setup.rst
893 lines
| 30.5 KiB
| text/x-rst
|
RstLexer
/ docs / setup.rst
r568 | .. _setup: | |||
r2095 | ===== | |||
r568 | Setup | |||
===== | ||||
Bradley M. Kuhn
|
r4192 | Setting up Kallithea | ||
r1448 | -------------------- | |||
r572 | ||||
Bradley M. Kuhn
|
r4192 | First, you will need to create a Kallithea configuration file. Run the | ||
Michael V. DePalatis
|
r4955 | following command to do so:: | ||
r3224 | ||||
Mads Kiilerich
|
r6510 | gearbox make-config my.ini | ||
r572 | ||||
Michael V. DePalatis
|
r4955 | This will create the file ``my.ini`` in the current directory. This | ||
Søren Løvborg
|
r5425 | configuration file contains the various settings for Kallithea, e.g. | ||
Michael V. DePalatis
|
r4955 | proxy port, email settings, usage of static files, cache, Celery | ||
settings, and logging. | ||||
r845 | ||||
Mads Kiilerich
|
r4902 | Next, you need to create the databases used by Kallithea. It is recommended to | ||
Andrew Shadura
|
r4914 | use PostgreSQL or SQLite (default). If you choose a database other than the | ||
Michael V. DePalatis
|
r4955 | default, ensure you properly adjust the database URL in your ``my.ini`` | ||
Bradley M. Kuhn
|
r4192 | configuration file to use this other database. Kallithea currently supports | ||
Andrew Shadura
|
r4914 | PostgreSQL, SQLite and MySQL databases. Create the database by running | ||
r1092 | the following command:: | |||
r572 | ||||
Mads Kiilerich
|
r6509 | gearbox setup-db -c my.ini | ||
r572 | ||||
r1092 | This will prompt you for a "root" path. This "root" path is the location where | |||
Bradley M. Kuhn
|
r4192 | Kallithea will store all of its repositories on the current machine. After | ||
Bradley M. Kuhn
|
r4185 | entering this "root" path ``setup-db`` will also prompt you for a username | ||
and password for the initial admin account which ``setup-db`` sets | ||||
r2284 | up for you. | |||
r845 | ||||
Søren Løvborg
|
r5425 | The ``setup-db`` values can also be given on the command line. | ||
Example:: | ||||
r2358 | ||||
Mads Kiilerich
|
r6509 | gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos | ||
r3224 | ||||
Søren Løvborg
|
r5425 | The ``setup-db`` command will create all needed tables and an | ||
Michael V. DePalatis
|
r4955 | admin account. When choosing a root path you can either use a new | ||
empty location, or a location which already contains existing | ||||
repositories. If you choose a location which contains existing | ||||
repositories Kallithea will add all of the repositories at the chosen | ||||
location to its database. (Note: make sure you specify the correct | ||||
path to the root). | ||||
r572 | ||||
Michael V. DePalatis
|
r4955 | .. note:: the given path for Mercurial_ repositories **must** be write | ||
accessible for the application. It's very important since | ||||
the Kallithea web interface will work without write access, | ||||
but when trying to do a push it will fail with permission | ||||
denied errors unless it has write access. | ||||
You are now ready to use Kallithea. To run it simply execute:: | ||||
r3224 | ||||
Mads Kiilerich
|
r6509 | gearbox serve -c my.ini | ||
r3224 | ||||
Michael V. DePalatis
|
r4955 | - This command runs the Kallithea server. The web app should be available at | ||
Søren Løvborg
|
r5425 | http://127.0.0.1:5000. The IP address and port is configurable via the | ||
configuration file created in the previous step. | ||||
- Log in to Kallithea using the admin account created when running ``setup-db``. | ||||
r3224 | - The default permissions on each repository is read, and the owner is admin. | |||
r1092 | Remember to update these if needed. | |||
Michael V. DePalatis
|
r4955 | - In the admin panel you can toggle LDAP, anonymous, and permissions | ||
settings, as well as edit more advanced options on users and | ||||
Søren Løvborg
|
r5425 | repositories. | ||
r1092 | ||||
Mads Kiilerich
|
r5077 | |||
Thomas De Schampheleire
|
r6630 | Internationalization (i18n support) | ||
----------------------------------- | ||||
Thomas De Schampheleire
|
r6687 | |||
Thomas De Schampheleire
|
r6630 | The Kallithea web interface is automatically displayed in the user's preferred | ||
language, as indicated by the browser. Thus, different users may see the | ||||
application in different languages. If the requested language is not available | ||||
(because the translation file for that language does not yet exist or is | ||||
incomplete), the language specified in setting ``i18n.lang`` in the Kallithea | ||||
configuration file is used as fallback. If no fallback language is explicitly | ||||
specified, English is used. | ||||
If you want to disable automatic language detection and instead configure a | ||||
fixed language regardless of user preference, set ``i18n.enabled = false`` and | ||||
set ``i18n.lang`` to the desired language (or leave empty for English). | ||||
Bradley M. Kuhn
|
r4192 | Using Kallithea with SSH | ||
r912 | ------------------------ | |||
Bradley M. Kuhn
|
r4192 | Kallithea currently only hosts repositories using http and https. (The addition | ||
r1309 | of ssh hosting is a planned future feature.) However you can easily use ssh in | |||
Bradley M. Kuhn
|
r4192 | parallel with Kallithea. (Repository access via ssh is a standard "out of | ||
Andrew Shadura
|
r4914 | the box" feature of Mercurial_ and you can use this to access any of the | ||
Bradley M. Kuhn
|
r4192 | repositories that Kallithea is hosting. See PublishingRepositories_) | ||
r1092 | ||||
Bradley M. Kuhn
|
r4192 | Kallithea repository structures are kept in directories with the same name | ||
r1092 | as the project. When using repository groups, each group is a subdirectory. | |||
This allows you to easily use ssh for accessing repositories. | ||||
r912 | ||||
Michael V. DePalatis
|
r4955 | In order to use ssh you need to make sure that your web server and the users' | ||
r1309 | login accounts have the correct permissions set on the appropriate directories. | |||
Michael V. DePalatis
|
r4955 | |||
.. note:: These permissions are independent of any permissions you | ||||
have set up using the Kallithea web interface. | ||||
r912 | ||||
Michael V. DePalatis
|
r4955 | If your main directory (the same as set in Kallithea settings) is for | ||
example set to ``/srv/repos`` and the repository you are using is | ||||
named ``kallithea``, then to clone via ssh you should run:: | ||||
r912 | ||||
Søren Løvborg
|
r5497 | hg clone ssh://user@kallithea.example.com/srv/repos/kallithea | ||
r1092 | ||||
Michael V. DePalatis
|
r4955 | Using other external tools such as mercurial-server_ or using ssh key-based | ||
r1092 | authentication is fully supported. | |||
r912 | ||||
Michael V. DePalatis
|
r4955 | .. note:: In an advanced setup, in order for your ssh access to use | ||
the same permissions as set up via the Kallithea web | ||||
interface, you can create an authentication hook to connect | ||||
to the Kallithea db and run check functions for permissions | ||||
against that. | ||||
r3224 | ||||
Mads Kiilerich
|
r5433 | |||
r683 | Setting up Whoosh full text search | |||
---------------------------------- | ||||
Søren Løvborg
|
r5425 | Kallithea provides full text search of repositories using `Whoosh`__. | ||
r894 | ||||
Søren Løvborg
|
r5425 | .. __: https://pythonhosted.org/Whoosh/ | ||
r683 | ||||
Søren Løvborg
|
r5425 | For an incremental index build, run:: | ||
r707 | ||||
Mads Kiilerich
|
r6509 | gearbox make-index -c my.ini | ||
r683 | ||||
Søren Løvborg
|
r5425 | For a full index rebuild, run:: | ||
r707 | ||||
Mads Kiilerich
|
r6509 | gearbox make-index -c my.ini -f | ||
r572 | ||||
timeless@gmail.com
|
r5818 | The ``--repo-location`` option allows the location of the repositories to be overridden; | ||
Søren Løvborg
|
r5425 | usually, the location is retrieved from the Kallithea database. | ||
r894 | ||||
Søren Løvborg
|
r5425 | The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list:: | ||
r3224 | ||||
Mads Kiilerich
|
r6509 | gearbox make-index -c my.ini --index-only=vcs,kallithea | ||
r572 | ||||
Søren Løvborg
|
r5425 | To keep your index up-to-date it is necessary to do periodic index builds; | ||
for this, it is recommended to use a crontab entry. Example:: | ||||
r3224 | ||||
Mads Kiilerich
|
r6509 | 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini | ||
r3224 | ||||
Søren Løvborg
|
r5425 | When using incremental mode (the default), Whoosh will check the last | ||
r1092 | modification date of each file and add it to be reindexed if a newer file is | |||
available. The indexing daemon checks for any removed files and removes them | ||||
from index. | ||||
r683 | ||||
Michael V. DePalatis
|
r4955 | If you want to rebuild the index from scratch, you can use the ``-f`` flag as above, | ||
Søren Løvborg
|
r5425 | or in the admin panel you can check the "build from scratch" checkbox. | ||
r572 | ||||
Konstantin Veretennicov
|
r5751 | .. _ldap-setup: | ||
r707 | ||||
Mads Kiilerich
|
r5778 | |||
r707 | Setting up LDAP support | |||
----------------------- | ||||
Mads Kiilerich
|
r4902 | Kallithea supports LDAP authentication. In order | ||
r3224 | to use LDAP, you have to install the python-ldap_ package. This package is | |||
Søren Løvborg
|
r5425 | available via PyPI, so you can install it by running:: | ||
r707 | ||||
r1123 | pip install python-ldap | |||
r707 | ||||
Michael V. DePalatis
|
r4955 | .. note:: ``python-ldap`` requires some libraries to be installed on | ||
your system, so before installing it check that you have at | ||||
least the ``openldap`` and ``sasl`` libraries. | ||||
r707 | ||||
Søren Løvborg
|
r5426 | Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button | ||
and then *Save*, to enable the LDAP plugin and configure its settings. | ||||
Thayne Harbaugh
|
r992 | |||
Mads Kiilerich
|
r4902 | Here's a typical LDAP setup:: | ||
Thayne Harbaugh
|
r992 | |||
Connection settings | ||||
Enable LDAP = checked | ||||
Søren Løvborg
|
r5497 | Host = host.example.com | ||
Thayne Harbaugh
|
r992 | Account = <account> | ||
Password = <password> | ||||
Mads Kiilerich
|
r6417 | Connection Security = LDAPS | ||
Thayne Harbaugh
|
r992 | Certificate Checks = DEMAND | ||
Search settings | ||||
Base DN = CN=users,DC=host,DC=example,DC=org | ||||
LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) | ||||
LDAP Search Scope = SUBTREE | ||||
r707 | ||||
Thayne Harbaugh
|
r992 | Attribute mappings | ||
Login Attribute = uid | ||||
First Name Attribute = firstName | ||||
Last Name Attribute = lastName | ||||
Søren Løvborg
|
r5412 | Email Attribute = mail | ||
Thayne Harbaugh
|
r992 | |||
Michael V. DePalatis
|
r4955 | If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs:: | ||
Magnus Ericmats
|
r3801 | |||
Search settings | ||||
Base DN = DC=host,DC=example,DC=org | ||||
LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user)) | ||||
LDAP Search Scope = SUBTREE | ||||
Thayne Harbaugh
|
r992 | .. _enable_ldap: | ||
Enable LDAP : required | ||||
Whether to use LDAP for authenticating users. | ||||
.. _ldap_host: | ||||
Host : required | ||||
r2916 | LDAP server hostname or IP address. Can be also a comma separated | |||
list of servers to support LDAP fail-over. | ||||
Thayne Harbaugh
|
r992 | |||
.. _Port: | ||||
Mads Kiilerich
|
r6294 | Port : optional | ||
Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS. | ||||
Defaults to 636 for LDAPS. | ||||
Thayne Harbaugh
|
r992 | |||
.. _ldap_account: | ||||
r707 | ||||
Thayne Harbaugh
|
r992 | Account : optional | ||
Only required if the LDAP server does not allow anonymous browsing of | ||||
records. This should be a special account for record browsing. This | ||||
will require `LDAP Password`_ below. | ||||
.. _LDAP Password: | ||||
Password : optional | ||||
Only required if the LDAP server does not allow anonymous browsing of | ||||
records. | ||||
.. _Enable LDAPS: | ||||
r1292 | Connection Security : required | |||
Defines the connection to LDAP server | ||||
Mads Kiilerich
|
r6294 | PLAIN | ||
Plain unencrypted LDAP connection. | ||||
This will by default use `Port`_ 389. | ||||
r3224 | ||||
Mads Kiilerich
|
r6294 | LDAPS | ||
Use secure LDAPS connections according to `Certificate | ||||
Checks`_ configuration. | ||||
This will by default use `Port`_ 636. | ||||
r3224 | ||||
Mads Kiilerich
|
r6294 | START_TLS | ||
Use START TLS according to `Certificate Checks`_ configuration on an | ||||
apparently "plain" LDAP connection. | ||||
This will by default use `Port`_ 389. | ||||
Thayne Harbaugh
|
r992 | |||
.. _Certificate Checks: | ||||
r707 | ||||
Thayne Harbaugh
|
r992 | Certificate Checks : optional | ||
Mads Kiilerich
|
r5435 | How SSL certificates verification is handled -- this is only useful when | ||
r3224 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security | |||
Mads Kiilerich
|
r6293 | with mandatory certificate validation, while the other options are | ||
susceptible to man-in-the-middle attacks. | ||||
Thayne Harbaugh
|
r992 | |||
NEVER | ||||
A serve certificate will never be requested or checked. | ||||
ALLOW | ||||
A server certificate is requested. Failure to provide a | ||||
certificate or providing a bad certificate will not terminate the | ||||
session. | ||||
TRY | ||||
A server certificate is requested. Failure to provide a | ||||
certificate does not halt the session; providing a bad certificate | ||||
halts the session. | ||||
DEMAND | ||||
A server certificate is requested and must be provided and | ||||
authenticated for the session to proceed. | ||||
r775 | ||||
Thayne Harbaugh
|
r992 | HARD | ||
The same as DEMAND. | ||||
Mads Kiilerich
|
r6293 | .. _Custom CA Certificates: | ||
Custom CA Certificates : optional | ||||
Directory used by OpenSSL to find CAs for validating the LDAP server certificate. | ||||
Python 2.7.10 and later default to using the system certificate store, and | ||||
this should thus not be necessary when using certificates signed by a CA | ||||
trusted by the system. | ||||
It can be set to something like `/etc/openldap/cacerts` on older systems or | ||||
if using self-signed certificates. | ||||
Thayne Harbaugh
|
r992 | .. _Base DN: | ||
Base DN : required | ||||
The Distinguished Name (DN) where searches for users will be performed. | ||||
Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. | ||||
.. _LDAP Filter: | ||||
LDAP Filter : optional | ||||
A LDAP filter defined by RFC 2254. This is more useful when `LDAP | ||||
Search Scope`_ is set to SUBTREE. The filter is useful for limiting | ||||
which LDAP objects are identified as representing Users for | ||||
authentication. The filter is augmented by `Login Attribute`_ below. | ||||
This can commonly be left blank. | ||||
.. _LDAP Search Scope: | ||||
LDAP Search Scope : required | ||||
This limits how far LDAP will search for a matching object. | ||||
BASE | ||||
Only allows searching of `Base DN`_ and is usually not what you | ||||
want. | ||||
ONELEVEL | ||||
Searches all entries under `Base DN`_, but not Base DN itself. | ||||
SUBTREE | ||||
Searches all entries below `Base DN`_, but not Base DN itself. | ||||
When using SUBTREE `LDAP Filter`_ is useful to limit object | ||||
location. | ||||
.. _Login Attribute: | ||||
r707 | ||||
r3224 | Login Attribute : required | |||
Thayne Harbaugh
|
r992 | The LDAP record attribute that will be matched as the USERNAME or | ||
Bradley M. Kuhn
|
r4192 | ACCOUNT used to connect to Kallithea. This will be added to `LDAP | ||
Thayne Harbaugh
|
r992 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as | ||
"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has | ||||
connected as "jsmith" then the `LDAP Filter`_ will be augmented as below | ||||
:: | ||||
(&(LDAPFILTER)(uid=jsmith)) | ||||
.. _ldap_attr_firstname: | ||||
First Name Attribute : required | ||||
The LDAP record attribute which represents the user's first name. | ||||
.. _ldap_attr_lastname: | ||||
Last Name Attribute : required | ||||
The LDAP record attribute which represents the user's last name. | ||||
.. _ldap_attr_email: | ||||
Email Attribute : required | ||||
The LDAP record attribute which represents the user's email address. | ||||
r707 | ||||
Thayne Harbaugh
|
r992 | If all data are entered correctly, and python-ldap_ is properly installed | ||
Mads Kiilerich
|
r4902 | users should be granted access to Kallithea with LDAP accounts. At this | ||
Bradley M. Kuhn
|
r4192 | time user information is copied from LDAP into the Kallithea user database. | ||
Thayne Harbaugh
|
r992 | This means that updates of an LDAP user object may not be reflected as a | ||
Bradley M. Kuhn
|
r4192 | user update in Kallithea. | ||
Thayne Harbaugh
|
r992 | |||
If You have problems with LDAP access and believe You entered correct | ||||
Bradley M. Kuhn
|
r4192 | information check out the Kallithea logs, any error messages sent from LDAP | ||
Thayne Harbaugh
|
r992 | will be saved there. | ||
Active Directory | ||||
Mads Kiilerich
|
r5568 | ^^^^^^^^^^^^^^^^ | ||
r707 | ||||
Bradley M. Kuhn
|
r4192 | Kallithea can use Microsoft Active Directory for user authentication. This | ||
Thayne Harbaugh
|
r992 | is done through an LDAP or LDAPS connection to Active Directory. The | ||
following LDAP configuration settings are typical for using Active | ||||
Directory :: | ||||
r707 | ||||
Thayne Harbaugh
|
r992 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local | ||
Login Attribute = sAMAccountName | ||||
First Name Attribute = givenName | ||||
Last Name Attribute = sn | ||||
Søren Løvborg
|
r5412 | Email Attribute = mail | ||
Thayne Harbaugh
|
r992 | |||
All other LDAP settings will likely be site-specific and should be | ||||
appropriately configured. | ||||
r777 | ||||
r1467 | ||||
Liad Shani
|
r1657 | Authentication by container or reverse-proxy | ||
-------------------------------------------- | ||||
domruf
|
r4501 | Kallithea supports delegating the authentication | ||
Liad Shani
|
r1657 | of users to its WSGI container, or to a reverse-proxy server through which all | ||
clients access the application. | ||||
Bradley M. Kuhn
|
r4192 | When these authentication methods are enabled in Kallithea, it uses the | ||
Søren Løvborg
|
r5425 | username that the container/proxy (Apache or Nginx, etc.) provides and doesn't | ||
Liad Shani
|
r1657 | perform the authentication itself. The authorization, however, is still done by | ||
Bradley M. Kuhn
|
r4192 | Kallithea according to its settings. | ||
Liad Shani
|
r1657 | |||
When a user logs in for the first time using these authentication methods, | ||||
Bradley M. Kuhn
|
r4192 | a matching user account is created in Kallithea with default permissions. An | ||
administrator can then modify it using Kallithea's admin interface. | ||||
Søren Løvborg
|
r5425 | |||
Liad Shani
|
r1657 | It's also possible for an administrator to create accounts and configure their | ||
Søren Løvborg
|
r5425 | permissions before the user logs in for the first time, using the :ref:`create-user` API. | ||
Liad Shani
|
r1657 | |||
Container-based authentication | ||||
Mads Kiilerich
|
r5568 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
Liad Shani
|
r1657 | |||
Bradley M. Kuhn
|
r4192 | In a container-based authentication setup, Kallithea reads the user name from | ||
Liad Shani
|
r1657 | the ``REMOTE_USER`` server variable provided by the WSGI container. | ||
Søren Løvborg
|
r5425 | After setting up your container (see `Apache with mod_wsgi`_), you'll need | ||
Liad Shani
|
r1657 | to configure it to require authentication on the location configured for | ||
Bradley M. Kuhn
|
r4192 | Kallithea. | ||
Liad Shani
|
r1657 | |||
Proxy pass-through authentication | ||||
Mads Kiilerich
|
r5568 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
Liad Shani
|
r1657 | |||
Bradley M. Kuhn
|
r4192 | In a proxy pass-through authentication setup, Kallithea reads the user name | ||
Liad Shani
|
r1657 | from the ``X-Forwarded-User`` request header, which should be configured to be | ||
sent by the reverse-proxy server. | ||||
After setting up your proxy solution (see `Apache virtual host reverse proxy example`_, | ||||
Søren Løvborg
|
r5425 | `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to | ||
Liad Shani
|
r1657 | configure the authentication and add the username in a request header named | ||
``X-Forwarded-User``. | ||||
For example, the following config section for Apache sets a subdirectory in a | ||||
Søren Løvborg
|
r5425 | reverse-proxy setup with basic auth: | ||
.. code-block:: apache | ||||
Liad Shani
|
r1657 | |||
Søren Løvborg
|
r5425 | <Location /someprefix> | ||
ProxyPass http://127.0.0.1:5000/someprefix | ||||
ProxyPassReverse http://127.0.0.1:5000/someprefix | ||||
Liad Shani
|
r1657 | SetEnvIf X-Url-Scheme https HTTPS=1 | ||
AuthType Basic | ||||
Bradley M. Kuhn
|
r4192 | AuthName "Kallithea authentication" | ||
Mads Kiilerich
|
r4902 | AuthUserFile /srv/kallithea/.htpasswd | ||
Søren Løvborg
|
r5425 | Require valid-user | ||
Liad Shani
|
r1657 | |||
RequestHeader unset X-Forwarded-User | ||||
RewriteEngine On | ||||
RewriteCond %{LA-U:REMOTE_USER} (.+) | ||||
RewriteRule .* - [E=RU:%1] | ||||
RequestHeader set X-Forwarded-User %{RU}e | ||||
r3224 | </Location> | |||
Liad Shani
|
r1657 | |||
domruf
|
r5593 | Setting metadata in container/reverse-proxy | ||
Mads Kiilerich
|
r5778 | """"""""""""""""""""""""""""""""""""""""""" | ||
domruf
|
r5593 | When a new user account is created on the first login, Kallithea has no information about | ||
the user's email and full name. So you can set some additional request headers like in the | ||||
example below. In this example the user is authenticated via Kerberos and an Apache | ||||
mod_python fixup handler is used to get the user information from a LDAP server. But you | ||||
could set the request headers however you want. | ||||
.. code-block:: apache | ||||
<Location /someprefix> | ||||
ProxyPass http://127.0.0.1:5000/someprefix | ||||
ProxyPassReverse http://127.0.0.1:5000/someprefix | ||||
SetEnvIf X-Url-Scheme https HTTPS=1 | ||||
AuthName "Kerberos Login" | ||||
AuthType Kerberos | ||||
Krb5Keytab /etc/apache2/http.keytab | ||||
KrbMethodK5Passwd off | ||||
KrbVerifyKDC on | ||||
Require valid-user | ||||
PythonFixupHandler ldapmetadata | ||||
RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e | ||||
RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e | ||||
RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e | ||||
RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e | ||||
</Location> | ||||
.. code-block:: python | ||||
from mod_python import apache | ||||
import ldap | ||||
Mads Kiilerich
|
r6417 | LDAP_SERVER = "ldaps://server.mydomain.com:636" | ||
domruf
|
r5593 | LDAP_USER = "" | ||
LDAP_PASS = "" | ||||
LDAP_ROOT = "dc=mydomain,dc=com" | ||||
timeless@gmail.com
|
r5780 | LDAP_FILTER = "sAMAccountName=%s" | ||
LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail'] | ||||
domruf
|
r5593 | |||
def fixuphandler(req): | ||||
if req.user is None: | ||||
# no user to search for | ||||
return apache.OK | ||||
else: | ||||
try: | ||||
if('\\' in req.user): | ||||
username = req.user.split('\\')[1] | ||||
elif('@' in req.user): | ||||
username = req.user.split('@')[0] | ||||
else: | ||||
username = req.user | ||||
l = ldap.initialize(LDAP_SERVER) | ||||
l.simple_bind_s(LDAP_USER, LDAP_PASS) | ||||
r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST) | ||||
req.subprocess_env['X_REMOTE_USER'] = username | ||||
req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower() | ||||
req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0] | ||||
req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0] | ||||
except Exception, e: | ||||
apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR) | ||||
return apache.OK | ||||
Liad Shani
|
r1657 | .. note:: | ||
If you enable proxy pass-through authentication, make sure your server is | ||||
only accessible through the proxy. Otherwise, any client would be able to | ||||
forge the authentication header and could effectively become authenticated | ||||
using any account of their liking. | ||||
Mads Kiilerich
|
r5413 | |||
Integration with issue trackers | ||||
r1838 | ------------------------------- | |||
Liad Shani
|
r1657 | |||
Bradley M. Kuhn
|
r4192 | Kallithea provides a simple integration with issue trackers. It's possible | ||
Søren Løvborg
|
r5425 | to define a regular expression that will match an issue ID in commit messages, | ||
and have that replaced with a URL to the issue. To enable this simply | ||||
Michael V. DePalatis
|
r4955 | uncomment the following variables in the ini file:: | ||
r1838 | ||||
r3943 | issue_pat = (?:^#|\s#)(\w+) | |||
Søren Løvborg
|
r5497 | issue_server_link = https://issues.example.com/{repo}/issue/{id} | ||
r1838 | issue_prefix = # | |||
Michael V. DePalatis
|
r4955 | ``issue_pat`` is the regular expression describing which strings in | ||
Andrew Shadura
|
r4848 | commit messages will be treated as issue references. A match group in | ||
parentheses should be used to specify the actual issue id. | ||||
Michael V. DePalatis
|
r4955 | The default expression matches issues in the format ``#<number>``, e.g., ``#300``. | ||
r3224 | ||||
Søren Løvborg
|
r5425 | Matched issue references are replaced with the link specified in | ||
``issue_server_link``. ``{id}`` is replaced with the issue ID, and | ||||
Michael V. DePalatis
|
r4955 | ``{repo}`` with the repository name. Since the # is stripped away, | ||
``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't | ||||
necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will | ||||
Søren Løvborg
|
r5425 | generate a URL in the format: | ||
.. code-block:: html | ||||
r3224 | ||||
Søren Løvborg
|
r5497 | <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a> | ||
Liad Shani
|
r1657 | |||
Andrew Shadura
|
r4848 | If needed, more than one pattern can be specified by appending a unique suffix to | ||
the variables. For example:: | ||||
issue_pat_wiki = (?:wiki-)(.+) | ||||
Søren Løvborg
|
r5497 | issue_server_link_wiki = https://wiki.example.com/{id} | ||
Andrew Shadura
|
r4848 | issue_prefix_wiki = WIKI- | ||
With these settings, wiki pages can be referenced as wiki-some-id, and every | ||||
Søren Løvborg
|
r5425 | such reference will be transformed into: | ||
.. code-block:: html | ||||
Andrew Shadura
|
r4848 | |||
Søren Løvborg
|
r5497 | <a href="https://wiki.example.com/some-id">WIKI-some-id</a> | ||
Andrew Shadura
|
r4848 | |||
r1467 | Hook management | |||
--------------- | ||||
Michael V. DePalatis
|
r4955 | Hooks can be managed in similar way to that used in ``.hgrc`` files. | ||
Søren Løvborg
|
r5426 | To manage hooks, choose *Admin > Settings > Hooks*. | ||
r1467 | ||||
Søren Løvborg
|
r5425 | The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section. | ||
To add another custom hook simply fill in the first textbox with | ||||
``<name>.<hook_type>`` and the second with the hook path. Example hooks | ||||
Michael V. DePalatis
|
r4955 | can be found in ``kallithea.lib.hooks``. | ||
r1467 | ||||
r2017 | Changing default encoding | |||
------------------------- | ||||
Andrew Shadura
|
r4914 | By default, Kallithea uses UTF-8 encoding. | ||
Michael V. DePalatis
|
r4955 | This is configurable as ``default_encoding`` in the .ini file. | ||
Mads Kiilerich
|
r4902 | This affects many parts in Kallithea including user names, filenames, and | ||
Michael V. DePalatis
|
r4955 | encoding of commit messages. In addition Kallithea can detect if the ``chardet`` | ||
library is installed. If ``chardet`` is detected Kallithea will fallback to it | ||||
r2017 | when there are encode/decode errors. | |||
Mads Kiilerich
|
r4902 | Celery configuration | ||
-------------------- | ||||
r777 | ||||
Thomas De Schampheleire
|
r4925 | Kallithea can use the distributed task queue system Celery_ to run tasks like | ||
Søren Løvborg
|
r5412 | cloning repositories or sending emails. | ||
Thomas De Schampheleire
|
r4925 | |||
Kallithea will in most setups work perfectly fine out of the box (without | ||||
Celery), executing all tasks in the web server process. Some tasks can however | ||||
take some time to run and it can be better to run such tasks asynchronously in | ||||
a separate process so the web server can focus on serving web requests. | ||||
For installation and configuration of Celery, see the `Celery documentation`_. | ||||
Note that Celery requires a message broker service like RabbitMQ_ (recommended) | ||||
or Redis_. | ||||
r777 | ||||
Thomas De Schampheleire
|
r4925 | The use of Celery is configured in the Kallithea ini configuration file. | ||
To enable it, simply set:: | ||||
Michael V. DePalatis
|
r4955 | use_celery = true | ||
r777 | ||||
Michael V. DePalatis
|
r4955 | and add or change the ``celery.*`` and ``broker.*`` configuration variables. | ||
Thomas De Schampheleire
|
r4925 | |||
Remember that the ini files use the format with '.' and not with '_' like | ||||
Celery. So for example setting `BROKER_HOST` in Celery means setting | ||||
`broker.host` in the configuration file. | ||||
To start the Celery process, run:: | ||||
r938 | ||||
Mads Kiilerich
|
r6509 | gearbox celeryd -c <configfile.ini> | ||
Extra options to the Celery worker can be passed after ``--`` - see ``-- -h`` | ||||
for more info. | ||||
r777 | ||||
r871 | .. note:: | |||
r3224 | Make sure you run this command from the same virtualenv, and with the same | |||
Bradley M. Kuhn
|
r4192 | user that Kallithea runs. | ||
r3224 | ||||
Søren Løvborg
|
r5425 | |||
r1062 | HTTPS support | |||
------------- | ||||
Mads Kiilerich
|
r4448 | Kallithea will by default generate URLs based on the WSGI environment. | ||
Alternatively, you can use some special configuration settings to control | ||||
directly which scheme/protocol Kallithea will use when generating URLs: | ||||
r1092 | ||||
Søren Løvborg
|
r5425 | - With ``https_fixup = true``, the scheme will be taken from the | ||
``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header | ||||
(default ``http``). | ||||
Michael V. DePalatis
|
r4955 | - With ``force_https = true`` the default will be ``https``. | ||
Søren Løvborg
|
r5425 | - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https. | ||
r871 | ||||
r572 | Nginx virtual host example | |||
-------------------------- | ||||
Søren Løvborg
|
r5425 | Sample config for Nginx using proxy: | ||
.. code-block:: nginx | ||||
r572 | ||||
Mads Kiilerich
|
r4902 | upstream kallithea { | ||
r1745 | server 127.0.0.1:5000; | |||
# add more instances for load balancing | ||||
#server 127.0.0.1:5001; | ||||
#server 127.0.0.1:5002; | ||||
} | ||||
r3224 | ||||
r3850 | ## gist alias | |||
server { | ||||
listen 443; | ||||
Søren Løvborg
|
r5497 | server_name gist.example.com; | ||
r3850 | access_log /var/log/nginx/gist.access.log; | |||
error_log /var/log/nginx/gist.error.log; | ||||
ssl on; | ||||
Bradley M. Kuhn
|
r4182 | ssl_certificate gist.your.kallithea.server.crt; | ||
ssl_certificate_key gist.your.kallithea.server.key; | ||||
r3850 | ||||
ssl_session_timeout 5m; | ||||
ssl_protocols SSLv3 TLSv1; | ||||
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; | ||||
ssl_prefer_server_ciphers on; | ||||
Søren Løvborg
|
r5497 | rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1; | ||
rewrite (.*) https://kallithea.example.com/_admin/gists; | ||||
r3850 | } | |||
r1092 | server { | |||
r3243 | listen 443; | |||
Søren Løvborg
|
r5497 | server_name kallithea.example.com | ||
Bradley M. Kuhn
|
r4192 | access_log /var/log/nginx/kallithea.access.log; | ||
error_log /var/log/nginx/kallithea.error.log; | ||||
r1745 | ||||
r3243 | ssl on; | |||
Bradley M. Kuhn
|
r4182 | ssl_certificate your.kallithea.server.crt; | ||
ssl_certificate_key your.kallithea.server.key; | ||||
r3243 | ||||
ssl_session_timeout 5m; | ||||
ssl_protocols SSLv3 TLSv1; | ||||
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; | ||||
ssl_prefer_server_ciphers on; | ||||
r3850 | ## uncomment root directive if you want to serve static files by nginx | |||
## requires static_files = false in .ini file | ||||
Mads Kiilerich
|
r5843 | #root /srv/kallithea/kallithea/kallithea/public; | ||
r3917 | include /etc/nginx/proxy.conf; | |||
r1092 | location / { | |||
Mads Kiilerich
|
r4902 | try_files $uri @kallithea; | ||
r1092 | } | |||
r3224 | ||||
Mads Kiilerich
|
r4902 | location @kallithea { | ||
Søren Løvborg
|
r5496 | proxy_pass http://127.0.0.1:5000; | ||
r1745 | } | |||
r3224 | } | |||
r1092 | Here's the proxy.conf. It's tuned so it will not timeout on long | |||
pushes or large pushes:: | ||||
r3224 | ||||
r572 | proxy_redirect off; | |||
proxy_set_header Host $host; | ||||
r4073 | ## needed for container auth | |||
#proxy_set_header REMOTE_USER $remote_user; | ||||
#proxy_set_header X-Forwarded-User $remote_user; | ||||
r1745 | proxy_set_header X-Url-Scheme $scheme; | |||
r572 | proxy_set_header X-Host $http_host; | |||
proxy_set_header X-Real-IP $remote_addr; | ||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||||
proxy_set_header Proxy-host $proxy_host; | ||||
proxy_buffering off; | ||||
r1420 | proxy_connect_timeout 7200; | |||
proxy_send_timeout 7200; | ||||
proxy_read_timeout 7200; | ||||
proxy_buffers 8 32k; | ||||
r3919 | client_max_body_size 1024m; | |||
client_body_buffer_size 128k; | ||||
large_client_header_buffers 8 64k; | ||||
r3224 | ||||
r881 | ||||
Augusto Herrmann
|
r1558 | Apache virtual host reverse proxy example | ||
----------------------------------------- | ||||
r881 | ||||
Søren Løvborg
|
r5425 | Here is a sample configuration file for Apache using proxy: | ||
.. code-block:: apache | ||||
r881 | ||||
r929 | <VirtualHost *:80> | |||
Søren Løvborg
|
r5497 | ServerName kallithea.example.com | ||
r3224 | ||||
r929 | <Proxy *> | |||
Søren Løvborg
|
r5425 | # For Apache 2.4 and later: | ||
Require all granted | ||||
# For Apache 2.2 and earlier, instead use: | ||||
# Order allow,deny | ||||
# Allow from all | ||||
r929 | </Proxy> | |||
r3224 | ||||
r929 | #important ! | |||
Thomas De Schampheleire
|
r6302 | #Directive to properly generate url (clone url) for Kallithea | ||
r929 | ProxyPreserveHost On | |||
r3224 | ||||
Bradley M. Kuhn
|
r4192 | #kallithea instance | ||
r929 | ProxyPass / http://127.0.0.1:5000/ | |||
ProxyPassReverse / http://127.0.0.1:5000/ | ||||
r3224 | ||||
r929 | #to enable https use line below | |||
#SetEnvIf X-Url-Scheme https HTTPS=1 | ||||
r3224 | </VirtualHost> | |||
r881 | ||||
Additional tutorial | ||||
Andrew Shadura
|
r4915 | http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons | ||
r572 | ||||
r707 | ||||
r1062 | Apache as subdirectory | |||
---------------------- | ||||
Søren Løvborg
|
r5425 | Apache subdirectory part: | ||
.. code-block:: apache | ||||
r1062 | ||||
r1226 | <Location /<someprefix> > | |||
ProxyPass http://127.0.0.1:5000/<someprefix> | ||||
ProxyPassReverse http://127.0.0.1:5000/<someprefix> | ||||
r1062 | SetEnvIf X-Url-Scheme https HTTPS=1 | |||
r3224 | </Location> | |||
r1062 | ||||
r1392 | Besides the regular apache setup you will need to add the following line | |||
Michael V. DePalatis
|
r4955 | into ``[app:main]`` section of your .ini file:: | ||
r1062 | ||||
filter-with = proxy-prefix | ||||
Add the following at the end of the .ini file:: | ||||
[filter:proxy-prefix] | ||||
use = egg:PasteDeploy#prefix | ||||
r3224 | prefix = /<someprefix> | |||
r1062 | ||||
Michael V. DePalatis
|
r4955 | then change ``<someprefix>`` into your chosen prefix | ||
r1226 | ||||
Mads Kiilerich
|
r5433 | |||
Søren Løvborg
|
r5425 | Apache with mod_wsgi | ||
r1386 | -------------------- | |||
Bradley M. Kuhn
|
r4192 | Alternatively, Kallithea can be set up with Apache under mod_wsgi. For | ||
Augusto Herrmann
|
r1558 | that, you'll need to: | ||
- Install mod_wsgi. If using a Debian-based distro, you can install | ||||
the package libapache2-mod-wsgi:: | ||||
Augusto Herrmann
|
r1559 | |||
Augusto Herrmann
|
r1558 | aptitude install libapache2-mod-wsgi | ||
Augusto Herrmann
|
r1559 | |||
Augusto Herrmann
|
r1558 | - Enable mod_wsgi:: | ||
Augusto Herrmann
|
r1559 | |||
Augusto Herrmann
|
r1558 | a2enmod wsgi | ||
Augusto Herrmann
|
r1559 | |||
Mads Kiilerich
|
r5752 | - Add global Apache configuration to tell mod_wsgi that Python only will be | ||
used in the WSGI processes and shouldn't be initialized in the Apache | ||||
processes:: | ||||
WSGIRestrictEmbedded On | ||||
Augusto Herrmann
|
r1558 | - Create a wsgi dispatch script, like the one below. Make sure you | ||
Michael V. DePalatis
|
r4955 | check that the paths correctly point to where you installed Kallithea | ||
Augusto Herrmann
|
r1558 | and its Python Virtual Environment. | ||
Michael V. DePalatis
|
r4955 | - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script, | ||
Augusto Herrmann
|
r1558 | as in the following example. Once again, check the paths are | ||
correctly specified. | ||||
Søren Løvborg
|
r5425 | Here is a sample excerpt from an Apache Virtual Host configuration file: | ||
.. code-block:: apache | ||||
Augusto Herrmann
|
r1558 | |||
Mads Kiilerich
|
r6116 | WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \ | ||
Mads Kiilerich
|
r5752 | python-home=/srv/kallithea/venv | ||
WSGIProcessGroup kallithea | ||||
Mads Kiilerich
|
r4902 | WSGIScriptAlias / /srv/kallithea/dispatch.wsgi | ||
r2076 | WSGIPassAuthorization On | |||
r1386 | ||||
Søren Løvborg
|
r5425 | Or if using a dispatcher WSGI script with proper virtualenv activation: | ||
.. code-block:: apache | ||||
Mads Kiilerich
|
r4902 | |||
Mads Kiilerich
|
r6116 | WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 | ||
Mads Kiilerich
|
r5752 | WSGIProcessGroup kallithea | ||
Mads Kiilerich
|
r4902 | WSGIScriptAlias / /srv/kallithea/dispatch.wsgi | ||
WSGIPassAuthorization On | ||||
Mads Kiilerich
|
r5752 | Apache will by default run as a special Apache user, on Linux systems | ||
usually ``www-data`` or ``apache``. If you need to have the repositories | ||||
directory owned by a different user, use the user and group options to | ||||
Mads Kiilerich
|
r5754 | WSGIDaemonProcess to set the name of the user and group. | ||
r2800 | ||||
Søren Løvborg
|
r5425 | Example WSGI dispatch script: | ||
.. code-block:: python | ||||
r707 | ||||
r1386 | import os | |||
os.environ["HGENCODING"] = "UTF-8" | ||||
Mads Kiilerich
|
r4902 | os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache' | ||
r3224 | ||||
timeless@gmail.com
|
r5795 | # sometimes it's needed to set the current dir | ||
Mads Kiilerich
|
r4902 | os.chdir('/srv/kallithea/') | ||
Augusto Herrmann
|
r1558 | |||
import site | ||||
Mads Kiilerich
|
r5579 | site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages") | ||
r3224 | ||||
Mads Kiilerich
|
r5752 | ini = '/srv/kallithea/my.ini' | ||
r1386 | from paste.script.util.logging_config import fileConfig | |||
Mads Kiilerich
|
r5752 | fileConfig(ini) | ||
from paste.deploy import loadapp | ||||
application = loadapp('config:' + ini) | ||||
Mads Kiilerich
|
r4902 | |||
Søren Løvborg
|
r5425 | Or using proper virtualenv activation: | ||
.. code-block:: python | ||||
Mads Kiilerich
|
r4902 | |||
activate_this = '/srv/kallithea/venv/bin/activate_this.py' | ||||
Søren Løvborg
|
r5425 | execfile(activate_this, dict(__file__=activate_this)) | ||
r1386 | ||||
Mads Kiilerich
|
r4902 | import os | ||
os.environ['HOME'] = '/srv/kallithea' | ||||
ini = '/srv/kallithea/kallithea.ini' | ||||
from paste.script.util.logging_config import fileConfig | ||||
fileConfig(ini) | ||||
from paste.deploy import loadapp | ||||
application = loadapp('config:' + ini) | ||||
Augusto Herrmann
|
r1558 | |||
r707 | ||||
r591 | Other configuration files | |||
------------------------- | ||||
Søren Løvborg
|
r5425 | A number of `example init.d scripts`__ can be found in | ||
the ``init.d`` directory of the Kallithea source. | ||||
.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ . | ||||
r591 | ||||
Mads Kiilerich
|
r5433 | |||
r572 | .. _virtualenv: http://pypi.python.org/pypi/virtualenv | |||
.. _python: http://www.python.org/ | ||||
r6297 | .. _Mercurial: https://www.mercurial-scm.org/ | |||
Thomas De Schampheleire
|
r4925 | .. _Celery: http://celeryproject.org/ | ||
.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html | ||||
.. _RabbitMQ: http://www.rabbitmq.com/ | ||||
.. _Redis: http://redis.io/ | ||||
Thayne Harbaugh
|
r992 | .. _python-ldap: http://www.python-ldap.org/ | ||
r1092 | .. _mercurial-server: http://www.lshift.net/mercurial-server.html | |||
r6297 | .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories | |||