Synchronize User Account data between multiple Trac projects
This plugin synchronizes user account data between multiple projects within the same TRAC_PARENT. It reads the account information from all the separate environments, merges it, and then updates all environments accordingly. As it is still in early beta, a dryrun mode is enabled by default, so no changes are written to the database. Instead, the updates for the affected environments are stored in <tracenv>.sql files for you to inspect.
If you intend to use this plugin in its current state, you are strongly encouraged to:
- first test it in a non-production environment, ideally a copy of the production environment you intend to use it on later
- first run it in dryrun mode, and inspect the resulting *.sql files carefully (see below)
- only if everything looks fine, while still in your test environment and after making a copy of the databases, disable dryrun mode and verify the results
- only if everything still looks OK, repeat these steps in your production environment - at your own risk
If you are still eager to try it: Great - I love to receive your feedback!
There are the following limitations to this plugin:
- it is not widely tested yet
- it is not yet "fool-proof" (if it ever will be). In particular, not all possible exceptions may be handled yet
- it works only for environments that meet the following conditions:
  - share the same TRAC_PARENT_DIR
  - use the AccountManagerPlugin
  - store the user passwords in a .htpasswd file
  - share the same .htpasswd password file
If you have any issues, create a new ticket.
Download the zipped source from here.
The easiest way to install this plugin is:
You may want to replace "trunk" with one of the branches: "trunk" is usually the code in development, while the branches should reflect something stable.
You can also check out the code from the repository, or download and unpack the zipped source (see above), and then run either easy_install or python setup.py from the directory containing the setup.py file.
First you of course need to activate the plugin. This is, as usual, done in the components section of your trac.ini:
    [components]
    tracusersync.* = enabled
For testing purposes, the default settings should be fine. However, there are some settings you can use for fine-tuning. They are found in (or can be added to) the [user_sync] section of your trac.ini:
    [user_sync]
    dryrun = true
    merge_conflicts = skip
    sql_file_path =
    sync_fields = email,name
    users_keep =
    exclude_envs =
The easiest way to modify these settings is using the IniAdminPlugin, where you always have some helpful information displayed next to the options. I will explain them here in short, though:
dryrun: This enables the "test mode", in which no changes are made to your environments - in particular, the databases will not be written to. Instead, changes which would be written to the database are stored in *.sql files, one for each environment. This is a boolean setting, so the only valid values are "true" and "false".
merge_conflicts: What should be done if records from two (or more) environments conflict. Possible values are "skip" (do not update this user anywhere) and "newer" (use the record from the environment the user was last active in - which is not necessarily the one with the most recent data). Default is "skip", to be on the safe side.
What makes a conflict? Say user Tom registers in environment A, and sets his name to "Tom Sawyer" and his email to "tom@…". His password is stored to the shared .htpasswd file, so he can immediately login to environment B without registering again. He does so - but edits his record here, using the name "Tommy". If the field name is contained in the sync_fields list (see below), this would cause a conflict since the two names don't match - which means, the email won't be synchronized either. The same applies the other way round: If a different email was specified in one environment, the entire record would be considered conflicting.
sql_file_path: The path where the *.sql files are stored. If not set, they are written to the log subdirectory of the environment the plugin was invoked from.
sync_fields: Which fields of the user records should be considered for synchronization. By default, this is set to name,email - the two basic fields. If you use the UserManagerPlugin, you may want to add some more fields. Note that for now a single conflict on any of the fields will exclude a user record from being merged (though this may change in the future) - so the more fields you add, the higher the chance of conflicts.
There are two more fields considered here, even if not mentioned (and you should never add them to that list): the information used by the email verification. This means that if you enabled email verification in the AccountManagerPlugin, we will try to take care of that as well. So if a user is verified for one environment, we try to do the same for the other environments.
users_keep: This option only affects purging: here you can define users which shall always be excluded from purging. The plugin takes care of your permission groups (e.g. anonymous, authenticated) automatically, so you don't need to add those (if your check - see below - shows the plugin missed one, you might add it here, though).
exclude_envs: A comma-separated list of environments to exclude from our actions by default. The only effect is that the corresponding check boxes in the web_ui will not be checked.
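The conflict rule and the sync_fields behaviour described above, as an added sketch that is not the plugin's own code: a user's records from several environments are compared field by field, and merge_conflicts decides what happens when they disagree. The function names, the record layout, the treatment of empty fields and the sample values are assumptions.

```python
def merge_user(records, sync_fields, merge_conflicts="skip"):
    """Merge one user's records, given as {env: {field: value, "last_visit": int}}.

    Returns (merged, conflicts); merged is None when the user is skipped.
    """
    merged, conflicts = {}, []
    for field in sync_fields:
        # Assumption: an empty or missing value means "not set here", not a conflict.
        values = {rec[field] for rec in records.values() if rec.get(field)}
        if len(values) > 1:
            conflicts.append(field)
        elif values:
            merged[field] = values.pop()
    if not conflicts:
        return merged, conflicts
    if merge_conflicts == "newer":
        # Take every field from the environment the user was last active in,
        # even where that record is emptier than an older one.
        newest = max(records.values(), key=lambda rec: rec.get("last_visit", 0))
        return {f: newest[f] for f in sync_fields if newest.get(f)}, conflicts
    return None, conflicts  # "skip": one conflicting field excludes the whole user


def plan_updates(records, merged):
    """Per environment, the fields that must change to match the merged record."""
    plan = {}
    for env, rec in records.items():
        delta = {f: v for f, v in (merged or {}).items() if rec.get(f) != v}
        if delta:
            plan[env] = delta
    return plan


# Constructed sample following the Tom example; address and timestamps are made up.
TOM = {
    "A": {"name": "Tom Sawyer", "email": "tom@example.org", "last_visit": 100},
    "B": {"name": "Tommy", "last_visit": 200},
}

if __name__ == "__main__":
    for fields, mode in ((["email", "name"], "skip"), (["email"], "skip"),
                         (["email", "name"], "newer")):
        merged, conflicts = merge_user(TOM, fields, mode)
        print(fields, mode, "->", merged, conflicts, plan_updates(TOM, merged))
```

With "newer", the sample shows why the most recently visited environment is not necessarily the one with the most complete data: environment B wins, and its record has no email.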
You will find the interface on the Admin page in the Accounts section as User Sync (see also the screenshot below). After invoking this page, you can select the environments to synchronize. The list includes all Trac environments sharing the TRAC_PARENT_DIR with the environment you are currently in - though the plugin does not yet check what password store they are using, or even whether they share the same password file (this may be added later). If your selection includes an environment with conflicting data, it will be excluded later. All environments found are pre-selected except those mentioned in the exclude_envs setting - so you might want to (un)check one or more, or leave the selection as is.
The second "field set" shows you the password file used by the current environment, and what users have been stored there. This is just for your information.
The third section lets you select the actions to perform. Synchronize is pre-selected here, since this is the main task of this plugin and probably what you want to do. This action means: make sure all included environments get the account data users have entered in one of the environments, for the fields contained in the sync_fields setting. The second check box, labeled Purge, will cause the plugin to remove all users from all environments - except those contained in the password file or mentioned in the users_keep setting. Of course, it will not touch your permission groups (anonymous, authenticated, and whatever you may have added) - these are evaluated automatically.
Now that you've made your selections, push the Perform actions button. When the page is reloaded, it will inform you about the results:
A green box at the top (see the screenshot below) gives you short information about a successful operation. If you get a red box instead, the operation failed completely.
At the end of the page, a new "field set" called Log messages appears, giving you more detailed information about the process. This includes successful steps as well as "minor failures" (such as environments excluded for reasons like missing privileges or conflicting settings). Read this carefully to get an overview.
Next, you should also investigate the resulting *.sql files. Some hints:
- Check the NOT IN () list of the DELETE statements to make sure it contains all the users of your password file, all your permission groups (they should be in as well, but the plugin may have failed to set them all up correctly - remember, it's not yet thoroughly tested), and the users named in users_keep
- Check the INSERT statements for each environment (e.g. by turning them into SELECT statements and running those against the database - they should return no data)
- Check the UPDATE statements in the same way, if there are any - in this case, the corresponding SELECT must return a record, but not necessarily with the same data (hence the update)
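The first check in the list above can be scripted before dryrun is switched off. This is an added example, not part of the plugin: it assumes the dry-run file contains statements of the form DELETE FROM <table> ... NOT IN ('name', ...) with single-quoted names, and the sample statements, table names and accounts are constructed.

```python
import re

# Assumed statement shape: DELETE FROM <table> ... NOT IN ('name', ...);
NOT_IN = re.compile(
    r"DELETE\s+FROM\s+(\w+)[^;]*?NOT\s+IN\s*\(((?:\s*'(?:[^']|'')*'\s*,?)*)\)",
    re.IGNORECASE)
QUOTED = re.compile(r"'((?:[^']|'')*)'")


def htpasswd_users(text):
    """User names from .htpasswd content (one user:hash entry per line)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            users.add(line.split(":", 1)[0])
    return users


def missing_from_deletes(sql_text, must_keep):
    """Map each table with a DELETE ... NOT IN (...) to the names its list lacks."""
    findings = {}
    for table, body in NOT_IN.findall(sql_text):
        kept = {name.replace("''", "'") for name in QUOTED.findall(body)}
        findings.setdefault(table, set()).update(set(must_keep) - kept)
    return findings


# Constructed inputs: the statements, table names and accounts are examples only.
SAMPLE_HTPASSWD = "tom:$apr1$constructed$hash\nhuck:$apr1$constructed$hash\n"
SAMPLE_SQL = """
DELETE FROM session_attribute WHERE sid NOT IN ('tom','anonymous','authenticated');
DELETE FROM session
  WHERE sid NOT IN ('tom', 'huck', 'anonymous', 'authenticated', 'admin');
"""
GROUPS = {"anonymous", "authenticated"}   # permission groups
USERS_KEEP = {"admin"}                    # value of the users_keep option

if __name__ == "__main__":
    must_keep = htpasswd_users(SAMPLE_HTPASSWD) | GROUPS | USERS_KEEP
    for table, missing in missing_from_deletes(SAMPLE_SQL, must_keep).items():
        print(table, "OK" if not missing else "would purge: %s" % sorted(missing))
```

Any name reported as missing would be removed by that statement once dryrun is disabled, so an empty result for every table is the condition to look for.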
You may disable the dryrun mode once you finished the checks above. Well, you may even disable it immediately - but that's currently not recommended. Once you are sure everything works fine, you can even disable the writing of the *.sql files by setting the sql_file_path = none in your trac.ini.
This is what it could look like after a successful synchronization:
There are some things I consider for the future:
- only list "compatible" environments (i.e. those sharing the same password file, and where the current user has the required privileges)
- make the plugin more "fool-proof" and reliable (I need your feedback for that)
- identify and remove "dummy users" (i.e. spammers whose spam you already removed: registered users with no ownership/authorship of any ticket, wiki article, component, whatsoever - and a last_visit xx days in the past)
- introduce some "Listeners" (to notice registrations/changes in environments and automatically propagate them to the other environments, so you only need to run the synchronization manually once - which is after installation).
- Your feedback here, please.
- 7733 by izzy on 2010-02-26 08:03:06
  fixed a typo and added some more exception handling (usersync crashed under some strange conditions)
- 6987 by izzy on 2009-11-01 19:15:44
  ! wrong defaults for excludes
- 6986 by izzy on 2009-11-01 19:14:38
  + added option to exclude environments from sync by default
  ! selection of environments was ignored