Changes between Version 18 and Version 19 of TracAuthenticationIntroduction
- Timestamp: Jun 1, 2020, 10:27:49 PM (4 years ago)
TracAuthenticationIntroduction
v18 v19 1 1 = Introduction to Authentication for Trac 2 2 3 ||This is a work in progress document - and is written by someone who has been working this stuff out, rather than an expert. Please feel free to add clarifications, corrections and additions|| 3 {{{#!box note 4 This is a work in progress document, written by someone who has been working this stuff out, rather than an expert. Please feel free to add clarifications, corrections, and additions. 5 }}} 4 6 5 When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. Th is is not the case for the development server [wiki:TracStandalone tracd], which is not covered here. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication.7 When deploying on a server such as Apache, Trac relies on any of the server's HTTP authentication methods, such as Basic and Digest. Therefore, if you want to get Trac authentication working, you first need to understand how your server and your browser deal with HTTP authentication. 6 8 7 9 There are 2 basic approaches to Trac authentication:- … … 9 11 2. Restrict access such that the Trac installation is visible to someone without authentication, but you can login with Trac. 10 12 11 The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found at https://httpd.apache.org/docs/2.4/howto/auth.html13 The following examples are based on an Apache httpd server. Further information on authentication on Apache can be found in the [https://httpd.apache.org/docs/2.4/howto/auth.html Apache Auth documentation]. 12 14 13 They use a password file at {{{/var/www/db/passwd}}}. 
You can manipulate this file with the {{{htpasswd}}} program or with `user_manage` as described in https://httpd.apache.org/docs/current/programs/htpasswd.html.15 They use a password file at `/var/www/db/passwd`. You can manipulate this file with the [https://httpd.apache.org/docs/current/programs/htpasswd.html htpasswd]. 14 16 15 17 == Require Authentication To Access The Entire Trac Installation … … 19 21 It has the advantage of being simpler to implement and manage. It also allows you to know that your data is as secure as your web server authentication scheme and that there is a degree of trust in the user information entered on tickets etc. 20 22 21 The disadvantage of this method is that you cannot have a finer control over user permissions, for example: user `abc` can view, but not edit location `/path/to/location`.23 The disadvantage of this method is that anonymous access, typically with view-only permissions, is not allowed. 22 24 23 For a Trac installation under {{{/var/www/trac}}}, visible as URL {{{http://www.example.com/trac/}}}you can use an authentication stanza for Apache similar to:24 {{{ 25 For a Trac installation under `/var/www/trac`, visible as URL `http://www.example.com/trac/` you can use an authentication stanza for Apache similar to: 26 {{{#!apache 25 27 <Location /trac> 26 28 AuthType Basic … … 28 30 AuthUserFile /var/www/db/passwd 29 31 Require valid-user 30 ... extra directives to invoke trac31 ... - ie ScriptAlias or mod_python stuff32 # ... extra directives to invoke trac 33 # ... 
- ie ScriptAlias or mod_python stuff 32 34 </Location> 33 35 }}} … … 47 49 === Basic Authentication 48 50 49 To do this you need to control access to the {{{login}}}location under each Trac project, so for the example above you would change the configuration to:50 {{{ 51 To do this you need to control access to the `login` location under each Trac project, so for the example above you would change the configuration to: 52 {{{#!apache 51 53 <Location /trac/login> 52 54 AuthType Basic … … 56 58 </Location> 57 59 <Location /trac> 58 ... extra directives to invoke trac59 ... - ie ScriptAlias or mod_python stuff60 # ... extra directives to invoke trac 61 # ... - ie ScriptAlias or mod_python stuff 60 62 </Location> 61 63 }}} … … 67 69 === Digest Authentication 68 70 69 To setup digest authentication, follow the instructions to create the digest password file. https://httpd.apache.org/docs/2.2/programs/htdigest.html. For the '''realm''' set in htdigest you must put a matching !AuthName.71 To setup digest authentication, follow [https://httpd.apache.org/docs/2.2/programs/htdigest.html the instructions] to create the digest password file. For the '''realm''' set in htdigest you must put a matching !AuthName. 70 72 71 73 For example: 72 `htdigest -c /path/to/.htdigest TracRealmName UserName` 74 {{{#!sh 75 $ htdigest -c /path/to/.htdigest TracRealmName UserName 76 }}} 73 77 74 78 Sample configuration: 75 79 76 {{{ 77 ...WSGI config if using WSGI80 {{{#!apache 81 # ... 
WSGI config if using WSGI 78 82 <Location /trac> 79 ...mod_python config if using mod_python83 # ...mod_python config if using mod_python 80 84 AuthType Digest 81 85 AuthName "TracRealmName" … … 89 93 If you are using Digest with WSGI you must enable authentication passthrough with: 90 94 91 {{{ 95 {{{#!apache 92 96 WSGIPassAuthorization On 93 97 WSGIScriptAlias /trac /path/to/trac/config.wsgi … … 102 106 To do so, choose one of the existing users on your `passwd` file, say the user `anadmin`, and use: 103 107 104 {{{ 105 trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN108 {{{#!sh 109 $ trac-admin /path/to/the/trac/project permission add anadmin TRAC_ADMIN 106 110 }}} 107 111
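Review bot: In the introduction hunk, the rewritten password-file sentence (v19 line 15) now ends "You can manipulate this file with the [... htpasswd]." and leaves a dangling article; suggest "with the [... htpasswd] program". The same sentence drops the `user_manage` alternative, and v19 line 7 drops the statement that the development server tracd is not covered here, together with its TracStandalone link. If tracd is still out of scope, keep one short sentence saying so, since tracd does not rely on the web server's authentication in the way this page describes.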
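Review bot: The stanza in the "Require Authentication To Access The Entire Trac Installation" hunk pairs `AuthType Basic` with the example URL `http://www.example.com/trac/`. Basic authentication sends the password base64-encoded, not encrypted, on every request, so the surrounding text should say the location is expected to be served over HTTPS, or the example URL should use https. The claim kept as context at v19 line 21, that the data is "as secure as your web server authentication scheme", depends on that. Minor: in the newly commented lines "# ... - ie ScriptAlias or mod_python stuff" (both stanzas), "ie" should read "e.g.", since the two directives are examples.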
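Review bot: In the Digest Authentication hunk, the reworked link (v19 line 71) still targets the Apache 2.2 htdigest page, while the introduction hunk links the 2.4 howto and the `current` htpasswd page; point this one at the `current` docs as well for consistency. "To setup" on the same line should be "To set up". The new `#!sh` example runs `htdigest -c`, and `-c` creates the file and deletes an existing one first, so add a sentence that `-c` is used only for the first user and omitted when adding further users. The `$ ` prompt added here and in the `trac-admin` example also gets copied along with the command; consider dropping it.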