[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Fine grained access control over ra_dav using... mod_authz_svn

From: Sander Striker <striker_at_apache.org>
Date: 2003-06-10 14:02:46 CEST


I just completed the first implementation of mod_authz_svn.
This is a stop-gap for the time we don't have acls in the
filesystem. Note that the config reading is implemented
in a very naive way; the config is reloaded at every request.
So if you see some slowdown, it could be caused by this ;).

Also, there are several things to do left in the implementation.
Search the source for comments marked with XXX.

Nevertheless I feel this is ready to see the day of light
so a few people can play with it. Personally I'd like to
see mod_authz_svn incorporated in the main repository right
next to mod_dav_svn. I'll let others comment on that first

Attached is the source file for mod_authz_svn. Building it
is still a bit painful since I haven't made it into a nice
package with a 'configure' and all that. I'm hoping I don't
have to and can just ride along on the nice svn build system ;).

Compiling and installing:


$APXS -c -I${SVN_INSTALL_PATH}/include/subversion-1 \
         -I${SVN_SOURCE_PATH}/subversion/mod_dav_svn \
         -L${SVN_INSTALL_PATH}/lib -lsvn_subr-1 \
         -i mod_authz_svn.c

Then change the httpd.conf file. Add the following line
_after_ the one that loads mod_dav_svn:

  LoadModule authz_svn_module modules/mod_authz_svn.so

Next set up your subversion location like so:

<Location /svn> # or whereever
    DAV svn
    SVNPath /path/to/repos

    # Set up digest if you want...
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /path/to/htpasswd/file

    AuthzSVNAccessFile /path/to/access/file

    Require valid-user

Note that you are always requiring authentication now. This means
you need a dummy 'anonymous' account for anonymous read only users
now. Hopefully we can get this sorted out in Apache, since it seems
we need to do some more revamping there.

Finally, the access file format:

<groupname> = <user>[,<user>...]

[<path in repository>]
@<group> = rw
<user> = rw
* = r

An example (line continued lines are supposed to be on one line):

subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz,daniel,cmpilato,kevin,philip, \
subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
subversion-bindings = xela,yoshiki,morten,jespersm,knacke
subversion-rm = mprice
...and so on and so on...

# Allow everyone read on the entire repository
* = r
# Allow devs with blanket commit to write to the entire repository
@subversion = rw

@subversion-doc = rw

@subversion-bindings = rw

@subversion-rm = rw

@subversion-rm = rw

mass = rw

gthompson = rw


# Just for demonstration
* =
@subversion = rw

...and so on and so on...



PS. I'm aware that there is no license yet at the top of the file. I want to see
     if it goes into the main subversion repos first, prior to tacking on the license
     we use in there.

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Tue Jun 10 14:03:41 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.