Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Dimitri Maziuk
On 02/20/2012 12:06 PM, Jason Miller wrote:
> However painful that initial LDAP group setup would be… I think you're
> right in the end, the LDAP group method is probably the correct
> permanent way to go.

Well, the devil is in the details. E.g. the good old unix 32 groups per
user limit: I've no idea if it'd still apply in your situation, or
whether you'd hit it -- but with that many users it sounds likely. Or if
you need to also manage group permissions inside Trac -- that's a whole
other can of worms.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Jason Miller

On Feb 20, 2012, at 10:52 AM, Dimitri Maziuk wrote:

> On 02/20/2012 09:52 AM, Jason Miller wrote:
> 
> 
>> Is there a better way? If so, please share!
> 
> I don't know, I don't have 1K users with separate ACLs for svn, Trac,
> and upload directories.
> 
> I thought you could use
>  RequireGroup testing1
> in  *and*  *and*
> , and then actually put the group in ldap
> and do all your acl assignments via ldapadd et al.
> 
> Whether that will work for you is another question.
> 
> -- 
> Dimitri Maziuk
> Programmer/sysadmin
> BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu
> 

I myself have no rights to modify LDAP groups/users, otherwise you're right, I 
would do it there… but I do have write access to our Apache configs and the 
like. 

I probably would still need to do it the way we're doing it now. Just because 
the LDAP guys would shoot me if I asked them to make all the different 
(fine-grained) groups we require! lol

However painful that initial LDAP group setup would be… I think you're right in 
the end, the LDAP group method is probably the correct permanent way to go.

Jason Miller

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to trac-users@googlegroups.com.
To unsubscribe from this group, send email to 
trac-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en.



Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Dimitri Maziuk
On 02/20/2012 09:52 AM, Jason Miller wrote:


> Is there a better way? If so, please share!

I don't know, I don't have 1K users with separate ACLs for svn, Trac,
and upload directories.

I thought you could use
  RequireGroup testing1
in  *and*  *and*
, and then actually put the group in ldap
and do all your acl assignments via ldapadd et al.

Whether that will work for you is another question.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu





Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Jason Miller

On Feb 20, 2012, at 8:37 AM, Dimitri Maziuk wrote:

> On 2/20/2012 8:10 AM, Jason Miller wrote:
> 
>> I was going to suggest this as well. We are nearing 1000 employees we
>> keep track of. Some needing access to a specific out of the many
>> available SVN repos, some to Trac site 1, others to Trac site 2, etc
>> etc... or all of the above. It became clear that in order to get
>> permissions _correct_ for so many different scenarios, we needed a
>> non-gui, scripted method (Build our own).
> 
> ...
>> On top of the SVN and Trac permissions, we
>> needed to 'extend' the script to maintain Apache rules to specific
>> directories within the multiple available Trac sites (due to externally
>> linked document attachments).
> 
> Won't apache's require_ldap_group do what you need?
> 
> Dima
> 

I am not sure I understand, as we are using ldap groups currently:

apache/ssl-vhost.conf:
#
>
AuthType Basic
AuthGroupFile /data/svn/authz_generator/apache_groups_acl
AuthName "Doxygen Access"
AuthBasicProvider ldap
AuthLDAPURL "ldap://"
AuthzLDAPAuthoritative off
require group testing1
Allow from all


#

and now the generated apache_groups_acl (generated by our script) file:

testing1:: someuser1 someuser2 someuser3
testing2:: someuser4 someuser5 someuser6

#

Is there a better way? If so, please share!

Thanks,
Jason Miller
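
A sketch of the scripted generator approach discussed in this thread, added as an example and not the poster's actual script: one membership table renders both the Apache AuthGroupFile and a Subversion authz file, and the input is validated first so a malformed name cannot add lines or sections. The path rules, the allowed-name pattern and all function names are assumptions; the group file is written in the documented `group: members` form.

```python
import re

# Constructed sample data: one membership table is the single source of truth.
GROUPS = {
    "testing1": ["someuser1", "someuser2", "someuser3"],
    "testing2": ["someuser4", "someuser5", "someuser6"],
}
# Hypothetical Subversion path rules: section -> {group: access}.
SVN_RULES = {
    "repo1:/": {"testing1": "rw", "testing2": "r"},
    "repo2:/trunk": {"testing2": "rw"},
}
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # assumed naming policy

def validate(groups, rules):
    """Refuse input that would corrupt or widen the generated ACL files."""
    for group, members in groups.items():
        for name in (group, *members):
            # fullmatch, so an embedded newline cannot smuggle in extra lines
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe name: {name!r}")
    for section, grants in rules.items():
        if any(ch in section for ch in "[]\r\n"):
            raise ValueError(f"unsafe section: {section!r}")
        for group, access in grants.items():
            if group not in groups:
                raise ValueError(f"rule for undefined group: {group}")
            if access not in ("r", "rw"):
                raise ValueError(f"bad access {access!r} for {group}")

def apache_group_file(groups):
    """AuthGroupFile text: one 'group: user user ...' line per group."""
    return "".join(f"{g}: {' '.join(sorted(m))}\n" for g, m in sorted(groups.items()))

def svn_authz(groups, rules):
    """Subversion authz text: a [groups] section, then one section per path."""
    out = ["[groups]"]
    out += [f"{g} = {', '.join(sorted(m))}" for g, m in sorted(groups.items())]
    for section, grants in sorted(rules.items()):
        out += ["", f"[{section}]"]
        out += [f"@{g} = {a}" for g, a in sorted(grants.items())]
    return "\n".join(out) + "\n"

def generate(groups, rules):
    validate(groups, rules)  # fail closed: render nothing if any entry is bad
    return apache_group_file(groups), svn_authz(groups, rules)
```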





Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Dimitri Maziuk

On 2/20/2012 8:10 AM, Jason Miller wrote:


> I was going to suggest this as well. We are nearing 1000 employees we
> keep track of. Some needing access to a specific out of the many
> available SVN repos, some to Trac site 1, others to Trac site 2, etc
> etc... or all of the above. It became clear that in order to get
> permissions _correct_ for so many different scenarios, we needed a
> non-gui, scripted method (Build our own).

...

> On top of the SVN and Trac permissions, we
> needed to 'extend' the script to maintain Apache rules to specific
> directories within the multiple available Trac sites (due to externally
> linked document attachments).

Won't apache's require_ldap_group do what you need?

Dima




Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Jason Miller

On Feb 20, 2012, at 6:45 AM, Matthew Caron wrote:

> On 02/14/2012 03:32 AM, Alvaro wrote:
>> What I am looking for is a plugin that may permit to use a Trac group
>> as a Subversion group ->  Like that, the Trac group may be used
>> directly on the Subversion path without having to do 2 entries each
>> time.
>> Do you have some ideas about it ?
> 
> Another option - cli script it. Write a wrapper script from the CLI which 
> takes all necessary information, then adds the user to both Trac and SVN.

I was going to suggest this as well. We are nearing 1000 employees we keep 
track of. Some needing access to a specific out of the many available SVN 
repos, some to Trac site 1, others to Trac site 2, etc etc... or all of the 
above. It became clear that in order to get permissions _correct_ for so many 
different scenarios, we needed a non-gui, scripted method (Build our own).

> You could then extend said script (or wrap it again) with additional 
> functionality to take some input list of all your users (say, a CSV file you 
> get from a spreadsheet from HR) and then you can just batch import all the 
> existing users.

Exactly my thoughts again. On top of the SVN and Trac permissions, we needed to 
'extend' the script to maintain Apache rules to specific directories within the 
multiple available Trac sites (due to externally linked document attachments).

> -- 
> Matthew Caron, Build Engineer
> Sixnet, a Red Lion business | www.sixnet.com
> +1 (518) 877-5173 x138 office
> 


A specific plugin may be well received for some, but not for all. Most of us 
have entirely different needs when it comes to permissions. However the more 
plugins the better of course! Until then, my advice is to script your own Authz 
generator. I would also shy away from the Trac's GUI authentication management 
and similar plugins, if you will have hundred/s of users. You will thank 
yourself in the end when all you have to do in order to add/remove/modify a 
privilege is through an executional script and not a painstaking 10-20 mouse 
click operation per user.

Jason Miller




Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Matthew Caron

On 02/14/2012 03:32 AM, Alvaro wrote:

> What I am looking for is a plugin that may permit to use a Trac group
> as a Subversion group ->  Like that, the Trac group may be used
> directly on the Subversion path without having to do 2 entries each
> time.
> Do you have some ideas about it ?


Another option - cli script it. Write a wrapper script from the CLI 
which takes all necessary information, then adds the user to both Trac 
and SVN.


You could then extend said script (or wrap it again) with additional 
functionality to take some input list of all your users (say, a CSV file 
you get from a spreadsheet from HR) and then you can just batch import 
all the existing users.


--
Matthew Caron, Build Engineer
Sixnet, a Red Lion business | www.sixnet.com
+1 (518) 877-5173 x138 office




Re: [Trac] Reuse Trac groups on Subversion right access

2012-02-20 Thread Matthew Caron

On 02/14/2012 03:32 AM, Alvaro wrote:

> Hello,
> What I am looking for is a plugin that may permit to use a Trac group
> as a Subversion group ->  Like that, the Trac group may be used
> directly on the Subversion path without having to do 2 entries each
> time.

I do not know of such a plugin and looking around TH doesn't show 
anything like this.

> Do you have some ideas about it ?


You could write one. Trac plugins are pretty simple.

--
Matthew Caron, Build Engineer
Sixnet, a Red Lion business | www.sixnet.com
+1 (518) 877-5173 x138 office




[Trac] Reuse Trac groups on Subversion right access

2012-02-14 Thread Alvaro
Hello,

I'm working on a project which is using Trac to manage a few
subversion repositories at the same time from a GUI.
However, I've a big problem with it actually, and that's why I come
here today.
Indeed, the fact is that this Trac won't be used to manage 10 or 20
rights, but for the access of more than 100 employees.
The problem is that, when we want to add a new user to Trac &
Subversion, we need to add his name on the Trac permissions, then to
use these names on a Subversion group which is related to a path. It
gives a result of 2 entries for 1 man.

For the moment, right access on Subversion can be entered from the GUI
on Subversion page thanks to these plugins:
-SvnAuthzAdminPlugin
-TracAccountManager
-TracActiveDirectoryAuth

What I am looking for is a plugin that may permit to use a Trac group
as a Subversion group -> Like that, the Trac group may be used
directly on the Subversion path without having to do 2 entries each
time.
Do you have some ideas about it ?

Thank you,

Alvaro
