Version 21 (modified by mpalmer@…, 7 years ago)
Experimental Trac multi-project support
Still developing this concept.
Note: What is in subversion is currently usable, but there isn't (yet) much documentation. If you would like to try this out you should probably try finding me on #trac (I am usually on as coderanger).
An alternate implementation of the same idea (in idled/stalled/rethinking development), with the same name (great minds etc. etc.), is at http://tracforge.net.
In order to add projects right now, create a prototype containing only DoNothing. You still need to make the Trac environment and other things the normal way for now.
First designate one env to be the master. This will manage SSO, and hold the central roles and permissions. This is also commonly the aggregate trac if you are using the data subscription system, but it doesn't need to be.
On the master env, activate these components:
tracforge.* = enabled
tracforge.linker.* = disabled
tracforge.linker.auth.tracforgecookiemunger = enabled
tracforge.subscriptions.* = disabled
On each client env activate these:
trac.web.auth.loginmodule = disabled
tracforge.admin.perm.* = enabled
tracforge.linker.* = enabled
tracforge.perms.* = enabled
NOTE: The last module was not previously listed for clients; please make sure to add it when upgrading to a newer version of TracForge.
ANOTHER NOTE: If you are using AccountManager, make sure it is disabled in all clients.
In the master, be sure you set base_url. You will also need some kind of authentication set up on the master; the default HTTP auth system and the AccountManagerPlugin are popular choices (I recommend the latter).
For all envs set this in [trac]:
permission_store = TracForgePermissionModule
and add this in [tracforge]:
master_path = /path/to/master/env
That should be all the config changes you need. If you want to use the data subscription system, just enable tracforge.subscriptions.* on all envs.
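A client env that misses one of these lines (for example tracforge.perms.* after an upgrade, or AccountManager left enabled) can be caught with a small check over its trac.ini. This is an added example, not part of TracForge; the `[components]` section name follows stock Trac, the `acct_mgr` prefix for AccountManager is an assumption, and the sample ini is constructed.

```python
import configparser

# Client-env settings taken from this page. Placing the component lines under
# [components] follows stock Trac; the page lists only the lines themselves.
REQUIRED = {
    ("components", "trac.web.auth.loginmodule"): "disabled",
    ("components", "tracforge.admin.perm.*"): "enabled",
    ("components", "tracforge.linker.*"): "enabled",
    ("components", "tracforge.perms.*"): "enabled",
    ("trac", "permission_store"): "TracForgePermissionModule",
}

def audit_client_ini(text):
    """Return findings for one client env's trac.ini, given as a string."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for (section, key), want in REQUIRED.items():
        got = cfg.get(section, key, fallback=None)
        if got != want:
            findings.append(f"[{section}] {key}: want {want!r}, found {got!r}")
    if not cfg.get("tracforge", "master_path", fallback=""):
        findings.append("[tracforge] master_path is not set")
    # Assumption: AccountManager's components live under the acct_mgr package.
    if cfg.has_section("components"):
        for key, value in cfg.items("components"):
            if key.startswith("acct_mgr") and value.lower() == "enabled":
                findings.append(f"[components] {key}: AccountManager must be disabled on clients")
    return findings

# Constructed sample: a client upgraded without adding tracforge.perms.*,
# and with AccountManager still switched on.
STALE_CLIENT = """
[components]
trac.web.auth.loginmodule = disabled
tracforge.admin.perm.* = enabled
tracforge.linker.* = enabled
acct_mgr.* = enabled

[trac]
permission_store = TracForgePermissionModule

[tracforge]
master_path = /path/to/master/env
"""

if __name__ == "__main__":
    for finding in audit_client_ini(STALE_CLIENT):
        print(finding)
```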
To set up the TracForge system, go into WebAdmin on the master, and there should be a TracForge Project Admin screen. In there add each of your projects. For now TracForge cannot actually create the projects, so make them the normal way and then just enter them into TracForge (see above about prototypes). Once that is done you should be able to add central roles and permissions. Permissions work exactly the same way as normal, with the central ones combined with the per-project permissions. Roles show up as groups, so you can do something like give the group "member" the permission WIKI_MODIFY, and then add some users as members to a project. The "*" project on the roles screen means that user will have the given role on all projects (very handy for configuring global admin accounts).
TracForge can now handle displaying the project index and dispatching to subordinate environments (in a similar fashion to a TRAC_ENV_PARENT_DIR setup). To use this you just need to set up the master environment normally, but do not set up anything in the webserver for the TRAC_ENV_PARENT_DIR. One advantage this has over the built-in system is that it can control access using Trac permissions, specifically PROJECT_VIEW. This check is done against the project the user is trying to access, not the master. The project index will also be filtered so users can only see projects they can access.
There isn't much configuration to the subscription system. It should autodetect all sibling envs (envs sharing the same enclosing folder), and let you add subscriptions from one env to another. Changesets work very well, and tickets are mostly working (though there is no support for attachments yet).
The global permissions system works in exactly the same way as the per-project permissions system -- you can create groups and map groups and users to any of the usual Trac permissions. Any permissions you set at this level will be available to all projects as though you set that permission in every single project.
You need to be careful with the global permissions, though, because you can't "negate" a permission. If you grant, say, WIKI_VIEW to anonymous in the Tracforge permissions, then everyone will be able to view all your wikis, and there's nothing you can do in each client project to stop that. It's probably best to stick to granting perms to certain really-global groups.
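The combination rule and its "no negation" consequence can be seen in a small model. This is an added example that models the behaviour described on this page, not TracForge's own code; the rule that a lowercase action names a group is taken from stock Trac, and all users, projects and grants are constructed.

```python
# Constructed data. Rows are (subject, action); a lowercase action is a group.
CENTRAL = [("anonymous", "WIKI_VIEW"), ("member", "WIKI_MODIFY")]  # on the master
ROLES = [("alice", "member", "docs"), ("root", "admin", "*")]      # (user, role, project)
PROJECT = {
    "docs": [("admin", "TRAC_ADMIN")],
    "secret": [("admin", "TRAC_ADMIN")],  # grants nothing to anonymous
}

def effective(user, project, authenticated=True):
    """Central and per-project grants are unioned; there is no deny row."""
    subjects = {user, "anonymous"}
    if authenticated:
        subjects.add("authenticated")
    # Roles show up as groups; the "*" project applies the role everywhere.
    subjects |= {r for u, r, p in ROLES if u == user and p in (project, "*")}
    rows = CENTRAL + PROJECT.get(project, [])
    actions, changed = set(), True
    while changed:  # repeat until group membership stops expanding
        changed = False
        for subject, action in rows:
            if subject not in subjects:
                continue
            target = actions if action.isupper() else subjects
            if action not in target:
                target.add(action)
                changed = True
    return actions

def unrevocable_public_grants(central=CENTRAL):
    """Central grants to everyone: no client project can take these back."""
    return sorted(a for s, a in central
                  if s in ("anonymous", "authenticated") and a.isupper())

if __name__ == "__main__":
    print(effective("anonymous", "secret", authenticated=False))
    print(unrevocable_public_grants())
```

Running `unrevocable_public_grants` over an export of the master's permission rows is a quick way to review what every client project is forced to expose.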
Tracforge provides three new permission flags:
|TRACFORGE_ADMIN||(Master only) Access the Tracforge admin pages, to set global permissions and create new projects|
|TRACFORGE_CREATE||(Master only) Create new Trac projects (it's not actually used anywhere, but since project creation is broken anyway, it's not such a big deal)|
|PROJECT_VIEW||(All projects) The project is visible in the "Project Index" list available from the 'Projects' link in the title bar|
If you have any issues, create a new ticket.
Download the zipped source from here.
There is also an (unofficial) darcs repository containing some additional bugfixes which aren't in trunk yet. This branch will always follow the trunk, but with added bugfixes that are in use on at least one production TracForge instance. You can also see all the patches currently in this branch.