
Authentication and Authorisation

From: Michael Jervis <mjervis_at_gmail.com>
Date: 2006-03-07 17:46:10 CET

Hi,

Recently having set up a SVN repository at work, we decided to go for
a very simple A&A scheme. Anyone could read any repository, only
logged in developers could write to the repositories.

<Location /repository>
        DAV svn
        SVNParentPath d:/svn/
        SVNIndexXSLT "/svnindex.xsl"

        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile "d:/svn/svn-auth-file"

        <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
        </LimitExcept>
</Location>

This works fine. Now however, we have a new requirement to restrict
access to one of our repositories to only certain developers, and
grant write access to another repository to a lot more users, whilst
restricting the core repository to certain users... So I looked at
the FGAC settings:

<Location /repository>
        DAV svn
        SVNParentPath d:/svn/
        SVNIndexXSLT "/svnindex.xsl"

        # our access control policy
        AuthzSVNAccessFile d:/svn/authpolicy

        # try anonymous access first, resort to real
        # authentication if necessary.
        Satisfy Any
        Require valid-user

        AuthType Basic
        AuthName "RiO Subversion Repository"
        AuthUserFile "d:/svn/svn-auth-file"
        # <LimitExcept GET PROPFIND OPTIONS REPORT>
        #         Require valid-user
        # </LimitExcept>
</Location>

So far, just what I've grabbed from the book really.

Then in the authpolicy file:

[groups]
developers = mjervis and lots of others
other-app-developers = mjervis, another
otherusers = some other people
everyone = @developers, @other-app-developers, @otherusers

# Read only access to everyone for everything:
[/]
* = r

# write access to core app for devs only
[coreapp:/]
@developers = rw

# Write access to otherapp for mike and h only
[otherapp:/]
@other-app-developers = rw

# Write access to sandbox for everyone with a login:
[sandbox:/]
@everyone = rw

Bearing in mind that my login (mjervis) has not changed, I have not
changed the svn-auth-file at all (yet). When I access:

http://devserver:8080/repository/sandbox

Which should be rw by all people, I get 403, forbidden. When I access
any other repository I get the same, 403, forbidden. I've tried adding
mjervis to the / rule and to the repository:/ rules. No joy.

Working on the basis, it's something obvious to an experienced admin,
how big an idiot am I being? What have I missed?

--
Michael Jervis
mjervis@gmail.com
Received on Tue Mar 7 17:47:48 2006

This is an archived mail posted to the Subversion Users mailing list.
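
Added example (not part of the original post, and not Subversion's own code): a simplified Python model of the path-based lookup the Subversion book describes for an AuthzSVNAccessFile, run over a constructed copy of the policy above so that the access each login should receive can be compared with what the server returns. It assumes the most specific path is consulted first, a [repo:/path] section before the global [/path] one, and that matching lines in a section are combined; the member names alice and bob and the helpers load, members, applies and access are made up for illustration.

```python
import configparser
# Constructed copy of the posted policy; alice and bob stand in for the elided members.
POLICY = """[groups]
developers = mjervis, alice
other-app-developers = mjervis, another
otherusers = bob
everyone = @developers, @other-app-developers, @otherusers
[/]
* = r
[coreapp:/]
@developers = rw
[otherapp:/]
@other-app-developers = rw
[sandbox:/]
@everyone = rw
"""

def load(text):
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep user and group names case-sensitive
    cfg.read_string(text)
    return cfg

def members(cfg, group, seen=()):
    seen = seen + (group,)  # guards against groups that reference each other
    out = set()
    for m in (x.strip() for x in cfg["groups"].get(group, "").split(",")):
        if m.startswith("@"):
            if m[1:] not in seen:
                out |= members(cfg, m[1:], seen)
        elif m:
            out.add(m)
    return out

def applies(cfg, who, user):
    if who.startswith("@"):
        return user in members(cfg, who[1:])
    return who == "*" or (user is not None and who == user)

def access(cfg, user, repo, path="/"):
    # Assumed model: walk from path up to "/", [repo:path] before [path];
    # the first section with a line matching the user decides. user=None is anonymous.
    while True:
        for section in (f"{repo}:{path}", path):
            rules = cfg[section].items() if cfg.has_section(section) else []
            hits = [val for who, val in rules if applies(cfg, who, user)]
            if hits:
                return "".join(sorted({c for v in hits for c in v if c in "rw"}))
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"
```

Under this model access(load(POLICY), "mjervis", "sandbox") gives "rw" and an anonymous request (user None) to the same repository gives "r".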