On Wed, 2004-05-05 at 14:23, Robin Becker wrote:
> Scott Lawrence wrote:
> > Yes, I do all the access control in apache using http authentication.
> > This means that the only (write) access to the repository has to be
> > through http - no svnserve, no file access (we actually do some
> > read-only access on the server itself through file access, but _never_
> > write access). I'd be happy to post examples...
> That would be great; my understanding of Rewrite is poor. I have a suspicion
> that RewriteBase is involved in the sort of things I might need to do.
I don't use any form of rewrite (as Seth Falcon pointed out, that would
mean understanding and being dependent on how svn does URLs internally,
which would be bad).
Known limitations of this scheme:
1) All write access must be via https.
Since we wanted to have no user accounts on the server, we actually
see this as an advantage.
2) Access control is only at the repository level, not the path level.
We do one repository per project, and that's all the granularity
we need, so that too was deemed acceptable (I think that if we decide
we need more, I will do it in a pre-commit hook). We name a
group the same as the project, and group membership controls
write access.
So here's what we do - there are two (IP-based) virtual hosts, which
both inherit the same user/group rules from the server-wide
configuration:
===================================
<Directory "/">
#
# This sets up a common access control database for everything
#
AuthType Basic
AuthName "SIPfoundry"
AuthDBMType DB
AuthDBMUserFile /path/to/user
AuthDBMGroupFile /path/to/group
#
# This ensures that only things that are explicitly allowed
# are accessible.
#
Order allow,deny
Deny from all
</Directory>
====================================
The first virtual server is for anonymous
read-only repository access over http:
================================
################################################################
#### scm.sipfoundry.org
################################################################
<VirtualHost scm.sipfoundry.org>
ServerName scm.sipfoundry.org
Include conf.d/scm.SHARED.conf
################################################################
## project-specific configurations
################################################################
# there is one of these per project...
Include conf.d/scm.example.ANON.conf
</VirtualHost>
================================
The second virtual server is for authenticated access via https:
======================================
################################################################
#### scm.sipfoundry.org
################################################################
<VirtualHost scm.sipfoundry.org:443>
ServerName scm.sipfoundry.org:443
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/scm.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/scm.key
Include conf.d/scm.SHARED.conf
################################################################
## project-specific configurations
################################################################
Include conf.d/scm.example.USER.conf
</VirtualHost>
========================================
Note that they both include the same general rules from scm.SHARED.conf:
========================================
### Included into scm.{ANON,USER}.conf
###
### This configures all the scm content that is not project-specific
###
# [... a couple of non-subversion things...]
<Location /rep>
DAV svn
# any "/rep/foo" URL will map to a repository /scm/rep/foo
SVNParentPath /scm/rep
Allow from all
# For any operations other than these,
# require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Satisfy All
Allow from all
Require valid-user
</LimitExcept>
</Location>
=========================================
Then each project gets a pair of include files that get inserted into
the ANON and USER virtual host rules respectively:
The one for anonymous project read access (included above as
scm.example.ANON.conf):
==========================================
################################################################
## Project example
################################################################
<Location /rep/example/>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Deny from all
</LimitExcept>
</Location>
===========================================
and the one that permits authenticated write access (included above as
scm.example.USER.conf):
===========================================
################################################################
## Project example
################################################################
<Location /rep/example/>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Satisfy all
SSLRequireSSL
Require group example
</LimitExcept>
</Location>
===========================================
--
Scott Lawrence
SIPfoundry.org system administrator
postmaster@sipfoundry.org
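The pre-commit hook that the message above mentions as the way to get path-level granularity on top of Apache's per-repository check, written out as an added example (this is not Scott's or SIPfoundry's code). It assumes a hypothetical PATH_RULES table mapping path prefixes inside the repository to the group allowed to change them, a hypothetical plain-text group file in htgroup format ("group: user user") at /scm/etc/groups (the message uses a DBM group file for Apache; the text format is assumed here for simplicity), and that svnlook is installed at /usr/bin/svnlook (hooks run with an empty environment, so the absolute path matters). Because the only write path is HTTPS with `Require valid-user`, `svnlook author` on the transaction reflects the HTTP-authenticated user, which is what makes the author name trustworthy as a policy input.

```python
#!/usr/bin/env python3
"""pre-commit hook: path-level write control layered on Apache's
per-repository authentication. Exits non-zero (rejecting the commit)
if the author touches a path whose rule names a group they are not in.

Added example; assumed names: PATH_RULES, GROUP_FILE, SVNLOOK."""
import subprocess
import sys

# Assumed policy table: (path prefix inside the repository, required group).
# First matching rule wins; paths matching no rule fall back to the
# repository-level Apache check alone (i.e. any member of the project group).
PATH_RULES = [
    ("tags/", "release-managers"),
    ("trunk/build/", "build"),
]

GROUP_FILE = "/scm/etc/groups"   # assumed htgroup-style file: "group: user user"
SVNLOOK = "/usr/bin/svnlook"     # assumed location; hooks run with an empty env


def parse_group_file(text):
    """Parse htgroup-style lines ('group: alice bob') into {group: set(users)}.
    Blank lines and '#' comments are ignored."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def parse_changed(text):
    """Parse 'svnlook changed' output. Each line is a two-character status
    (content change in column 1, property change in column 2), two spaces,
    then the repository path, e.g. 'A   tags/1.0/' or '_U  trunk/Makefile'."""
    paths = []
    for line in text.splitlines():
        if len(line) < 4:
            continue
        paths.append(line[4:])
    return paths


def violations(author, changed_paths, groups, rules=PATH_RULES):
    """Return [(path, required_group)] for every changed path the author
    is not entitled to modify under the first matching rule."""
    bad = []
    for path in changed_paths:
        for prefix, group in rules:
            if path.startswith(prefix):
                if author not in groups.get(group, set()):
                    bad.append((path, group))
                break  # first matching rule decides
    return bad


def svnlook(subcommand, repos, txn):
    """Run 'svnlook <subcommand> -t TXN REPOS' and return its stdout."""
    return subprocess.run(
        [SVNLOOK, subcommand, "-t", txn, repos],
        capture_output=True, text=True, check=True,
    ).stdout


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: pre-commit REPOS TXN\n")
        return 2
    repos, txn = argv[1], argv[2]
    author = svnlook("author", repos, txn).strip()
    changed = parse_changed(svnlook("changed", repos, txn))
    with open(GROUP_FILE) as f:
        groups = parse_group_file(f.read())
    bad = violations(author, changed, groups)
    for path, group in bad:
        # Anything written to stderr is shown to the committing client.
        sys.stderr.write("%s may not modify %s: requires group %s\n"
                         % (author, path, group))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as hooks/pre-commit under the repository directory (with the SVNParentPath from the message, that is /scm/rep/<project>/hooks/pre-commit), executable, and keep the Apache rules in place: the hook narrows who may change which paths, but it does nothing to stop anonymous writes over plain HTTP; that is still the job of the `Deny from all` in the ANON include.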
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed May 5 21:12:46 2004