Added documentation for container-based and proxy pass-through authentication
Liad Shani -
r1657:d2a10836 beta
@@ -1,417 +1,417 b''
1 1 .. _changelog:
2 2
3 3 Changelog
4 4 =========
5 5
6 6
7 7 1.3.0 (**XXXX-XX-XX**)
8 8 ======================
9 9
10 10 :status: in-progress
11 11 :branch: beta
12 12
13 13 news
14 14 ----
15 15
16 16 - #215 rst and markdown README files support
17 - #252 pass-through user identity
17 - Container-based and proxy pass-through authentication support (#252)
18 18 - hover top menu
19 19 - configurable clone url posibility to specify ssh:// manually as
20 20 alternative clone url.
21 21
22 22 fixes
23 23 -----
24 24
25 25 1.2.3 (**2011-11-02**)
26 26 ======================
27 27
28 28 news
29 29 ----
30 30
31 31 - added option to manage repos group for non admin users
32 32 - added following API methods for get_users, create_user, get_users_groups,
33 33 get_users_group, create_users_group, add_user_to_users_groups, get_repos,
34 34 get_repo, create_repo, add_user_to_repo
35 35 - implements #237 added password confirmation for my account
36 36 and admin edit user.
37 37 - implements #291 email notification for global events are now sent to all
38 38 administrator users, and global config email.
39 39
40 40 fixes
41 41 -----
42 42
43 43 - added option for passing auth method for smtp mailer
44 44 - #276 issue with adding a single user with id>10 to usergroups
45 45 - #277 fixes windows LDAP settings in which missing values breaks the ldap auth
46 46 - #288 fixes managing of repos in a group for non admin user
47 47
48 48 1.2.2 (**2011-10-17**)
49 49 ======================
50 50
51 51 news
52 52 ----
53 53
54 54 - #226 repo groups are available by path instead of numerical id
55 55
56 56 fixes
57 57 -----
58 58
59 59 - #259 Groups with the same name but with different parent group
60 60 - #260 Put repo in group, then move group to another group -> repo becomes unavailable
61 61 - #258 RhodeCode 1.2 assumes egg folder is writable (lockfiles problems)
62 62 - #265 ldap save fails sometimes on converting attributes to booleans,
63 63 added getter and setter into model that will prevent from this on db model level
64 64 - fixed problems with timestamps issues #251 and #213
65 65 - fixes #266 RhodeCode allows to create repo with the same name and in
66 66 the same parent as group
67 67 - fixes #245 Rescan of the repositories on Windows
68 68 - fixes #248 cannot edit repos inside a group on windows
69 69 - fixes #219 forking problems on windows
70 70
71 71 1.2.1 (**2011-10-08**)
72 72 ======================
73 73
74 74 news
75 75 ----
76 76
77 77
78 78 fixes
79 79 -----
80 80
81 81 - fixed problems with basic auth and push problems
82 82 - gui fixes
83 83 - fixed logger
84 84
85 85 1.2.0 (**2011-10-07**)
86 86 ======================
87 87
88 88 news
89 89 ----
90 90
91 91 - implemented #47 repository groups
92 92 - implemented #89 Can setup google analytics code from settings menu
93 93 - implemented #91 added nicer looking archive urls with more download options
94 94 like tags, branches
95 95 - implemented #44 into file browsing, and added follow branch option
96 96 - implemented #84 downloads can be enabled/disabled for each repository
97 97 - anonymous repository can be cloned without having to pass default:default
98 98 into clone url
99 99 - fixed #90 whoosh indexer can index chooses repositories passed in command
100 100 line
101 101 - extended journal with day aggregates and paging
102 102 - implemented #107 source code lines highlight ranges
103 103 - implemented #93 customizable changelog on combined revision ranges -
104 104 equivalent of githubs compare view
105 105 - implemented #108 extended and more powerful LDAP configuration
106 106 - implemented #56 users groups
107 107 - major code rewrites optimized codes for speed and memory usage
108 108 - raw and diff downloads are now in git format
109 109 - setup command checks for write access to given path
110 110 - fixed many issues with international characters and unicode. It uses utf8
111 111 decode with replace to provide less errors even with non utf8 encoded strings
112 112 - #125 added API KEY access to feeds
113 113 - #109 Repository can be created from external Mercurial link (aka. remote
114 114 repository, and manually updated (via pull) from admin panel
115 115 - beta git support - push/pull server + basic view for git repos
116 116 - added followers page and forks page
117 117 - server side file creation (with binary file upload interface)
118 118 and edition with commits powered by codemirror
119 119 - #111 file browser file finder, quick lookup files on whole file tree
120 120 - added quick login sliding menu into main page
121 121 - changelog uses lazy loading of affected files details, in some scenarios
122 122 this can improve speed of changelog page dramatically especially for
123 123 larger repositories.
124 124 - implements #214 added support for downloading subrepos in download menu.
125 125 - Added basic API for direct operations on rhodecode via JSON
126 126 - Implemented advanced hook management
127 127
128 128 fixes
129 129 -----
130 130
131 131 - fixed file browser bug, when switching into given form revision the url was
132 132 not changing
133 133 - fixed propagation to error controller on simplehg and simplegit middlewares
134 134 - fixed error when trying to make a download on empty repository
135 135 - fixed problem with '[' chars in commit messages in journal
136 136 - fixed #99 Unicode errors, on file node paths with non utf-8 characters
137 137 - journal fork fixes
138 138 - removed issue with space inside renamed repository after deletion
139 139 - fixed strange issue on formencode imports
140 140 - fixed #126 Deleting repository on Windows, rename used incompatible chars.
141 141 - #150 fixes for errors on repositories mapped in db but corrupted in
142 142 filesystem
143 143 - fixed problem with ascendant characters in realm #181
144 144 - fixed problem with sqlite file based database connection pool
145 145 - whoosh indexer and code stats share the same dynamic extensions map
146 146 - fixes #188 - relationship delete of repo_to_perm entry on user removal
147 147 - fixes issue #189 Trending source files shows "show more" when no more exist
148 148 - fixes issue #197 Relative paths for pidlocks
149 149 - fixes issue #198 password will require only 3 chars now for login form
150 150 - fixes issue #199 wrong redirection for non admin users after creating a repository
151 151 - fixes issues #202, bad db constraint made impossible to attach same group
152 152 more than one time. Affects only mysql/postgres
153 153 - fixes #218 os.kill patch for windows was missing sig param
154 154 - improved rendering of dag (they are not trimmed anymore when number of
155 155 heads exceeds 5)
156 156
157 157 1.1.8 (**2011-04-12**)
158 158 ======================
159 159
160 160 news
161 161 ----
162 162
163 163 - improved windows support
164 164
165 165 fixes
166 166 -----
167 167
168 168 - fixed #140 freeze of python dateutil library, since new version is python2.x
169 169 incompatible
170 170 - setup-app will check for write permission in given path
171 171 - cleaned up license info issue #149
172 172 - fixes for issues #137,#116 and problems with unicode and accented characters.
173 173 - fixes crashes on gravatar, when passed in email as unicode
174 174 - fixed tooltip flickering problems
175 175 - fixed came_from redirection on windows
176 176 - fixed logging modules, and sql formatters
177 177 - windows fixes for os.kill issue #133
178 178 - fixes path splitting for windows issues #148
179 179 - fixed issue #143 wrong import on migration to 1.1.X
180 180 - fixed problems with displaying binary files, thanks to Thomas Waldmann
181 181 - removed name from archive files since it's breaking ui for long repo names
182 182 - fixed issue with archive headers sent to browser, thanks to Thomas Waldmann
183 183 - fixed compatibility for 1024px displays, and larger dpi settings, thanks to
184 184 Thomas Waldmann
185 185 - fixed issue #166 summary pager was skipping 10 revisions on second page
186 186
187 187
188 188 1.1.7 (**2011-03-23**)
189 189 ======================
190 190
191 191 news
192 192 ----
193 193
194 194 fixes
195 195 -----
196 196
197 197 - fixed (again) #136 installation support for FreeBSD
198 198
199 199
200 200 1.1.6 (**2011-03-21**)
201 201 ======================
202 202
203 203 news
204 204 ----
205 205
206 206 fixes
207 207 -----
208 208
209 209 - fixed #136 installation support for FreeBSD
210 210 - RhodeCode will check for python version during installation
211 211
212 212 1.1.5 (**2011-03-17**)
213 213 ======================
214 214
215 215 news
216 216 ----
217 217
218 218 - basic windows support, by exchanging pybcrypt into sha256 for windows only
219 219 highly inspired by idea of mantis406
220 220
221 221 fixes
222 222 -----
223 223
224 224 - fixed sorting by author in main page
225 225 - fixed crashes with diffs on binary files
226 226 - fixed #131 problem with boolean values for LDAP
227 227 - fixed #122 mysql problems thanks to striker69
228 228 - fixed problem with errors on calling raw/raw_files/annotate functions
229 229 with unknown revisions
230 230 - fixed returned rawfiles attachment names with international character
231 231 - cleaned out docs, big thanks to Jason Harris
232 232
233 233 1.1.4 (**2011-02-19**)
234 234 ======================
235 235
236 236 news
237 237 ----
238 238
239 239 fixes
240 240 -----
241 241
242 242 - fixed formencode import problem on settings page, that caused server crash
243 243 when that page was accessed as first after server start
244 244 - journal fixes
245 245 - fixed option to access repository just by entering http://server/<repo_name>
246 246
247 247 1.1.3 (**2011-02-16**)
248 248 ======================
249 249
250 250 news
251 251 ----
252 252
253 253 - implemented #102 allowing the '.' character in username
254 254 - added option to access repository just by entering http://server/<repo_name>
255 255 - celery task ignores result for better performance
256 256
257 257 fixes
258 258 -----
259 259
260 260 - fixed ehlo command and non auth mail servers on smtp_lib. Thanks to
261 261 apollo13 and Johan Walles
262 262 - small fixes in journal
263 263 - fixed problems with getting setting for celery from .ini files
264 264 - registration, password reset and login boxes share the same title as main
265 265 application now
266 266 - fixed #113: to high permissions to fork repository
267 267 - fixed problem with '[' chars in commit messages in journal
268 268 - removed issue with space inside renamed repository after deletion
269 269 - db transaction fixes when filesystem repository creation failed
270 270 - fixed #106 relation issues on databases different than sqlite
271 271 - fixed static files paths links to use of url() method
272 272
273 273 1.1.2 (**2011-01-12**)
274 274 ======================
275 275
276 276 news
277 277 ----
278 278
279 279
280 280 fixes
281 281 -----
282 282
283 283 - fixes #98 protection against float division of percentage stats
284 284 - fixed graph bug
285 285 - forced webhelpers version since it was making troubles during installation
286 286
287 287 1.1.1 (**2011-01-06**)
288 288 ======================
289 289
290 290 news
291 291 ----
292 292
293 293 - added force https option into ini files for easier https usage (no need to
294 294 set server headers with this options)
295 295 - small css updates
296 296
297 297 fixes
298 298 -----
299 299
300 300 - fixed #96 redirect loop on files view on repositories without changesets
301 301 - fixed #97 unicode string passed into server header in special cases (mod_wsgi)
302 302 and server crashed with errors
303 303 - fixed large tooltips problems on main page
304 304 - fixed #92 whoosh indexer is more error proof
305 305
306 306 1.1.0 (**2010-12-18**)
307 307 ======================
308 308
309 309 news
310 310 ----
311 311
312 312 - rewrite of internals for vcs >=0.1.10
313 313 - uses mercurial 1.7 with dotencode disabled for maintaining compatibility
314 314 with older clients
315 315 - anonymous access, authentication via ldap
316 316 - performance upgrade for cached repos list - each repository has it's own
317 317 cache that's invalidated when needed.
318 318 - performance upgrades on repositories with large amount of commits (20K+)
319 319 - main page quick filter for filtering repositories
320 320 - user dashboards with ability to follow chosen repositories actions
321 321 - sends email to admin on new user registration
322 322 - added cache/statistics reset options into repository settings
323 323 - more detailed action logger (based on hooks) with pushed changesets lists
324 324 and options to disable those hooks from admin panel
325 325 - introduced new enhanced changelog for merges that shows more accurate results
326 326 - new improved and faster code stats (based on pygments lexers mapping tables,
327 327 showing up to 10 trending sources for each repository. Additionally stats
328 328 can be disabled in repository settings.
329 329 - gui optimizations, fixed application width to 1024px
330 330 - added cut off (for large files/changesets) limit into config files
331 331 - whoosh, celeryd, upgrade moved to paster command
332 332 - other than sqlite database backends can be used
333 333
334 334 fixes
335 335 -----
336 336
337 337 - fixes #61 forked repo was showing only after cache expired
338 338 - fixes #76 no confirmation on user deletes
339 339 - fixes #66 Name field misspelled
340 340 - fixes #72 block user removal when he owns repositories
341 341 - fixes #69 added password confirmation fields
342 342 - fixes #87 RhodeCode crashes occasionally on updating repository owner
343 343 - fixes #82 broken annotations on files with more than 1 blank line at the end
344 344 - a lot of fixes and tweaks for file browser
345 345 - fixed detached session issues
346 346 - fixed when user had no repos he would see all repos listed in my account
347 347 - fixed ui() instance bug when global hgrc settings was loaded for server
348 348 instance and all hgrc options were merged with our db ui() object
349 349 - numerous small bugfixes
350 350
351 351 (special thanks for TkSoh for detailed feedback)
352 352
353 353
354 354 1.0.2 (**2010-11-12**)
355 355 ======================
356 356
357 357 news
358 358 ----
359 359
360 360 - tested under python2.7
361 361 - bumped sqlalchemy and celery versions
362 362
363 363 fixes
364 364 -----
365 365
366 366 - fixed #59 missing graph.js
367 367 - fixed repo_size crash when repository had broken symlinks
368 368 - fixed python2.5 crashes.
369 369
370 370
371 371 1.0.1 (**2010-11-10**)
372 372 ======================
373 373
374 374 news
375 375 ----
376 376
377 377 - small css updated
378 378
379 379 fixes
380 380 -----
381 381
382 382 - fixed #53 python2.5 incompatible enumerate calls
383 383 - fixed #52 disable mercurial extension for web
384 384 - fixed #51 deleting repositories don't delete it's dependent objects
385 385
386 386
387 387 1.0.0 (**2010-11-02**)
388 388 ======================
389 389
390 390 - security bugfix simplehg wasn't checking for permissions on commands
391 391 other than pull or push.
392 392 - fixed doubled messages after push or pull in admin journal
393 393 - templating and css corrections, fixed repo switcher on chrome, updated titles
394 394 - admin menu accessible from options menu on repository view
395 395 - permissions cached queries
396 396
397 397 1.0.0rc4 (**2010-10-12**)
398 398 ==========================
399 399
400 400 - fixed python2.5 missing simplejson imports (thanks to Jens BΓ€ckman)
401 401 - removed cache_manager settings from sqlalchemy meta
402 402 - added sqlalchemy cache settings to ini files
403 403 - validated password length and added second try of failure on paster setup-app
404 404 - fixed setup database destroy prompt even when there was no db
405 405
406 406
407 407 1.0.0rc3 (**2010-10-11**)
408 408 =========================
409 409
410 410 - fixed i18n during installation.
411 411
412 412 1.0.0rc2 (**2010-10-11**)
413 413 =========================
414 414
415 415 - Disabled dirsize in file browser, it's causing nasty bug when dir renames
416 416 occure. After vcs is fixed it'll be put back again.
417 417 - templating/css rewrites, optimized css. No newline at end of file
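Review bot: The replacement entry on new line 17 breaks the pattern of the other news items in this list, which are lowercase and lead with the issue number (`- #215 rst and markdown README files support`); writing it as `- #252 container-based and proxy pass-through authentication support` would keep the 1.3.0 list uniform. Since the feature lets a front-end server assert the username, the entry could also name the two settings documented in setup.rst, `container_auth_enabled` and `proxypass_auth_enabled`, so that readers of the changelog can find the switches.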
@@ -1,605 +1,685 b''
1 1 .. _setup:
2 2
3 3 Setup
4 4 =====
5 5
6 6
7 7 Setting up RhodeCode
8 8 --------------------
9 9
10 10 First, you will need to create a RhodeCode configuration file. Run the
11 11 following command to do this::
12 12
13 13 paster make-config RhodeCode production.ini
14 14
15 15 - This will create the file `production.ini` in the current directory. This
16 16 configuration file contains the various settings for RhodeCode, e.g proxy
17 17 port, email settings, usage of static files, cache, celery settings and
18 18 logging.
19 19
20 20
21 21 Next, you need to create the databases used by RhodeCode. I recommend that you
22 22 use sqlite (default) or postgresql. If you choose a database other than the
23 23 default ensure you properly adjust the db url in your production.ini
24 24 configuration file to use this other database. Create the databases by running
25 25 the following command::
26 26
27 27 paster setup-app production.ini
28 28
29 29 This will prompt you for a "root" path. This "root" path is the location where
30 30 RhodeCode will store all of its repositories on the current machine. After
31 31 entering this "root" path ``setup-app`` will also prompt you for a username
32 32 and password for the initial admin account which ``setup-app`` sets up for you.
33 33
34 34 - The ``setup-app`` command will create all of the needed tables and an admin
35 35 account. When choosing a root path you can either use a new empty location,
36 36 or a location which already contains existing repositories. If you choose a
37 37 location which contains existing repositories RhodeCode will simply add all
38 38 of the repositories at the chosen location to it's database. (Note: make
39 39 sure you specify the correct path to the root).
40 40 - Note: the given path for mercurial_ repositories **must** be write accessible
41 41 for the application. It's very important since the RhodeCode web interface
42 42 will work without write access, but when trying to do a push it will
43 43 eventually fail with permission denied errors unless it has write access.
44 44
45 45 You are now ready to use RhodeCode, to run it simply execute::
46 46
47 47 paster serve production.ini
48 48
49 49 - This command runs the RhodeCode server. The web app should be available at the
50 50 127.0.0.1:5000. This ip and port is configurable via the production.ini
51 51 file created in previous step
52 52 - Use the admin account you created above when running ``setup-app`` to login
53 53 to the web app.
54 54 - The default permissions on each repository is read, and the owner is admin.
55 55 Remember to update these if needed.
56 56 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
57 57 well as edit more advanced options on users and repositories
58 58
59 59 Try copying your own mercurial repository into the "root" directory you are
60 60 using, then from within the RhodeCode web application choose Admin >
61 61 repositories. Then choose Add New Repository. Add the repository you copied
62 62 into the root. Test that you can browse your repository from within RhodeCode
63 63 and then try cloning your repository from RhodeCode with::
64 64
65 65 hg clone http://127.0.0.1:5000/<repository name>
66 66
67 67 where *repository name* is replaced by the name of your repository.
68 68
69 69 Using RhodeCode with SSH
70 70 ------------------------
71 71
72 72 RhodeCode currently only hosts repositories using http and https. (The addition
73 73 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 74 parallel with RhodeCode. (Repository access via ssh is a standard "out of
75 75 the box" feature of mercurial_ and you can use this to access any of the
76 76 repositories that RhodeCode is hosting. See PublishingRepositories_)
77 77
78 78 RhodeCode repository structures are kept in directories with the same name
79 79 as the project. When using repository groups, each group is a subdirectory.
80 80 This allows you to easily use ssh for accessing repositories.
81 81
82 82 In order to use ssh you need to make sure that your web-server and the users
83 83 login accounts have the correct permissions set on the appropriate directories.
84 84 (Note that these permissions are independent of any permissions you have set up
85 85 using the RhodeCode web interface.)
86 86
87 87 If your main directory (the same as set in RhodeCode settings) is for example
88 88 set to **/home/hg** and the repository you are using is named `rhodecode`, then
89 89 to clone via ssh you should run::
90 90
91 91 hg clone ssh://user@server.com/home/hg/rhodecode
92 92
93 93 Using other external tools such as mercurial-server_ or using ssh key based
94 94 authentication is fully supported.
95 95
96 96 Note: In an advanced setup, in order for your ssh access to use the same
97 97 permissions as set up via the RhodeCode web interface, you can create an
98 98 authentication hook to connect to the rhodecode db and runs check functions for
99 99 permissions against that.
100 100
101 101 Setting up Whoosh full text search
102 102 ----------------------------------
103 103
104 104 Starting from version 1.1 the whoosh index can be build by using the paster
105 105 command ``make-index``. To use ``make-index`` you must specify the configuration
106 106 file that stores the location of the index. You may specify the location of the
107 107 repositories (`--repo-location`). If not specified, this value is retrieved
108 108 from the RhodeCode database. This was required prior to 1.2. Starting from
109 109 version 1.2 it is also possible to specify a comma separated list of
110 110 repositories (`--index-only`) to build index only on chooses repositories
111 111 skipping any other found in repos location
112 112
113 113 You may optionally pass the option `-f` to enable a full index rebuild. Without
114 114 the `-f` option, indexing will run always in "incremental" mode.
115 115
116 116 For an incremental index build use::
117 117
118 118 paster make-index production.ini
119 119
120 120 For a full index rebuild use::
121 121
122 122 paster make-index production.ini -f
123 123
124 124
125 125 building index just for chosen repositories is possible with such command::
126 126
127 127 paster make-index production.ini --index-only=vcs,rhodecode
128 128
129 129
130 130 In order to do periodical index builds and keep your index always up to date.
131 131 It's recommended to do a crontab entry for incremental indexing.
132 132 An example entry might look like this::
133 133
134 134 /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini
135 135
136 136 When using incremental mode (the default) whoosh will check the last
137 137 modification date of each file and add it to be reindexed if a newer file is
138 138 available. The indexing daemon checks for any removed files and removes them
139 139 from index.
140 140
141 141 If you want to rebuild index from scratch, you can use the `-f` flag as above,
142 142 or in the admin panel you can check `build from scratch` flag.
143 143
144 144
145 145 Setting up LDAP support
146 146 -----------------------
147 147
148 148 RhodeCode starting from version 1.1 supports ldap authentication. In order
149 149 to use LDAP, you have to install the python-ldap_ package. This package is
150 150 available via pypi, so you can install it by running
151 151
152 152 using easy_install::
153 153
154 154 easy_install python-ldap
155 155
156 156 using pip::
157 157
158 158 pip install python-ldap
159 159
160 160 .. note::
161 161 python-ldap requires some certain libs on your system, so before installing
162 162 it check that you have at least `openldap`, and `sasl` libraries.
163 163
164 164 LDAP settings are located in admin->ldap section,
165 165
166 166 Here's a typical ldap setup::
167 167
168 168 Connection settings
169 169 Enable LDAP = checked
170 170 Host = host.example.org
171 171 Port = 389
172 172 Account = <account>
173 173 Password = <password>
174 174 Connection Security = LDAPS connection
175 175 Certificate Checks = DEMAND
176 176
177 177 Search settings
178 178 Base DN = CN=users,DC=host,DC=example,DC=org
179 179 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
180 180 LDAP Search Scope = SUBTREE
181 181
182 182 Attribute mappings
183 183 Login Attribute = uid
184 184 First Name Attribute = firstName
185 185 Last Name Attribute = lastName
186 186 E-mail Attribute = mail
187 187
188 188 .. _enable_ldap:
189 189
190 190 Enable LDAP : required
191 191 Whether to use LDAP for authenticating users.
192 192
193 193 .. _ldap_host:
194 194
195 195 Host : required
196 196 LDAP server hostname or IP address.
197 197
198 198 .. _Port:
199 199
200 200 Port : required
201 201 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
202 202
203 203 .. _ldap_account:
204 204
205 205 Account : optional
206 206 Only required if the LDAP server does not allow anonymous browsing of
207 207 records. This should be a special account for record browsing. This
208 208 will require `LDAP Password`_ below.
209 209
210 210 .. _LDAP Password:
211 211
212 212 Password : optional
213 213 Only required if the LDAP server does not allow anonymous browsing of
214 214 records.
215 215
216 216 .. _Enable LDAPS:
217 217
218 218 Connection Security : required
219 219 Defines the connection to LDAP server
220 220
221 221 No encryption
222 222 Plain non encrypted connection
223 223
224 224 LDAPS connection
225 225 Enable ldaps connection. It will likely require `Port`_ to be set to
226 226 a different value (standard LDAPS port is 636). When LDAPS is enabled
227 227 then `Certificate Checks`_ is required.
228 228
229 229 START_TLS on LDAP connection
230 230 START TLS connection
231 231
232 232 .. _Certificate Checks:
233 233
234 234 Certificate Checks : optional
235 235 How SSL certificates verification is handled - this is only useful when
236 236 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
237 237 while the other options are susceptible to man-in-the-middle attacks. SSL
238 238 certificates can be installed to /etc/openldap/cacerts so that the
239 239 DEMAND or HARD options can be used with self-signed certificates or
240 240 certificates that do not have traceable certificates of authority.
241 241
242 242 NEVER
243 243 A serve certificate will never be requested or checked.
244 244
245 245 ALLOW
246 246 A server certificate is requested. Failure to provide a
247 247 certificate or providing a bad certificate will not terminate the
248 248 session.
249 249
250 250 TRY
251 251 A server certificate is requested. Failure to provide a
252 252 certificate does not halt the session; providing a bad certificate
253 253 halts the session.
254 254
255 255 DEMAND
256 256 A server certificate is requested and must be provided and
257 257 authenticated for the session to proceed.
258 258
259 259 HARD
260 260 The same as DEMAND.
261 261
262 262 .. _Base DN:
263 263
264 264 Base DN : required
265 265 The Distinguished Name (DN) where searches for users will be performed.
266 266 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
267 267
268 268 .. _LDAP Filter:
269 269
270 270 LDAP Filter : optional
271 271 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
272 272 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
273 273 which LDAP objects are identified as representing Users for
274 274 authentication. The filter is augmented by `Login Attribute`_ below.
275 275 This can commonly be left blank.
276 276
277 277 .. _LDAP Search Scope:
278 278
279 279 LDAP Search Scope : required
280 280 This limits how far LDAP will search for a matching object.
281 281
282 282 BASE
283 283 Only allows searching of `Base DN`_ and is usually not what you
284 284 want.
285 285
286 286 ONELEVEL
287 287 Searches all entries under `Base DN`_, but not Base DN itself.
288 288
289 289 SUBTREE
290 290 Searches all entries below `Base DN`_, but not Base DN itself.
291 291 When using SUBTREE `LDAP Filter`_ is useful to limit object
292 292 location.
293 293
294 294 .. _Login Attribute:
295 295
296 296 Login Attribute : required
297 297 The LDAP record attribute that will be matched as the USERNAME or
298 298 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
299 299 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
300 300 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
301 301 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
302 302 ::
303 303
304 304 (&(LDAPFILTER)(uid=jsmith))
305 305
306 306 .. _ldap_attr_firstname:
307 307
308 308 First Name Attribute : required
309 309 The LDAP record attribute which represents the user's first name.
310 310
311 311 .. _ldap_attr_lastname:
312 312
313 313 Last Name Attribute : required
314 314 The LDAP record attribute which represents the user's last name.
315 315
316 316 .. _ldap_attr_email:
317 317
318 318 Email Attribute : required
319 319 The LDAP record attribute which represents the user's email address.
320 320
321 321 If all data are entered correctly, and python-ldap_ is properly installed
322 322 users should be granted access to RhodeCode with ldap accounts. At this
323 323 time user information is copied from LDAP into the RhodeCode user database.
324 324 This means that updates of an LDAP user object may not be reflected as a
325 325 user update in RhodeCode.
326 326
327 327 If You have problems with LDAP access and believe You entered correct
328 328 information check out the RhodeCode logs, any error messages sent from LDAP
329 329 will be saved there.
330 330
331 331 Active Directory
332 332 ''''''''''''''''
333 333
334 334 RhodeCode can use Microsoft Active Directory for user authentication. This
335 335 is done through an LDAP or LDAPS connection to Active Directory. The
336 336 following LDAP configuration settings are typical for using Active
337 337 Directory ::
338 338
339 339 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
340 340 Login Attribute = sAMAccountName
341 341 First Name Attribute = givenName
342 342 Last Name Attribute = sn
343 343 E-mail Attribute = mail
344 344
345 345 All other LDAP settings will likely be site-specific and should be
346 346 appropriately configured.
347 347
348 348
349 349
350 Authentication by container or reverse-proxy
351 --------------------------------------------
352
353 Starting with version 1.3, RhodeCode supports delegating the authentication
354 of users to its WSGI container, or to a reverse-proxy server through which all
355 clients access the application.
356
357 When these authentication methods are enabled in RhodeCode, it uses the
358 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't
359 perform the authentication itself. The authorization, however, is still done by
360 RhodeCode according to its settings.
361
362 When a user logs in for the first time using these authentication methods,
363 a matching user account is created in RhodeCode with default permissions. An
364 administrator can then modify it using RhodeCode's admin interface.
365 It's also possible for an administrator to create accounts and configure their
366 permissions before the user logs in for the first time.
367
368 Container-based authentication
369 ''''''''''''''''''''''''''''''
370
371 In a container-based authentication setup, RhodeCode reads the user name from
372 the ``REMOTE_USER`` server variable provided by the WSGI container.
373
374 After setting up your container (see `Apache's WSGI config`_), you'd need
375 to configure it to require authentication on the location configured for
376 RhodeCode.
377
378 In order for RhodeCode to start using the provided username, you should set the
379 following in the [app:main] section of your .ini file::
380
381 container_auth_enabled = true
382
383
384 Proxy pass-through authentication
385 '''''''''''''''''''''''''''''''''
386
387 In a proxy pass-through authentication setup, RhodeCode reads the user name
388 from the ``X-Forwarded-User`` request header, which should be configured to be
389 sent by the reverse-proxy server.
390
391 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
392 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to
393 configure the authentication and add the username in a request header named
394 ``X-Forwarded-User``.
395
396 For example, the following config section for Apache sets a subdirectory in a
397 reverse-proxy setup with basic auth::
398
399 <Location /<someprefix> >
400 ProxyPass http://127.0.0.1:5000/<someprefix>
401 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
402 SetEnvIf X-Url-Scheme https HTTPS=1
403
404 AuthType Basic
405 AuthName "RhodeCode authentication"
406 AuthUserFile /home/web/rhodecode/.htpasswd
407 require valid-user
408
409 RequestHeader unset X-Forwarded-User
410
411 RewriteEngine On
412 RewriteCond %{LA-U:REMOTE_USER} (.+)
413 RewriteRule .* - [E=RU:%1]
414 RequestHeader set X-Forwarded-User %{RU}e
415 </Location>
416
417 In order for RhodeCode to start using the forwarded username, you should set
418 the following in the [app:main] section of your .ini file::
419
420 proxypass_auth_enabled = true
421
422 .. note::
423 If you enable proxy pass-through authentication, make sure your server is
424 only accessible through the proxy. Otherwise, any client would be able to
425 forge the authentication header and could effectively become authenticated
426 using any account of their liking.
427
428
429
350 430 Hook management
351 431 ---------------
352 432
353 433 Hooks can be managed in similar way to this used in .hgrc files.
354 434 To access hooks setting click `advanced setup` on Hooks section of Mercurial
355 435 Settings in Admin.
356 436
357 437 There are 4 built in hooks that cannot be changed (only enable/disable by
358 438 checkboxes on previos section).
359 439 To add another custom hook simply fill in first section with
360 440 <name>.<hook_type> and the second one with hook path. Example hooks
361 441 can be found at *rhodecode.lib.hooks*.
362 442
363 443
364 444 Setting Up Celery
365 445 -----------------
366 446
367 447 Since version 1.1 celery is configured by the rhodecode ini configuration files.
368 448 Simply set use_celery=true in the ini file then add / change the configuration
369 449 variables inside the ini file.
370 450
371 451 Remember that the ini files use the format with '.' not with '_' like celery.
372 452 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
373 453 the config file.
374 454
375 455 In order to start using celery run::
376 456
377 457 paster celeryd <configfile.ini>
378 458
379 459
380 460 .. note::
381 461 Make sure you run this command from the same virtualenv, and with the same
382 462 user that rhodecode runs.
383 463
384 464 HTTPS support
385 465 -------------
386 466
387 467 There are two ways to enable https:
388 468
389 469 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
390 470 recognize this headers and make proper https redirections
391 471 - Alternatively, change the `force_https = true` flag in the ini configuration
392 472 to force using https, no headers are needed than to enable https
393 473
394 474
395 475 Nginx virtual host example
396 476 --------------------------
397 477
398 478 Sample config for nginx using proxy::
399 479
400 480 server {
401 481 listen 80;
402 482 server_name hg.myserver.com;
403 483 access_log /var/log/nginx/rhodecode.access.log;
404 484 error_log /var/log/nginx/rhodecode.error.log;
405 485 location / {
406 486 root /var/www/rhodecode/rhodecode/public/;
407 487 if (!-f $request_filename){
408 488 proxy_pass http://127.0.0.1:5000;
409 489 }
410 490 #this is important if you want to use https !!!
411 491 proxy_set_header X-Url-Scheme $scheme;
412 492 include /etc/nginx/proxy.conf;
413 493 }
414 494 }
415 495
416 496 Here's the proxy.conf. It's tuned so it will not timeout on long
417 497 pushes or large pushes::
418 498
419 499 proxy_redirect off;
420 500 proxy_set_header Host $host;
421 501 proxy_set_header X-Host $http_host;
422 502 proxy_set_header X-Real-IP $remote_addr;
423 503 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
424 504 proxy_set_header Proxy-host $proxy_host;
425 505 client_max_body_size 400m;
426 506 client_body_buffer_size 128k;
427 507 proxy_buffering off;
428 508 proxy_connect_timeout 7200;
429 509 proxy_send_timeout 7200;
430 510 proxy_read_timeout 7200;
431 511 proxy_buffers 8 32k;
432 512
433 513 Also, when using root path with nginx you might set the static files to false
434 514 in the production.ini file::
435 515
436 516 [app:main]
437 517 use = egg:rhodecode
438 518 full_stack = true
439 519 static_files = false
440 520 lang=en
441 521 cache_dir = %(here)s/data
442 522
443 523 In order to not have the statics served by the application. This improves speed.
444 524
445 525
446 526 Apache virtual host reverse proxy example
447 527 -----------------------------------------
448 528
449 529 Here is a sample configuration file for apache using proxy::
450 530
451 531 <VirtualHost *:80>
452 532 ServerName hg.myserver.com
453 533 ServerAlias hg.myserver.com
454 534
455 535 <Proxy *>
456 536 Order allow,deny
457 537 Allow from all
458 538 </Proxy>
459 539
460 540 #important !
461 541 #Directive to properly generate url (clone url) for pylons
462 542 ProxyPreserveHost On
463 543
464 544 #rhodecode instance
465 545 ProxyPass / http://127.0.0.1:5000/
466 546 ProxyPassReverse / http://127.0.0.1:5000/
467 547
468 548 #to enable https use line below
469 549 #SetEnvIf X-Url-Scheme https HTTPS=1
470 550
471 551 </VirtualHost>
472 552
473 553
474 554 Additional tutorial
475 555 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
476 556
477 557
478 558 Apache as subdirectory
479 559 ----------------------
480 560
481 561 Apache subdirectory part::
482 562
483 563 <Location /<someprefix> >
484 564 ProxyPass http://127.0.0.1:5000/<someprefix>
485 565 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
486 566 SetEnvIf X-Url-Scheme https HTTPS=1
487 567 </Location>
488 568
489 569 Besides the regular apache setup you will need to add the following line
490 570 into [app:main] section of your .ini file::
491 571
492 572 filter-with = proxy-prefix
493 573
494 574 Add the following at the end of the .ini file::
495 575
496 576 [filter:proxy-prefix]
497 577 use = egg:PasteDeploy#prefix
498 578 prefix = /<someprefix>
499 579
500 580
501 581 then change <someprefix> into your choosen prefix
502 582
503 583 Apache's WSGI config
504 584 --------------------
505 585
506 586 Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For
507 587 that, you'll need to:
508 588
509 589 - Install mod_wsgi. If using a Debian-based distro, you can install
510 590 the package libapache2-mod-wsgi::
511 591
512 592 aptitude install libapache2-mod-wsgi
513 593
514 594 - Enable mod_wsgi::
515 595
516 596 a2enmod wsgi
517 597
518 598 - Create a wsgi dispatch script, like the one below. Make sure you
519 599 check the paths correctly point to where you installed RhodeCode
520 600 and its Python Virtual Environment.
521 601 - Enable the WSGIScriptAlias directive for the wsgi dispatch script,
522 602 as in the following example. Once again, check the paths are
523 603 correctly specified.
524 604
525 605 Here is a sample excerpt from an Apache Virtual Host configuration file::
526 606
527 607 WSGIDaemonProcess pylons user=www-data group=www-data processes=1 \
528 608 threads=4 \
529 609 python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages
530 610 WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi
531 611
532 612 Example wsgi dispatch script::
533 613
534 614 import os
535 615 os.environ["HGENCODING"] = "UTF-8"
536 616 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
537 617
538 618 # sometimes it's needed to set the curent dir
539 619 os.chdir('/home/web/rhodecode/')
540 620
541 621 import site
542 622 site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages")
543 623
544 624 from paste.deploy import loadapp
545 625 from paste.script.util.logging_config import fileConfig
546 626
547 627 fileConfig('/home/web/rhodecode/production.ini')
548 628 application = loadapp('config:/home/web/rhodecode/production.ini')
549 629
550 630 Note: when using mod_wsgi you'll need to install the same version of
551 631 Mercurial that's inside RhodeCode's virtualenv also on the system's Python
552 632 environment.
553 633
554 634
555 635 Other configuration files
556 636 -------------------------
557 637
558 638 Some example init.d scripts can be found here, for debian and gentoo:
559 639
560 640 https://rhodecode.org/rhodecode/files/tip/init.d
561 641
562 642
563 643 Troubleshooting
564 644 ---------------
565 645
566 646 :Q: **Missing static files?**
567 647 :A: Make sure either to set the `static_files = true` in the .ini file or
568 648 double check the root path for your http setup. It should point to
569 649 for example:
570 650 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
571 651
572 652 |
573 653
574 654 :Q: **Can't install celery/rabbitmq**
575 655 :A: Don't worry RhodeCode works without them too. No extra setup is required.
576 656
577 657 |
578 658
579 659 :Q: **Long lasting push timeouts?**
580 660 :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts
581 661 are caused by https server and not RhodeCode.
582 662
583 663 |
584 664
585 665 :Q: **Large pushes timeouts?**
586 666 :A: Make sure you set a proper max_body_size for the http server.
587 667
588 668 |
589 669
590 670 :Q: **Apache doesn't pass basicAuth on pull/push?**
591 671 :A: Make sure you added `WSGIPassAuthorization true`.
592 672
593 673 For further questions search the `Issues tracker`_, or post a message in the
594 674 `google group rhodecode`_
595 675
596 676 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
597 677 .. _python: http://www.python.org/
598 678 .. _mercurial: http://mercurial.selenic.com/
599 679 .. _celery: http://celeryproject.org/
600 680 .. _rabbitmq: http://www.rabbitmq.com/
601 681 .. _python-ldap: http://www.python-ldap.org/
602 682 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
603 683 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
604 684 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
605 685 .. _google group rhodecode: http://groups.google.com/group/rhodecode
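Review bot: The new "Proxy pass-through authentication" section never states that the proxy must discard any client-supplied ``X-Forwarded-User`` before setting its own value. The Apache sample does this with `RequestHeader unset X-Forwarded-User`, but the line is unexplained, and the closing note only covers clients that reach the server without going through the proxy. A forged header sent through the proxy is the same problem. The section also points readers to the Nginx virtual host example, which sets no ``X-Forwarded-User`` at all, so someone adapting it has nothing telling them to overwrite the header. Suggest a sentence after the Apache block saying the unset line is required, plus either an Nginx equivalent or dropping the Nginx reference until one exists. The note could also name a concrete way to keep the server reachable only through the proxy, such as listening on 127.0.0.1, the address the ProxyPass lines already target. Separately, the container-based section tells the reader to require authentication on the RhodeCode location but shows no sample, unlike the proxy section; a short excerpt next to the existing WSGIScriptAlias example would help.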