
Authentication and Authorisation

From: Michael Jervis <mjervis_at_gmail.com>
Date: 2006-03-07 17:46:10 CET


Recently having set up a SVN repository at work, we decided to go for
a very simple A&A scheme. Anyone could read any repository, only
logged in developers could write to the repositories.

<Location /repository>
        DAV svn
        SVNParentPath d:/svn/
        SVNIndexXSLT "/svnindex.xsl"

        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile "d:/svn/svn-auth-file"

                Require valid-user

This works fine. Now however, we have a new requirement to restrict
access to one of our repositories to only certain developers, and
grant write access to another repository to a lot more users, whilst
restricting the core repository to certain users... So I looked at
the FGAC settings:

<Location /repository>
        DAV svn
        SVNParentPath d:/svn/
        SVNIndexXSLT "/svnindex.xsl"

        # our access control policy
        AuthzSVNAccessFile d:/svn/authpolicy

        # try anonymous access first, resort to real
        # authentication if necessary.
        Satisfy Any
        Require valid-user

        AuthType Basic
        AuthName "RiO Subversion Repository"
        AuthUserFile "d:/svn/svn-auth-file"
# Require valid-user
# </LimitExcept>

So far, just what I've grabbed from the book really.

Then in the authpolicy file:

developers = mjervis and lots of others
other-app-developers = mjervis, another
otherusers = some other people
everyone = @developers, @other-app-developers, @otherusers

# Read only access to everyone for everything:
* = r

# write access to core app for devs only
@developers = rw

# Write access to otherapp for mike and h only
@other-app-developers = rw

# Write access to sandbox for everyone with a login:
@everyone = rw

Bearing in mind that my login (mjervis) has not changed, I have not
changed the svn-auth-file at all (yet). When I access:


Which should be rw by all people, I get 403, forbidden. When I access
any other repository I get the same, 403, forbidden. I've tried adding
mjervis to the / rule and to the repository:/ rules. No joy.

Working on the basis that it's something obvious to an experienced admin,
how big an idiot am I being? What have I missed?

Michael Jervis
Received on Tue Mar 7 17:47:48 2006

This is an archived mail posted to the Subversion Users mailing list.
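
The policy described in the mail, written as an authz file with `[groups]`, `[/]` and `[repository:/]` sections and checked with a small evaluator. This is an added example, not part of the original post or of Subversion's code. The repository names, the user names other than mjervis, and the simplified lookup (repository-specific section first, then the plain path, then parent paths, with all matching lines combined) are assumptions.

```python
import configparser
# Constructed sample: repo names and all users except mjervis are assumed.
AUTHZ = """
[groups]
developers = mjervis, alice
other-app-developers = mjervis, another
otherusers = bob
everyone = @developers, @other-app-developers, @otherusers
[/]
* = r
[core:/]
* = r
@developers = rw
[otherapp:/]
* = r
@other-app-developers = rw
[sandbox:/]
* = r
@everyone = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    return cp

def members(cp, group, seen=()):
    """Expand a group to user names, following nested @group references."""
    out = set()
    for m in (x.strip() for x in cp["groups"].get(group, "").split(",")):
        if m[:1] != "@":
            out.add(m)
        elif m[1:] not in seen:  # guard against circular group definitions
            out |= members(cp, m[1:], seen + (group,))
    return out - {""}

def access(cp, user, repo, path="/"):
    """Simplified lookup: '', 'r' or 'rw' for user (None = anonymous)."""
    while True:
        for section in (f"{repo}:{path}", path):  # repo-specific rule first
            rules = cp[section].items() if cp.has_section(section) else []
            hits = [p for who, p in rules if who in ("*", user)
                    or (who[:1] == "@" and user in members(cp, who[1:]))]
            if hits:  # permissions of all matching lines combine
                return "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""  # nothing matched up to the root: deny
        path = path.rsplit("/", 1)[0] or "/"
```

Checking each user against each repository this way before deploying a policy file shows whether anyone ends up with no matching rule, which the evaluator treats as no access.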