PermissionGroupProvider plugin problem


pamtrac

Sep 30, 2009, 10:19:50 AM
to Trac Development
Hello,

First, sorry if this post is off-topic here, since I'm not a trac
developer, but only try to develop a plugin for trac and I can't find a
better place.

I try to develop a plugin that enables trac to look up system groups
when trac tries to get the groups of a trac user (to match them with trac
permission groups).
Unfortunately I'm not very involved in apache-python web development
within Trac.

Still, I wrote a tiny plugin

http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py

#############code#######
import pwd, grp

from trac.core import *
from trac.config import *
from trac.perm import IPermissionGroupProvider

__all__ = ['SysGroups']

class SysGroups(Component):
    implements(IPermissionGroupProvider)

    # IPermissionGroupProvider interface method
    def get_permission_groups(self, username):
        groups = []

        # Each entry is (name, passwd, gid, member list); collect the
        # name of every system group that lists the user as a member.
        for p in grp.getgrall():
            if username in p[3]:
                groups.append(p[0])

        self.env.log.debug('sysgroups found for %s = %s' % (username,
                           ','.join(groups)))

        return groups
#############code#######

to accomplish lookup of system groups instead of the default
trac.perm.DefaultPermissionGroupProvider.
The resulting behavior is really strange (for me). My general basic
authentication is done by the apache modules
mod-auth-pam and mod-auth-sys-groups, this works fine. I have 3
different Trac (0.11.1) projects hosted on an
apache 2.2/linux virtual hosts ssl configuration. If I log on as a
valid pam user with a valid system group after an apache startup,
everything seems to work (apache auth, lookup of system groups, trac
gives the right permissions). But now it comes: if I try to call the
second Trac project on the server in my web browser, I will be asked
for my credentials again and basic/pam auth works fine, again. But
for a reason I don't understand, my sysgroups plugin doesn't work in
trac anymore.
I don't arrive on the first site of the selected project, but get this
error:

Error: Forbidden
WIKI_VIEW privileges are required to perform this operation on
WikiStart

obviously, I haven't got any permissions. (I completely removed anonymous
and authenticated in favour of my sysgroups)

It seems to me like a server-side problem, because doing any of:
- restart browser / try another browser
- try another valid user
won't help. Only if I restart apache, I can log into any project the
first time for one time, but changing project again will show the same
behavior (for all valid users). My first idea was that there is some
problem with permission caching within the DefaultPermissionStore
component, but I can't figure it out. I use different basic realms for
all projects and when I change to a second trac project in my
web browser, I get asked for my credentials again, apache says "ok" but
trac doesn't seem to evaluate user group memberships in this case.
If anybody has an idea where to start poking around, I would be
happy!

Best regards

Peter
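
An added example, not part of the original post or of the plugin: the loop above reads only the member lists from grp.getgrall(), and a user's primary group comes from the password database and is usually not listed there, so this sketch checks both. The svn_* group names are taken from this thread; the user names, gids and function names are constructed for illustration.

```python
import grp
import pwd

# Constructed sample entries shaped like pwd/grp records (gids invented).
SAMPLE_PASSWD = [
    ("peter", "x", 1000, 2001, "", "/home/peter", "/bin/sh"),
    ("guest", "x", 1001, 2003, "", "/home/guest", "/bin/sh"),
]
SAMPLE_GROUPS = [
    ("svn_admins", "x", 2001, []),            # peter's primary group
    ("svn_devel", "x", 2002, ["peter"]),
    ("svn_guests", "x", 2003, ["peter"]),     # guest's primary group
]


def listed_groups(username, group_db=None):
    """Groups whose member list names the user (what the plugin's loop sees)."""
    if group_db is None:
        group_db = grp.getgrall()
    return sorted(g[0] for g in group_db if username in g[3])


def system_groups(username, passwd_db=None, group_db=None):
    """Member-list groups plus the primary group from the password database."""
    if passwd_db is None:
        passwd_db = pwd.getpwall()
    if group_db is None:
        group_db = grp.getgrall()

    primary_gid = None
    for entry in passwd_db:
        if entry[0] == username:
            primary_gid = entry[3]
            break
    if primary_gid is None:
        return []  # unknown account: grant no groups

    names = set(listed_groups(username, group_db))
    names.update(g[0] for g in group_db if g[2] == primary_gid)
    return sorted(names)


if __name__ == "__main__":
    for user in ("peter", "guest", "nobody-here"):
        print(user, listed_groups(user, SAMPLE_GROUPS),
              system_groups(user, SAMPLE_PASSWD, SAMPLE_GROUPS))
```

Called without the sample arguments, both functions read the live databases of the host they run on.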

Erik Bray

Sep 30, 2009, 4:49:48 PM
to trac...@googlegroups.com

You still need to add permissions to the groups that you expect your
user to belong to, regardless of how group membership is determined.
So if you have an 'admin' group for example, WIKI_VIEW (or any other
permissions like TRAC_ADMIN) need to be assigned to that group in
Trac.

Peter Dulovits

Sep 30, 2009, 7:15:34 PM
to trac...@googlegroups.com
On Wed, 30 Sep 2009 22:49:48 +0200, Erik Bray <hyugar...@gmail.com> wrote:

Yes, I carefully assigned all the important permissions (Actions) to
my trac groups. So,
trac-admin /var/trac/repositories/neukolln permission list
returns :

svn_admins TRAC_ADMIN
svn_devel DOWNLOADS_VIEW
svn_devel TICKET_CREATE
svn_devel svn_neukolln_guests
...
svn_guests TAGS_VIEW
svn_guests TICKET_VIEW
svn_guests TIMELINE_VIEW
svn_guests WIKI_VIEW

The strange thing is, it works the first time I log in on a trac project
after apache restart, but not later on, if I try to log in a second
project.. as if something gets confused in permission caching, or so.

Erik Bray

Oct 1, 2009, 10:34:22 AM
to trac...@googlegroups.com

I doubt it has anything to do with the PermissionCache. It only
caches a user's permissions in the context of a request. How exactly
is your Trac system set up and how is the plugin installed?

Also, one small thing I noticed which should have nothing to do with
your actual problem, is that you have an unnecessary "from trac.config
import *". There generally shouldn't be any reason to import * from
that module, and you're not using anything from it anyways.

Peter Dulovits

Oct 1, 2009, 4:38:04 PM
to trac...@googlegroups.com
On Thu, 01 Oct 2009 16:34:22 +0200, Erik Bray <hyugar...@gmail.com> wrote:

That's true! I simply reused another plugin, so this line remained,
but I will remove it soon.

I thought that maybe trac/apache stores a basic-realm/ip/something
that is persistent for the whole apache online time. Is trac authentication
really session oriented? If it is, I really would be surprised after what
I have seen here.. I'm really clueless :(

My plugin is installed in every trac project "plugin" subfolder as py egg.
The plugin can be trac-browsed at :

http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/

My apache conf seems to be alright, here is a snip

<VirtualHost 192.168.1.254:443>
    ServerAdmin webm...@celluloid-vfx.com
    ServerName svn.testdomain.inc
    ServerAlias svn
    SSLEngine on
    #DocumentRoot /var/www/trac

    <Location />
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonInterpreter main
        PythonOption TracEnv ""
        PythonOption PYTHON_EGG_CACHE /tmp
        PythonOption TracEnvParentDir /var/trac/repositories
        PythonOption TracUriRoot /
    </Location>

    <Location "/neukolln">
        AuthPAM_Enabled On
        AuthType Basic
        AuthPAM_FallThrough off
        AuthGROUP_Enabled on
        AuthName "Celluloid neukolln web-trac login:"
        AuthBasicAuthoritative Off
        Require group svn_admins svn_neukolln_devel svn_neukolln_guests
        require valid-user
        AuthUserFile /dev/null
    </Location>

    <Location "/ruhrpott">
        AuthPAM_Enabled On
        AuthType Basic
        AuthPAM_FallThrough off
        AuthGROUP_Enabled on
        AuthName "Celluloid ruhrpott web-trac login:"
        AuthBasicAuthoritative Off
        Require group svn_admins svn_ruhrpott_devel svn_ruhrpott_guests
        require valid-user
        AuthUserFile /dev/null
    </Location>
</VirtualHost>

Erik Bray

Oct 2, 2009, 1:54:10 PM
to trac...@googlegroups.com

Do you have any other plugins installed? As far as I can tell this
plugin should work, at least by itself.
