upstream/kallithea Commit - r7262:2898ea3f

docs: move authentication info to separate file...

Thomas De Schampheleire -

r7262:2898ea3f default

parent child

docs/administrator_guide/auth.rst docs/setup.rst

0 copied +11 -593

This diff has been collapsed as it changes many lines, (604 lines changed) Show them Hide them
			@@ -1,181 +1,16 b''
	1		.. _setup:
	2
	3		=====
	4		Setup
	5		=====
	6
	7
	8		Preparing front-end
	9		-------------------
	10
	11		Temporarily, in the current Kallithea version, some extra steps are required to
	12		build front-end files:
	13
	14		Find the right ``kallithea/public/less`` path with::
	15
	16		python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
	17
	18		Then run::
	19
	20		npm install
	21		npm run less
	22
	23
	24		Setting up Kallithea
	25		--------------------
	26
	27		First, you will need to create a Kallithea configuration file. Run the
	28		following command to do so::
	29
	30		gearbox make-config my.ini
	31
	32		This will create the file ``my.ini`` in the current directory. This
	33		configuration file contains the various settings for Kallithea, e.g.
	34		proxy port, email settings, usage of static files, cache, Celery
	35		settings, and logging. Extra settings can be specified like::
	36
	37		gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
	38
	39		Next, you need to create the databases used by Kallithea. It is recommended to
	40		use PostgreSQL or SQLite (default). If you choose a database other than the
	41		default, ensure you properly adjust the database URL in your ``my.ini``
	42		configuration file to use this other database. Kallithea currently supports
	43		PostgreSQL, SQLite and MySQL databases. Create the database by running
	44		the following command::
	45
	46		gearbox setup-db -c my.ini
	47
	48		This will prompt you for a "root" path. This "root" path is the location where
	49		Kallithea will store all of its repositories on the current machine. After
	50		entering this "root" path ``setup-db`` will also prompt you for a username
	51		and password for the initial admin account which ``setup-db`` sets
	52		up for you.
	53
	54		The ``setup-db`` values can also be given on the command line.
	55		Example::
	56
	57		gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
	58
	59		The ``setup-db`` command will create all needed tables and an
	60		admin account. When choosing a root path you can either use a new
	61		empty location, or a location which already contains existing
	62		repositories. If you choose a location which contains existing
	63		repositories Kallithea will add all of the repositories at the chosen
	64		location to its database. (Note: make sure you specify the correct
	65		path to the root).
	66
	67		.. note:: the given path for Mercurial_ repositories must be write
	68		accessible for the application. It's very important since
	69		the Kallithea web interface will work without write access,
	70		but when trying to do a push it will fail with permission
	71		denied errors unless it has write access.
	72
	73		You are now ready to use Kallithea. To run it simply execute::
	74
	75		gearbox serve -c my.ini
	76
	77		- This command runs the Kallithea server. The web app should be available at
	78		http://127.0.0.1:5000. The IP address and port is configurable via the
	79		configuration file created in the previous step.
	80		- Log in to Kallithea using the admin account created when running ``setup-db``.
	81		- The default permissions on each repository is read, and the owner is admin.
	82		Remember to update these if needed.
	83		- In the admin panel you can toggle LDAP, anonymous, and permissions
	84		settings, as well as edit more advanced options on users and
	85		repositories.
		1	.. _authentication:
		2	Authentication setup
		3	====================
	86	4
	87
	88		Internationalization (i18n support)
	89		-----------------------------------
	90
	91		The Kallithea web interface is automatically displayed in the user's preferred
	92		language, as indicated by the browser. Thus, different users may see the
	93		application in different languages. If the requested language is not available
	94		(because the translation file for that language does not yet exist or is
	95		incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
	96		configuration file is used as fallback. If no fallback language is explicitly
	97		specified, English is used.
	98
	99		If you want to disable automatic language detection and instead configure a
	100		fixed language regardless of user preference, set ``i18n.enabled = false`` and
	101		set ``i18n.lang`` to the desired language (or leave empty for English).
	102
	103
	104		Using Kallithea with SSH
	105		------------------------
	106
	107		Kallithea currently only hosts repositories using http and https. (The addition
	108		of ssh hosting is a planned future feature.) However you can easily use ssh in
	109		parallel with Kallithea. (Repository access via ssh is a standard "out of
	110		the box" feature of Mercurial_ and you can use this to access any of the
	111		repositories that Kallithea is hosting. See PublishingRepositories_)
	112
	113		Kallithea repository structures are kept in directories with the same name
	114		as the project. When using repository groups, each group is a subdirectory.
	115		This allows you to easily use ssh for accessing repositories.
	116
	117		In order to use ssh you need to make sure that your web server and the users'
	118		login accounts have the correct permissions set on the appropriate directories.
	119
	120		.. note:: These permissions are independent of any permissions you
	121		have set up using the Kallithea web interface.
	122
	123		If your main directory (the same as set in Kallithea settings) is for
	124		example set to ``/srv/repos`` and the repository you are using is
	125		named ``kallithea``, then to clone via ssh you should run::
	126
	127		hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
	128
	129		Using other external tools such as mercurial-server_ or using ssh key-based
	130		authentication is fully supported.
	131
	132		.. note:: In an advanced setup, in order for your ssh access to use
	133		the same permissions as set up via the Kallithea web
	134		interface, you can create an authentication hook to connect
	135		to the Kallithea db and run check functions for permissions
	136		against that.
	137
	138
	139		Setting up Whoosh full text search
	140		----------------------------------
	141
	142		Kallithea provides full text search of repositories using `Whoosh`__.
	143
	144		.. __: https://whoosh.readthedocs.io/en/latest/
	145
	146		For an incremental index build, run::
	147
	148		gearbox make-index -c my.ini
	149
	150		For a full index rebuild, run::
	151
	152		gearbox make-index -c my.ini -f
	153
	154		The ``--repo-location`` option allows the location of the repositories to be overridden;
	155		usually, the location is retrieved from the Kallithea database.
	156
	157		The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
	158
	159		gearbox make-index -c my.ini --index-only=vcs,kallithea
	160
	161		To keep your index up-to-date it is necessary to do periodic index builds;
	162		for this, it is recommended to use a crontab entry. Example::
	163
	164		0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
	165
	166		When using incremental mode (the default), Whoosh will check the last
	167		modification date of each file and add it to be reindexed if a newer file is
	168		available. The indexing daemon checks for any removed files and removes them
	169		from index.
	170
	171		If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
	172		or in the admin panel you can check the "build from scratch" checkbox.
		5	Users can be authenticated in different ways. By default, Kallithea
		6	uses its internal user database. Alternative authentication
		7	methods include LDAP, PAM, Crowd, and container-based authentication.
	173	8
	174	9	.. _ldap-setup:
	175	10
	176	11
	177		Setting up LDAP support
	178		-------------------~~----~~
		12	LDAP Authentication
		13	-------------------
	179	14
	180	15	Kallithea supports LDAP authentication. In order
	181	16	to use LDAP, you have to install the python-ldap_ package. This package is
			@@ -417,7 +252,7 b' Container-based authentication'
	417	252	In a container-based authentication setup, Kallithea reads the user name from
	418	253	the ``REMOTE_USER`` server variable provided by the WSGI container.
	419	254
	420		After setting up your container (see ~~`Apache with~~ mod_wsgi`_), you'll need
		255	After setting up your container (see :ref:`apache_mod_wsgi`), you'll need
	421	256	to configure it to require authentication on the location configured for
	422	257	Kallithea.
	423	258
			@@ -428,8 +263,8 b' In a proxy pass-through authentication s'
	428	263	from the ``X-Forwarded-User`` request header, which should be configured to be
	429	264	sent by the reverse-proxy server.
	430	265
	431		After setting up your proxy solution (see ~~`Apache virtual host reverse proxy example`_~~,
	432		~~`Apache as~~ subdirectory`_ or ~~`Nginx virtual host example`_~~), you'll need to
		266	After setting up your proxy solution (see :ref:`apache_virtual_host_reverse_proxy`,
		267	:ref:`apache_subdirectory` or :ref:`nginx_virtual_host`), you'll need to
	433	268	configure the authentication and add the username in a request header named
	434	269	``X-Forwarded-User``.
	435	270
			@@ -530,421 +365,4 b' could set the request headers however yo'
	530	365	using any account of their liking.
	531	366
	532	367
	533		Integration with issue trackers
	534		-------------------------------
	535
	536		Kallithea provides a simple integration with issue trackers. It's possible
	537		to define a regular expression that will match an issue ID in commit messages,
	538		and have that replaced with a URL to the issue.
	539
	540		This is achieved with following three variables in the ini file::
	541
	542		issue_pat = #(\d+)
	543		issue_server_link = https://issues.example.com/{repo}/issue/\1
	544		issue_sub =
	545
	546		``issue_pat`` is the regular expression describing which strings in
	547		commit messages will be treated as issue references. The expression can/should
	548		have one or more parenthesized groups that can later be referred to in
	549		``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
	550		can be used instead of simple parenthesized groups.
	551
	552		If the pattern should only match if it is preceded by whitespace, add the
	553		following string before the actual pattern: ``(?:^\|(?<=\s))``.
	554		If the pattern should only match if it is followed by whitespace, add the
	555		following string after the actual pattern: ``(?:$\|(?=\s))``.
	556		These expressions use lookbehind and lookahead assertions of the Python regular
	557		expression module to avoid the whitespace to be part of the actual pattern,
	558		otherwise the link text will also contain that whitespace.
	559
	560		Matched issue references are replaced with the link specified in
	561		``issue_server_link``, in which any backreferences are resolved. Backreferences
	562		can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
	563		The special token ``{repo}`` is replaced with the full repository path
	564		(including repository groups), while token ``{repo_name}`` is replaced with the
	565		repository name (without repository groups).
	566
	567		The link text is determined by ``issue_sub``, which can be a string containing
	568		backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
	569		empty, then the text matched by ``issue_pat`` is used verbatim.
	570
	571		The example settings shown above match issues in the format ``#<number>``.
	572		This will cause the text ``#300`` to be transformed into a link:
	573
	574		.. code-block:: html
	575
	576		<a href="https://issues.example.com/example_repo/issue/300">#300</a>
	577
	578		The following example transforms a text starting with either of 'pullrequest',
	579		'pull request' or 'PR', followed by an optional space, then a pound character
	580		(#) and one or more digits, into a link with the text 'PR #' followed by the
	581		digits::
	582
	583		issue_pat = (pullrequest\|pull request\|PR) ?#(\d+)
	584		issue_server_link = https://issues.example.com/\2
	585		issue_sub = PR #\2
	586
	587		The following example demonstrates how to require whitespace before the issue
	588		reference in order for it to be recognized, such that the text ``issue#123`` will
	589		not cause a match, but ``issue #123`` will::
	590
	591		issue_pat = (?:^\|(?<=\s))#(\d+)
	592		issue_server_link = https://issues.example.com/\1
	593		issue_sub =
	594
	595		If needed, more than one pattern can be specified by appending a unique suffix to
	596		the variables. For example, also demonstrating the use of named groups::
	597
	598		issue_pat_wiki = wiki-(?P<pagename>\S+)
	599		issue_server_link_wiki = https://wiki.example.com/\g<pagename>
	600		issue_sub_wiki = WIKI-\g<pagename>
	601
	602		With these settings, wiki pages can be referenced as wiki-some-id, and every
	603		such reference will be transformed into:
	604
	605		.. code-block:: html
	606
	607		<a href="https://wiki.example.com/some-id">WIKI-some-id</a>
	608
	609		Refer to the `Python regular expression documentation`_ for more details about
	610		the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
	611
	612
	613		Hook management
	614		---------------
	615
	616		Hooks can be managed in similar way to that used in ``.hgrc`` files.
	617		To manage hooks, choose Admin > Settings > Hooks.
	618
	619		The built-in hooks cannot be modified, though they can be enabled or disabled in the VCS section.
	620
	621		To add another custom hook simply fill in the first textbox with
	622		``<name>.<hook_type>`` and the second with the hook path. Example hooks
	623		can be found in ``kallithea.lib.hooks``.
	624
	625
	626		Changing default encoding
	627		-------------------------
	628
	629		By default, Kallithea uses UTF-8 encoding.
	630		This is configurable as ``default_encoding`` in the .ini file.
	631		This affects many parts in Kallithea including user names, filenames, and
	632		encoding of commit messages. In addition Kallithea can detect if the ``chardet``
	633		library is installed. If ``chardet`` is detected Kallithea will fallback to it
	634		when there are encode/decode errors.
	635
	636		The Mercurial encoding is configurable as ``hgencoding``. It is similar to
	637		setting the ``HGENCODING`` environment variable, but will override it.
	638
	639
	640		Celery configuration
	641		--------------------
	642
	643		Kallithea can use the distributed task queue system Celery_ to run tasks like
	644		cloning repositories or sending emails.
	645
	646		Kallithea will in most setups work perfectly fine out of the box (without
	647		Celery), executing all tasks in the web server process. Some tasks can however
	648		take some time to run and it can be better to run such tasks asynchronously in
	649		a separate process so the web server can focus on serving web requests.
	650
	651		For installation and configuration of Celery, see the `Celery documentation`_.
	652		Note that Celery requires a message broker service like RabbitMQ_ (recommended)
	653		or Redis_.
	654
	655		The use of Celery is configured in the Kallithea ini configuration file.
	656		To enable it, simply set::
	657
	658		use_celery = true
	659
	660		and add or change the ``celery.`` and ``broker.`` configuration variables.
	661
	662		Remember that the ini files use the format with '.' and not with '_' like
	663		Celery. So for example setting `BROKER_HOST` in Celery means setting
	664		`broker.host` in the configuration file.
	665
	666		To start the Celery process, run::
	667
	668		gearbox celeryd -c <configfile.ini>
	669
	670		Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
	671		for more info.
	672
	673		.. note::
	674		Make sure you run this command from the same virtualenv, and with the same
	675		user that Kallithea runs.
	676
	677
	678		HTTPS support
	679		-------------
	680
	681		Kallithea will by default generate URLs based on the WSGI environment.
	682
	683		Alternatively, you can use some special configuration settings to control
	684		directly which scheme/protocol Kallithea will use when generating URLs:
	685
	686		- With ``https_fixup = true``, the scheme will be taken from the
	687		``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
	688		(default ``http``).
	689		- With ``force_https = true`` the default will be ``https``.
	690		- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
	691
	692
	693		Nginx virtual host example
	694		--------------------------
	695
	696		Sample config for Nginx using proxy:
	697
	698		.. code-block:: nginx
	699
	700		upstream kallithea {
	701		server 127.0.0.1:5000;
	702		# add more instances for load balancing
	703		#server 127.0.0.1:5001;
	704		#server 127.0.0.1:5002;
	705		}
	706
	707		## gist alias
	708		server {
	709		listen 443;
	710		server_name gist.example.com;
	711		access_log /var/log/nginx/gist.access.log;
	712		error_log /var/log/nginx/gist.error.log;
	713
	714		ssl on;
	715		ssl_certificate gist.your.kallithea.server.crt;
	716		ssl_certificate_key gist.your.kallithea.server.key;
	717
	718		ssl_session_timeout 5m;
	719
	720		ssl_protocols SSLv3 TLSv1;
	721		ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
	722		ssl_prefer_server_ciphers on;
	723
	724		rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
	725		rewrite (.*) https://kallithea.example.com/_admin/gists;
	726		}
	727
	728		server {
	729		listen 443;
	730		server_name kallithea.example.com
	731		access_log /var/log/nginx/kallithea.access.log;
	732		error_log /var/log/nginx/kallithea.error.log;
	733
	734		ssl on;
	735		ssl_certificate your.kallithea.server.crt;
	736		ssl_certificate_key your.kallithea.server.key;
	737
	738		ssl_session_timeout 5m;
	739
	740		ssl_protocols SSLv3 TLSv1;
	741		ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
	742		ssl_prefer_server_ciphers on;
	743
	744		## uncomment root directive if you want to serve static files by nginx
	745		## requires static_files = false in .ini file
	746		#root /srv/kallithea/kallithea/kallithea/public;
	747		include /etc/nginx/proxy.conf;
	748		location / {
	749		try_files $uri @kallithea;
	750		}
	751
	752		location @kallithea {
	753		proxy_pass http://127.0.0.1:5000;
	754		}
	755
	756		}
	757
	758		Here's the proxy.conf. It's tuned so it will not timeout on long
	759		pushes or large pushes::
	760
	761		proxy_redirect off;
	762		proxy_set_header Host $host;
	763		## needed for container auth
	764		#proxy_set_header REMOTE_USER $remote_user;
	765		#proxy_set_header X-Forwarded-User $remote_user;
	766		proxy_set_header X-Url-Scheme $scheme;
	767		proxy_set_header X-Host $http_host;
	768		proxy_set_header X-Real-IP $remote_addr;
	769		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	770		proxy_set_header Proxy-host $proxy_host;
	771		proxy_buffering off;
	772		proxy_connect_timeout 7200;
	773		proxy_send_timeout 7200;
	774		proxy_read_timeout 7200;
	775		proxy_buffers 8 32k;
	776		client_max_body_size 1024m;
	777		client_body_buffer_size 128k;
	778		large_client_header_buffers 8 64k;
	779
	780
	781		Apache virtual host reverse proxy example
	782		-----------------------------------------
	783
	784		Here is a sample configuration file for Apache using proxy:
	785
	786		.. code-block:: apache
	787
	788		<VirtualHost *:80>
	789		ServerName kallithea.example.com
	790
	791		<Proxy *>
	792		# For Apache 2.4 and later:
	793		Require all granted
	794
	795		# For Apache 2.2 and earlier, instead use:
	796		# Order allow,deny
	797		# Allow from all
	798		</Proxy>
	799
	800		#important !
	801		#Directive to properly generate url (clone url) for Kallithea
	802		ProxyPreserveHost On
	803
	804		#kallithea instance
	805		ProxyPass / http://127.0.0.1:5000/
	806		ProxyPassReverse / http://127.0.0.1:5000/
	807
	808		#to enable https use line below
	809		#SetEnvIf X-Url-Scheme https HTTPS=1
	810		</VirtualHost>
	811
	812		Additional tutorial
	813		http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
	814
	815
	816		Apache as subdirectory
	817		----------------------
	818
	819		Apache subdirectory part:
	820
	821		.. code-block:: apache
	822
	823		<Location /PREFIX >
	824		ProxyPass http://127.0.0.1:5000/PREFIX
	825		ProxyPassReverse http://127.0.0.1:5000/PREFIX
	826		SetEnvIf X-Url-Scheme https HTTPS=1
	827		</Location>
	828
	829		Besides the regular apache setup you will need to add the following line
	830		into ``[app:main]`` section of your .ini file::
	831
	832		filter-with = proxy-prefix
	833
	834		Add the following at the end of the .ini file::
	835
	836		[filter:proxy-prefix]
	837		use = egg:PasteDeploy#prefix
	838		prefix = /PREFIX
	839
	840		then change ``PREFIX`` into your chosen prefix
	841
	842
	843		Apache with mod_wsgi
	844		--------------------
	845
	846		Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
	847		that, you'll need to:
	848
	849		- Install mod_wsgi. If using a Debian-based distro, you can install
	850		the package libapache2-mod-wsgi::
	851
	852		aptitude install libapache2-mod-wsgi
	853
	854		- Enable mod_wsgi::
	855
	856		a2enmod wsgi
	857
	858		- Add global Apache configuration to tell mod_wsgi that Python only will be
	859		used in the WSGI processes and shouldn't be initialized in the Apache
	860		processes::
	861
	862		WSGIRestrictEmbedded On
	863
	864		- Create a wsgi dispatch script, like the one below. Make sure you
	865		check that the paths correctly point to where you installed Kallithea
	866		and its Python Virtual Environment.
	867		- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
	868		as in the following example. Once again, check the paths are
	869		correctly specified.
	870
	871		Here is a sample excerpt from an Apache Virtual Host configuration file:
	872
	873		.. code-block:: apache
	874
	875		WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
	876		python-home=/srv/kallithea/venv
	877		WSGIProcessGroup kallithea
	878		WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
	879		WSGIPassAuthorization On
	880
	881		Or if using a dispatcher WSGI script with proper virtualenv activation:
	882
	883		.. code-block:: apache
	884
	885		WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
	886		WSGIProcessGroup kallithea
	887		WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
	888		WSGIPassAuthorization On
	889
	890		Apache will by default run as a special Apache user, on Linux systems
	891		usually ``www-data`` or ``apache``. If you need to have the repositories
	892		directory owned by a different user, use the user and group options to
	893		WSGIDaemonProcess to set the name of the user and group.
	894
	895		Example WSGI dispatch script:
	896
	897		.. code-block:: python
	898
	899		import os
	900		os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
	901
	902		# sometimes it's needed to set the current dir
	903		os.chdir('/srv/kallithea/')
	904
	905		import site
	906		site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
	907
	908		ini = '/srv/kallithea/my.ini'
	909		from paste.script.util.logging_config import fileConfig
	910		fileConfig(ini)
	911		from paste.deploy import loadapp
	912		application = loadapp('config:' + ini)
	913
	914		Or using proper virtualenv activation:
	915
	916		.. code-block:: python
	917
	918		activate_this = '/srv/kallithea/venv/bin/activate_this.py'
	919		execfile(activate_this, dict(__file__=activate_this))
	920
	921		import os
	922		os.environ['HOME'] = '/srv/kallithea'
	923
	924		ini = '/srv/kallithea/kallithea.ini'
	925		from paste.script.util.logging_config import fileConfig
	926		fileConfig(ini)
	927		from paste.deploy import loadapp
	928		application = loadapp('config:' + ini)
	929
	930
	931		Other configuration files
	932		-------------------------
	933
	934		A number of `example init.d scripts`__ can be found in
	935		the ``init.d`` directory of the Kallithea source.
	936
	937		.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
	938
	939
	940		.. _virtualenv: http://pypi.python.org/pypi/virtualenv
	941		.. _python: http://www.python.org/
	942		.. _Python regular expression documentation: https://docs.python.org/2/library/re.html
	943		.. _Mercurial: https://www.mercurial-scm.org/
	944		.. _Celery: http://celeryproject.org/
	945		.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
	946		.. _RabbitMQ: http://www.rabbitmq.com/
	947		.. _Redis: http://redis.io/
	948	368	.. _python-ldap: http://www.python-ldap.org/
	949		.. _mercurial-server: http://www.lshift.net/mercurial-server.html
	950		.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

docs/index.rst

0 +1 0

                 :maxdepth: 1
                 setup
+                administrator_guide/auth
                 administrator_guide/vcs_setup
                 usage/email
                 usage/customization

docs/setup.rst

0 +8 -359

		@@ -171,364 +171,6 b' from index.'
171	171	If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172	172	or in the admin panel you can check the "build from scratch" checkbox.
173	173
174		.. _ldap-setup:
175
176
177		Setting up LDAP support
178		-----------------------
179
180		Kallithea supports LDAP authentication. In order
181		to use LDAP, you have to install the python-ldap_ package. This package is
182		available via PyPI, so you can install it by running::
183
184		pip install python-ldap
185
186		.. note:: ``python-ldap`` requires some libraries to be installed on
187		your system, so before installing it check that you have at
188		least the ``openldap`` and ``sasl`` libraries.
189
190		Choose Admin > Authentication, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191		and then Save, to enable the LDAP plugin and configure its settings.
192
193		Here's a typical LDAP setup::
194
195		Connection settings
196		Enable LDAP = checked
197		Host = host.example.com
198		Account = <account>
199		Password = <password>
200		Connection Security = LDAPS
201		Certificate Checks = DEMAND
202
203		Search settings
204		Base DN = CN=users,DC=host,DC=example,DC=org
205		LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206		LDAP Search Scope = SUBTREE
207
208		Attribute mappings
209		Login Attribute = uid
210		First Name Attribute = firstName
211		Last Name Attribute = lastName
212		Email Attribute = mail
213
214		If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215
216		Search settings
217		Base DN = DC=host,DC=example,DC=org
218		LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219		LDAP Search Scope = SUBTREE
220
221		.. _enable_ldap:
222
223		Enable LDAP : required
224		Whether to use LDAP for authenticating users.
225
226		.. _ldap_host:
227
228		Host : required
229		LDAP server hostname or IP address. Can be also a comma separated
230		list of servers to support LDAP fail-over.
231
232		.. _Port:
233
234		Port : optional
235		Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236		Defaults to 636 for LDAPS.
237
238		.. _ldap_account:
239
240		Account : optional
241		Only required if the LDAP server does not allow anonymous browsing of
242		records. This should be a special account for record browsing. This
243		will require `LDAP Password`_ below.
244
245		.. _LDAP Password:
246
247		Password : optional
248		Only required if the LDAP server does not allow anonymous browsing of
249		records.
250
251		.. _Enable LDAPS:
252
253		Connection Security : required
254		Defines the connection to LDAP server
255
256		PLAIN
257		Plain unencrypted LDAP connection.
258		This will by default use `Port`_ 389.
259
260		LDAPS
261		Use secure LDAPS connections according to `Certificate
262		Checks`_ configuration.
263		This will by default use `Port`_ 636.
264
265		START_TLS
266		Use START TLS according to `Certificate Checks`_ configuration on an
267		apparently "plain" LDAP connection.
268		This will by default use `Port`_ 389.
269
270		.. _Certificate Checks:
271
272		Certificate Checks : optional
273		How SSL certificates verification is handled -- this is only useful when
274		`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275		with mandatory certificate validation, while the other options are
276		susceptible to man-in-the-middle attacks.
277
278		NEVER
279		A serve certificate will never be requested or checked.
280
281		ALLOW
282		A server certificate is requested. Failure to provide a
283		certificate or providing a bad certificate will not terminate the
284		session.
285
286		TRY
287		A server certificate is requested. Failure to provide a
288		certificate does not halt the session; providing a bad certificate
289		halts the session.
290
291		DEMAND
292		A server certificate is requested and must be provided and
293		authenticated for the session to proceed.
294
295		HARD
296		The same as DEMAND.
297
298		.. _Custom CA Certificates:
299
300		Custom CA Certificates : optional
301		Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302		Python 2.7.10 and later default to using the system certificate store, and
303		this should thus not be necessary when using certificates signed by a CA
304		trusted by the system.
305		It can be set to something like `/etc/openldap/cacerts` on older systems or
306		if using self-signed certificates.
307
308		.. _Base DN:
309
310		Base DN : required
311		The Distinguished Name (DN) where searches for users will be performed.
312		Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313
314		.. _LDAP Filter:
315
316		LDAP Filter : optional
317		A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318		Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319		which LDAP objects are identified as representing Users for
320		authentication. The filter is augmented by `Login Attribute`_ below.
321		This can commonly be left blank.
322
323		.. _LDAP Search Scope:
324
325		LDAP Search Scope : required
326		This limits how far LDAP will search for a matching object.
327
328		BASE
329		Only allows searching of `Base DN`_ and is usually not what you
330		want.
331
332		ONELEVEL
333		Searches all entries under `Base DN`_, but not Base DN itself.
334
335		SUBTREE
336		Searches all entries below `Base DN`_, but not Base DN itself.
337		When using SUBTREE `LDAP Filter`_ is useful to limit object
338		location.
339
340		.. _Login Attribute:
341
342		Login Attribute : required
343		The LDAP record attribute that will be matched as the USERNAME or
344		ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345		Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346		"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347		connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348		::
349
350		(&(LDAPFILTER)(uid=jsmith))
351
352		.. _ldap_attr_firstname:
353
354		First Name Attribute : required
355		The LDAP record attribute which represents the user's first name.
356
357		.. _ldap_attr_lastname:
358
359		Last Name Attribute : required
360		The LDAP record attribute which represents the user's last name.
361
362		.. _ldap_attr_email:
363
364		Email Attribute : required
365		The LDAP record attribute which represents the user's email address.
366
367		If all data are entered correctly, and python-ldap_ is properly installed
368		users should be granted access to Kallithea with LDAP accounts. At this
369		time user information is copied from LDAP into the Kallithea user database.
370		This means that updates of an LDAP user object may not be reflected as a
371		user update in Kallithea.
372
373		If You have problems with LDAP access and believe You entered correct
374		information check out the Kallithea logs, any error messages sent from LDAP
375		will be saved there.
376
377		Active Directory
378		^^^^^^^^^^^^^^^^
379
380		Kallithea can use Microsoft Active Directory for user authentication. This
381		is done through an LDAP or LDAPS connection to Active Directory. The
382		following LDAP configuration settings are typical for using Active
383		Directory ::
384
385		Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386		Login Attribute = sAMAccountName
387		First Name Attribute = givenName
388		Last Name Attribute = sn
389		Email Attribute = mail
390
391		All other LDAP settings will likely be site-specific and should be
392		appropriately configured.
393
394
395		Authentication by container or reverse-proxy
396		--------------------------------------------
397
398		Kallithea supports delegating the authentication
399		of users to its WSGI container, or to a reverse-proxy server through which all
400		clients access the application.
401
402		When these authentication methods are enabled in Kallithea, it uses the
403		username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404		perform the authentication itself. The authorization, however, is still done by
405		Kallithea according to its settings.
406
407		When a user logs in for the first time using these authentication methods,
408		a matching user account is created in Kallithea with default permissions. An
409		administrator can then modify it using Kallithea's admin interface.
410
411		It's also possible for an administrator to create accounts and configure their
412		permissions before the user logs in for the first time, using the :ref:`create-user` API.
413
414		Container-based authentication
415		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416
417		In a container-based authentication setup, Kallithea reads the user name from
418		the ``REMOTE_USER`` server variable provided by the WSGI container.
419
420		After setting up your container (see `Apache with mod_wsgi`_), you'll need
421		to configure it to require authentication on the location configured for
422		Kallithea.
423
424		Proxy pass-through authentication
425		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426
427		In a proxy pass-through authentication setup, Kallithea reads the user name
428		from the ``X-Forwarded-User`` request header, which should be configured to be
429		sent by the reverse-proxy server.
430
431		After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
432		`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
433		configure the authentication and add the username in a request header named
434		``X-Forwarded-User``.
435
436		For example, the following config section for Apache sets a subdirectory in a
437		reverse-proxy setup with basic auth:
438
439		.. code-block:: apache
440
441		<Location /someprefix>
442		ProxyPass http://127.0.0.1:5000/someprefix
443		ProxyPassReverse http://127.0.0.1:5000/someprefix
444		SetEnvIf X-Url-Scheme https HTTPS=1
445
446		AuthType Basic
447		AuthName "Kallithea authentication"
448		AuthUserFile /srv/kallithea/.htpasswd
449		Require valid-user
450
451		RequestHeader unset X-Forwarded-User
452
453		RewriteEngine On
454		RewriteCond %{LA-U:REMOTE_USER} (.+)
455		RewriteRule .* - [E=RU:%1]
456		RequestHeader set X-Forwarded-User %{RU}e
457		</Location>
458
459		Setting metadata in container/reverse-proxy
460		"""""""""""""""""""""""""""""""""""""""""""
461		When a new user account is created on the first login, Kallithea has no information about
462		the user's email and full name. So you can set some additional request headers like in the
463		example below. In this example the user is authenticated via Kerberos and an Apache
464		mod_python fixup handler is used to get the user information from a LDAP server. But you
465		could set the request headers however you want.
466
467		.. code-block:: apache
468
469		<Location /someprefix>
470		ProxyPass http://127.0.0.1:5000/someprefix
471		ProxyPassReverse http://127.0.0.1:5000/someprefix
472		SetEnvIf X-Url-Scheme https HTTPS=1
473
474		AuthName "Kerberos Login"
475		AuthType Kerberos
476		Krb5Keytab /etc/apache2/http.keytab
477		KrbMethodK5Passwd off
478		KrbVerifyKDC on
479		Require valid-user
480
481		PythonFixupHandler ldapmetadata
482
483		RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484		RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485		RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486		RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487		</Location>
488
489		.. code-block:: python
490
491		from mod_python import apache
492		import ldap
493
494		LDAP_SERVER = "ldaps://server.mydomain.com:636"
495		LDAP_USER = ""
496		LDAP_PASS = ""
497		LDAP_ROOT = "dc=mydomain,dc=com"
498		LDAP_FILTER = "sAMAccountName=%s"
499		LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500
501		def fixuphandler(req):
502		if req.user is None:
503		# no user to search for
504		return apache.OK
505		else:
506		try:
507		if('\\' in req.user):
508		username = req.user.split('\\')[1]
509		elif('@' in req.user):
510		username = req.user.split('@')[0]
511		else:
512		username = req.user
513		l = ldap.initialize(LDAP_SERVER)
514		l.simple_bind_s(LDAP_USER, LDAP_PASS)
515		r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516
517		req.subprocess_env['X_REMOTE_USER'] = username
518		req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519		req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520		req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521		except Exception, e:
522		apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523
524		return apache.OK
525
526		.. note::
527		If you enable proxy pass-through authentication, make sure your server is
528		only accessible through the proxy. Otherwise, any client would be able to
529		forge the authentication header and could effectively become authenticated
530		using any account of their liking.
531
532	174
533	175	Integration with issue trackers
534	176	-------------------------------
		@@ -689,6 +331,8 b' directly which scheme/protocol Kallithea'
689	331	- With ``force_https = true`` the default will be ``https``.
690	332	- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691	333
	334	.. _nginx_virtual_host:
	335
692	336
693	337	Nginx virtual host example
694	338	--------------------------
		@@ -777,6 +421,8 b' pushes or large pushes::'
777	421	client_body_buffer_size 128k;
778	422	large_client_header_buffers 8 64k;
779	423
	424	.. _apache_virtual_host_reverse_proxy:
	425
780	426
781	427	Apache virtual host reverse proxy example
782	428	-----------------------------------------
		@@ -812,6 +458,8 b' Here is a sample configuration file for '
812	458	Additional tutorial
813	459	http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814	460
	461	.. _apache_subdirectory:
	462
815	463
816	464	Apache as subdirectory
817	465	----------------------
		@@ -839,6 +487,8 b' Add the following at the end of the .ini'
839	487
840	488	then change ``PREFIX`` into your chosen prefix
841	489
	490	.. _apache_mod_wsgi:
	491
842	492
843	493	Apache with mod_wsgi
844	494	--------------------
		@@ -945,6 +595,5 b' the ``init.d`` directory of the Kallithe'
945	595	.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946	596	.. _RabbitMQ: http://www.rabbitmq.com/
947	597	.. _Redis: http://redis.io/
948		.. _python-ldap: http://www.python-ldap.org/
949	598	.. _mercurial-server: http://www.lshift.net/mercurial-server.html
950	599	.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages