https://httpd.apache.org/docs/current/programs/htpasswd.html htpasswd].
    1416
    1517== Require Authentication To Access The Entire Trac Installation
     
    1921It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc.
    2022
    21 The disadvantage of this method is that you cannot have a finer control over user permissions, for example: user `abc` can view, but not edit location `/path/to/location`.
     23The disadvantage of this method is that anonymous access, typically with view-only permissions, is not allowed.
    2224
    23 For a Trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}} you can use an authentication stanza for Apache similar to:
    24 {{{
     25For a Trac installation under `/var/www/trac`, visible as URL `http://www.example.com/trac/` you can use an authentication stanza for Apache similar to:
     26{{{#!apache
    2527<Location /trac>
    2628  AuthType Basic
     
    2830  AuthUserFile /var/www/db/passwd
    2931  Require valid-user
    30   ... extra directives to invoke trac
    31   ... - ie ScriptAlias or mod_python stuff
     32  # ... extra directives to invoke trac
     33  # ... - ie ScriptAlias or mod_python stuff
    3234</Location>
    3335}}}
     
    4749=== Basic Authentication
    4850
    49 To do this you need to control access to the {{{login}}} location under each Trac project, so for the example above you would change the configuration to:
    50 {{{
     51To do this you need to control access to the `login` location under each Trac project, so for the example above you would change the configuration to:
     52{{{#!apache
    5153<Location /trac/login>
    5254  AuthType Basic
     
    5658</Location>
    5759<Location /trac>
    58   ... extra directives to invoke trac
    59   ... - ie ScriptAlias or mod_python stuff
     60  # ... extra directives to invoke trac
     61  # ... - ie ScriptAlias or mod_python stuff
    6062</Location>
    6163}}}
     
    6769=== Digest Authentication
    6870
    69 To setup digest authentication, follow the instructions to create the digest password file. https://httpd.apache.org/docs/2.2/programs/htdigest.html. For the '''realm''' set in htdigest you must put a matching !AuthName.
     71To setup digest authentication, follow [https://httpd.apache.org/docs/2.2/programs/htdigest.html the instructions] to create the digest password file. For the '''realm''' set in htdigest you must put a matching !AuthName.
    7072
    7173For example:
    72  `htdigest -c /path/to/.htdigest TracRealmName UserName`
     74{{{#!sh
     75$ htdigest -c /path/to/.htdigest TracRealmName UserName
     76}}}
    7377
    7478Sample configuration:
    7579
    76 {{{
    77  ...WSGI config if using WSGI
     80{{{#!apache
     81 # ... WSGI config if using WSGI
    7882 <Location /trac>
    79    ...mod_python config if using mod_python
     83   # ...mod_python config if using mod_python
    8084   AuthType Digest
    8185   AuthName "TracRealmName"
     
    8993If you are using Digest with WSGI you must enable authentication passthrough with:
    9094
    91 {{{
     95{{{#!apache
    9296  WSGIPassAuthorization On
    9397  WSGIScriptAlias /trac /path/to/trac/config.wsgi
     
    102106To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use:
    103107
    104 {{{
    105  trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
     108{{{#!sh
     109$ trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN
    106110}}}
    107111