
mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE

From: Brian Brophy <brianbrophy_at_email.com>
Date: 2006-07-17 04:56:35 CEST

Hello,

We are using mod_authz_ldap to authenticate our users and mod_authz_svn
to authorize them. Subversion 1.3.1 running on Red Hat Enterprise Linux
3 and Apache 2.0.46.

What I can see is that authentication is working fine and the user is
being identified by mod_authz_svn correctly. Authorization is working
fine for everything except the COPY operation, and thus MOVE and RENAME
as well (since these attempt copies at some point).

Here is the attempt:
svn copy -m 'testing' --username user123 --password mySecret
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup"
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2"

Here is an excerpt from a failed COPY (note how the user is correctly
identified and then failed as 'null' when SVN tries to copy the new
file's name to itself ... weird ...):
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' CHECKOUT repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' PROPPATCH repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
GET repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' DELETE repo:
[Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with
standard shutdown(server server.abc.com:443, client 127.0.0.1)

And here is the corresponding mod_authz_svn ACL file:
# Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
[groups]
repo_SVN Administrator = user123, user789
repo_SVN Architecture = user123, user456

[repo:/]
* = r
@repo_SVN Administrator = rw

[repo:/Common/Architecture]
@repo_SVN Architecture = rw

Additionally, here is the Apache subversion.conf file:
# Load Subversion Modules
LoadModule authz_ldap_module modules/mod_authz_ldap.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn/repo>
   DAV svn
   SVNPath /shared/subversion/repos/abc
   SVNIndexXSLT "/arch-svnindex.xsl"
   SSLRequireSSL
   AuthzLDAPMethod ldap
   AuthzLDAPAuthoritative off
   AuthzSVNAuthoritative on
   AuthType Basic
   AuthName "LDAP"
   AuthzLDAPServer 127.0.0.1:10636
   AuthzLDAPLogLevel debug
   AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
   AuthzLDAPUserKey uid
   AuthzLDAPUserScope base
   AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
   AuthzLDAPGroupKey cn
   AuthzLDAPGroupScope base
   AuthzLDAPMemberKey uniquemember
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
   </LimitExcept>
   AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>

Please note that the log excerpt above is the result of the single copy
command ... why does it attempt to copy from old to new (expected) but
then also after that from new to new?

Thanks,
Brian

Received on Mon Jul 17 04:57:58 2006

This is an archived mail posted to the Subversion Users mailing list.
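
An added triage example, not part of the original post: a small parser for the mod_authz_svn log format quoted in the message. It rejoins the mail-wrapped entries and reports each denial recorded without a user name, together with any named user granted the same method from the same client in the same second. The function names are hypothetical, and treating both `-` and `(null)` as "no user name recorded" is an assumption based on the excerpt.

```python
import re
# Sample lines copied from the log excerpt above, with the mail wrapping left in.
SAMPLE_LOG = """\
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
repo:/Common/Architecture/Publish/Working/hotBackup2
"""

ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] "
                   r"Access (?P<verdict>granted|denied): (?P<user>'[^']*'|-) "
                   r"(?P<method>[A-Z]+) (?P<paths>.*)")
NO_USER = {"-", "(null)"}  # assumption: both mean no user name was recorded

def parse(text):
    """Rejoin wrapped entries (a new entry starts with '[') and parse them."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    records = []
    for m in filter(None, map(ENTRY.match, entries)):
        rec = m.groupdict()
        rec["user"] = rec["user"].strip("'")
        rec["paths"] = rec["paths"].split()  # assumes no spaces in paths
        records.append(rec)
    return records

def null_user_denials(records):
    """Denials with no user, plus named users granted the same method that second."""
    findings = []
    for r in records:
        if r["verdict"] != "denied" or r["user"] not in NO_USER:
            continue
        key = (r["ts"], r["client"], r["method"])
        named = sorted({g["user"] for g in records
                        if g["verdict"] == "granted" and g["user"] not in NO_USER
                        and (g["ts"], g["client"], g["method"]) == key})
        same = len(r["paths"]) == 2 and r["paths"][0] == r["paths"][1]
        findings.append({"method": r["method"], "paths": r["paths"],
                         "granted_same_second": named, "src_equals_dst": same})
    return findings

print(null_user_denials(parse(SAMPLE_LOG)))
```

On the sample it reports one finding: the COPY check on hotBackup2 with no user, alongside the grant to 'user123' for COPY in the same second.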
