
Re: mod_dav_svn + automatic per-directory user authorization

From: David Chapman <dcchapman_at_acm.org>
Date: Sat, 12 Feb 2011 09:47:36 -0800

On 2/12/2011 8:34 AM, m irya wrote:
> The problem:
> 1) there's a directory on the server containing multiple svn
> repositories roots, say /var/svn, with /var/svn/a, /var/svn/b, etc.
> being repository roots
> 2) these repositories are accessed via HTTP, handled by Apache2 + mod_dav_svn
> 3) there's a MySQL user-password database we need to use to
> authenticate access to those repositories
> 4) at last the problematic place itself: the repository
> /var/svn/$username must be accessible (both read and write) only to
> those who authenticated themselves as "$username" with a valid
> password from the MySQL database
>
> Currently I've stuck with two solutions (both incomplete) from tons of
> manuals and how-tos:
> a) AuthzSVNAccessFile could be a key to such an automatic repository
> -> user binding, but updating the access rights file on changes to
> MySQL database looks no way elegant, and will probably become a
> bottleneck with growing users database
> b) mod_auth_mysql (whatever one) makes it possible to transparently
> use the users database in Apache config, but still I'm unable to find
> a way to automatically Require user $username for a given repository
> /var/svn/$username.
>
> Please reply if someone has experience with such a configuration;
> any ideas/thoughts are welcome.
>
>

I'm not sure I understand the problem. Except for not using mysql to
access passwords, this is what I have now, and it works fine (with one
very important caveat: see below). Here is part of my httpd.conf file:

<VirtualHost 1.2.3.4:80>
   ServerName repos1.mydomain.com
   ServerAlias mydomain.com
   ServerAdmin admin_at_mydomain.com
   # just a placeholder:
   DocumentRoot "/home/user1"

<Location /user1>
     DAV svn
     SVNPath /home/user1
     AuthType Basic
     AuthName "Subversion repository"
     AuthUserFile /etc/passwd.user1
     Require valid-user
     AuthzSVNAccessFile /home/user1/conf/access.conf
</Location>

<Directory /home/user1>
     Options Indexes FollowSymLinks
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

   # log user1 operations separately from other users' operations
   CustomLog /var/log/httpd/svn_logfile "%t %u user1 %{SVN-ACTION}e" env=SVN-ACTION
</VirtualHost>

and the file /home/user1/conf/access.conf has:

[user1:/]
user1 = rw

There's been some name changing here, so this configuration has not been
tested in this precise form :-) but you get the idea. Every repository
has its own VirtualHost and its own access file; unless you have the
password for the one user in the repository, you can't read any of it.

You don't need to have <VirtualHost> entries for each repository; I host
multiple domains on a single machine and so I chose to have a different
host name (e.g. user1.mydomain.com) for every repository. This also
allows me to have user-specific access logging with CustomLog. You
could simply have a set of <Location> entries at the top level of the
httpd.conf file.

Note: <VirtualHost> with name-based hosts is incompatible with SSL
access (https://). I have a small number of repositories (and some
spare IP addresses), so in theory I could use network adapter aliasing
with "ifconfig", but I haven't got that far yet. Last time I tried
certificates I made a mess, and I spent too much time last month working
on computers anyway.

Here's the big caveat: whenever a repository is added or removed (in
your case, every time a user is added or removed), httpd must be
restarted because a <Location> entry must be added or removed. This
could be the big bottleneck, and if you use httpd to serve your
repositories, it's unavoidable. I know that some publicly accessible
Subversion hosting services (e.g. unfuddle.com) use http:// access, but
I don't know how they manage adding or removing users (unfuddle.com
advertises "up and running in as little as one minute").

So you need some method of getting the username and password from mysql
to httpd (replacing AuthType and AuthUserFile), but otherwise it's
pretty straightforward.

-- 
     David Chapman         dcchapman_at_acm.org
     Chapman Consulting -- San Jose, CA
Received on 2011-02-12 18:48:36 CET
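The layout the question describes (one repository per user under /var/svn) combined with the per-repository <Location> block and one-user access file from the reply, as an added shell example that is not part of the original thread. It assumes password files under /etc/svn-passwd/, access files under /etc/svn-access/, an include file path passed as an argument, and the apachectl configtest and graceful commands; the paths are placeholders. It also adds a check the thread does not discuss: usernames that come from the user database are validated before they are written into file paths and into httpd.conf, and the generated configuration is syntax-checked before httpd is reloaded, since the reload the reply mentions as the bottleneck is also the moment a bad line would take every repository offline.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the per-user
# <Location> block and AuthzSVN access file described in the reply for
# usernames taken from an external user database.
# Assumed (placeholder) paths: repositories under $SVN_ROOT/$user,
# password files under /etc/svn-passwd/, access files under /etc/svn-access/.

SVN_ROOT=${SVN_ROOT:-/var/svn}

# Usernames come from a database, so they end up inside file paths and
# inside httpd.conf itself. Accept only a conservative character set so a
# name such as "../x" or one containing '>' or whitespace can neither
# escape the repository root nor corrupt the generated configuration.
valid_username() {
    case "$1" in
        ''|*[!a-zA-Z0-9_-]*) return 1 ;;   # empty or forbidden character
        -*) return 1 ;;                     # no leading dash
        *) return 0 ;;
    esac
}

# Emit the <Location> block for one user: the repository at $SVN_ROOT/$user
# with its own password file and its own access file, as in the reply.
svn_location_block() {
    user=$1
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    cat <<EOF
<Location /$user>
    DAV svn
    SVNPath $SVN_ROOT/$user
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/svn-passwd/$user
    Require valid-user
    AuthzSVNAccessFile /etc/svn-access/$user.conf
</Location>
EOF
}

# Emit the access file: only $user may read and write; every other
# authenticated user is denied because no rule matches them.
svn_access_file() {
    user=$1
    valid_username "$user" || return 1
    printf '[%s:/]\n%s = rw\n' "$user" "$user"
}

# Rebuild the include file for every username read from stdin (one per
# line), then validate and reload httpd. New <Location> blocks only take
# effect after the reload, which is the caveat in the reply; configtest
# runs first so a broken line cannot take all repositories down.
# (apachectl subcommands assumed: configtest, graceful.)
regenerate_all() {
    out=$1          # e.g. /etc/httpd/conf.d/svn-users.conf (placeholder)
    tmp="$out.tmp"
    : > "$tmp"
    while read -r user; do
        svn_location_block "$user" >> "$tmp" || return 1
        svn_access_file "$user" > "/etc/svn-access/$user.conf" || return 1
    done
    mv "$tmp" "$out"
    apachectl configtest && apachectl graceful
}
```

Usage: `printf 'user1\nuser2\n' | regenerate_all /etc/httpd/conf.d/svn-users.conf` from a cron job or a hook on the user database. The include file is written to a temporary name and moved into place atomically so httpd never reads a half-written file, and a single invalid username aborts the run rather than silently producing a block for a path it does not own.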

This is an archived mail posted to the Subversion Users mailing list.