[kforge-user] Installation and setup experiences + problems
Rufus Pollock
rufus.pollock at okfn.org
Tue Feb 20 11:46:26 UTC 2007
To follow up John's comments.
Gunnar Johansson wrote:
> Hi,
>
> This will be a long posting, but I'd like to give some comments on my
> experience so far. I also have some additional problems.
First off, like John I'd like to thank you for your comments. This kind
of feedback is very useful.
> == Installation ==
>
> 1) When initially editing kforge.conf, it would be useful to point out
> that the KForge web files (document_root) are installed in
> /usr/local/share/kforge/www (by default). The same thing goes for the
> django template files (templates_dir) which turns up in
> /usr/local/share/kforge/templates/kui. This caused me some confusion
> initially.
Good point. These changes have now been made in trunk.
> 2) When running kforge-admin with the --config parameter, the
> path-to-config must be specified with the full absolute path (e.g
> /etc/kforge.conf). The same is of course also true if you export
> KFORGE_SETTINGS, but that's more obvious.
Yes that is a real gotcha that has caught me out several times (as stuff
will work from the command line but *not* from the webserver). Rather
than require this on the command line I think this should be fixed in
the script so that we do an os.path.abspath on whatever value you pass in.
I have now made this change in trunk.
> == SSL ==
>
> One thing that troubles me is the use of virtual hosts for admin/project
> subdomains. If you're running a public kforge server and want full
> certificate trust, this will be a problem unless of course you can
> afford a wildcard certificate. I see for example you're running a
> certificate for project.knowledgeforge.net for both admin and project, which
> causes warnings on admin. Would it be possible to add an option to use
> for example a <domain>/admin and <domain>/project structure instead?
> This should be possible by simply changing the VirtualHost sections to
> sets of Alias-es and <Directory ..> configurations, or is there
> something more complex behind this? You probably would need to generate
> two different config-files, like httpd.conf and ssl.conf and include
> your ssl.conf inside your VirtualHost section for SSL, but I think it
> would be quite nice..
>
> It's no high priority though, but have you thought anything about this
> problem?
I agree with John that we should support this -- in fact something
similar was recently requested by another user (they wanted the ability
to run the application in a suburl rather than at / I think). We have
talked about this for quite a long time and we should be able to
accommodate this fairly easily by subclassing or replacing:
kforge.apache.apacheconfig.ApacheConfigBuilder
It might also be nice to move to using routes for our url generation
needs rather than using our own url builder from kforge.url
> == Permissions ==
>
> For us, it is vital that certain projects are inaccessible by
> non-members. I understand you have put a lot of effort in building user
> access rights through the domain model, it looks like good work. I
> really like the way services authenticate through your python
> accesshandler. I have some problems though. According to
> http://project.knowledgeforge.net/kforge/trac/wiki/KforgeGuide#RolesandPermissions,
By the way that version is no longer guaranteed to be up to date. The
latest stable version of the guide is at:
http://www.kforgeproject.com/doc/guide/
And the latest version will be in subversion in trunk/docs/guide.txt
> a Visitor should not have access to project services. This restriction
> works fine for svn, but not for trac. Is this a known problem? (I'm
> running kforge 0.12 stable). This also leads to the next point..
Could you be a bit more specific here? Do you want (a) visitor to have
no read or write access or (b) just no write access?
If (a) this should work if you do not have visitor as a member of the
project. If (b) then this is a known problem which arose in the latest
release (did not exist in the previous one) and we are working on a
satisfactory fix.
> == SVN checkout ==
>
> Though browsing a repository through a web browser works fine when
> logged in, I get an error when doing a 'svn co <URL>'. Note that I first
> get a prompt stating the Authentication realm and a password request for
> my user (gunjo):
>
> svn: PROPFIND of '': 500 internal server error
>
> The apache access log says:
>
> visitor [17/Feb/2007:19:39:20 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 401
> 526 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
> gunjo [17/Feb/2007:19:39:23 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 500
> 661 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
>
> The kforge.log says:
>
> [2007-02-17 19:39:20,432] Access Denied: Person 'visitor' to 'Read'
> object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>':
> Access not authorised, by default.
> [2007-02-17 19:39:23,706] Access Denied: Person 'visitor' to 'Read'
> object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>':
> Access not authorised, by default.
>
> And the apache error log says:
>
> [Sat Feb 17 19:39:23 2007] [error] [client ] (9)Bad file descriptor:
> Could not open password file: (null)
>
> Any thoughts?
I have got nothing to add to John's comment (other than to check that
you are logging in when using svn co using the same username as on kforge
and not the username you have on your local machine).
In any case the fact that you are getting a 500 error rather than 401 or
similar is something we should try to investigate (the problem is that these
kinds of errors are so hard to track and write unittests for ...)
> Sorry for the lengthy mail, but I like your system, and would really
> like to see it work for me :-)
No problem, and thanks for taking the time to write.
~rufus
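
The log excerpts in the quoted post can be correlated by timestamp to check whether the user Apache logged for a request is the same Person that KForge ran its access check for. This is an added example, not part of the original mail or of KForge; the function names and the one-second matching window are assumptions, and both logs are assumed to be written in the same local time.

```python
import re
from datetime import datetime, timedelta

# Log lines from the quoted post, unwrapped to one entry per line.
ACCESS_LOG = """\
visitor [17/Feb/2007:19:39:20 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 401 526 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
gunjo [17/Feb/2007:19:39:23 +0100] "PROPFIND /gunnar/svn HTTP/1.1" 500 661 "-" "SVN/1.4.2 (r22196) neon/0.25.5"
"""
KFORGE_LOG = """\
[2007-02-17 19:39:20,432] Access Denied: Person 'visitor' to 'Read' object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>': Access not authorised, by default.
[2007-02-17 19:39:23,706] Access Denied: Person 'visitor' to 'Read' object '<Plugin id='3' dateCreated='2007-02-17 16:48:46' name='svn'>': Access not authorised, by default.
"""

# The UTC offset in the access log is dropped (assumption: same local time in both logs).
ACCESS_RE = re.compile(r'^(\S+) \[(\S+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) ')
DENIED_RE = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\] Access Denied: "
    r"Person '([^']+)' to '([^']+)'")

def parse_access(text):
    """Return (time, user, method, path, status) per access-log line."""
    rows = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        user, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
        rows.append((when, user, method, path, int(status)))
    return rows

def parse_denials(text):
    """Return (time, person, action) per 'Access Denied' line in kforge.log."""
    rows = []
    for m in filter(None, map(DENIED_RE.match, text.splitlines())):
        ts, person, action = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), person, action))
    return rows

def identity_mismatches(access, denials, window=timedelta(seconds=1)):
    """Requests whose Apache user differs from the Person KForge checked."""
    found = []
    for when, user, method, path, status in access:
        for d_when, person, action in denials:
            if abs(d_when - when) <= window and person != user:
                found.append((user, person, action, path, status))
    return found

if __name__ == "__main__":
    for f in identity_mismatches(parse_access(ACCESS_LOG), parse_denials(KFORGE_LOG)):
        print("apache user %r checked as %r for %r on %s -> %d" % f)
```

On the lines above, the 401 request lines up with a check for the same user, while the 500 request is logged by Apache under one user and by KForge under another.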