[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: subversion acls

From: Michael Hertling <hertling_at_ikp.tu-darmstadt.de>
Date: 2006-02-20 20:08:10 CET

On Fri, 17 Feb 2006, Rahul S wrote:
> [...] I am trying to set up directory-level
> access control in the repository. The 'conf/authz' is as follows:
> [/]
> * = r
> [/abc/trunk/src]
> * =
> user1 = rw
> But when I try to checkout the source as the user 'user1', I get the
> following error:
> "svn: Not authorized to open root of edit operation"

Hi Rahul, dear svn community,

using the new path-based authorization feature of svnserve 1.3.0 - no
Apache involved - I've encountered a similar problem which appears to
have the same origin. Having 'svnuser' in 'conf/passwd' of repository
'repos', blanket access rules in 'conf/svnserve.conf' set to defaults
'anon-access=read' and 'auth-access=write', resp., it was my intention
to disable anonymous access to the repository's root and explicitly
enable it for selected paths, i.e. in 'conf/authz':

* =
svnuser = r
* = r
svnuser = rw

The above lines should allow authenticated read access to '/' for
'svnuser' and anonymous read access to '/trunk'. The command line

svn co --username svnuser svn://localhost/repos workdir

correctly challenges for authentication as user 'svnuser', but then
terminates with "svn: Not authorized to open root of edit operation",
leaving a working directory 'workdir' with only a '.svn' subdirectory
therein. In particular, the latter strikes me as faulty behaviour since
svn usually doesn't create a working directory if a checkout operation
aborts due to failed authentication.

Furthermore, in case of anonymous access being forbidden in general by
'anon-access=none' in 'conf/svnserve.conf' with 'conf/authz' unchanged,
the above command works as expected: challenge for authentication and
subsequent checkout. This leads to the - imho - somewhat paradoxical
situation where one has to tighten the rules for anonymous access in
order to gain the desired authenticated access. Nevertheless, even if
it's the normal method of svn to operate anonymously as far as possible,
it should manage to perform the checkout mentioned at first after it
receives a valid authentication. To me, it seems as if svn tries to
perform the checkout anonymously even after the need for authentication
has been realized and caused the proper challenge, and finally stumbles
across the entirety of access rules.

@ Rahul: Try your desired operations with 'anon-access=none' and see if
this succeeds. Provided that you're absolutely in need of an anonymous
repository handling, my suggestion is to add an account without password
to the repository, e.g. 'guest', and give the access rights originally
intended for the anonymous user to it. This workaround will complicate
access rules in 'conf/authz' though, but allows at least anonymous-like
operations, e.g.:

svn co --username guest --password '' svn://<host>/<repos>/<path>

@ svn developers: I'd like to ask if the behaviour described above and
earlier by Rahul is really intented w.r.t. svnserve's new path-based
authorization and I'm overlooking something, or if it's indeed

Any suggestions, clarifications etc. will be greatly appreciated.



To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Feb 20 20:10:30 2006

This is an archived mail posted to the Subversion Users mailing list.