Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE

From: Brian Brophy <brianbrophy_at_email.com>
Date: 2006-07-21 04:41:44 CEST

I have not heard any responses yet. Should I be perhaps posting this to
an alternate location?

Thanks again,
Brian

Brian Brophy wrote:

> Hello,
>
> We are using mod_authz_ldap to authenticate our users and
> mod_authz_svn to authorize them. Subversion 1.3.1 running on Red Hat
> Enterprise Linux 3 and Apache 2.0.46.
>
> What I can see is that authentication is working fine and the user is
> being identified by mod_authz_svn correctly. Authorization is working
> fine for everything except the COPY operation, and thus MOVE and
> RENAME as well (since these attempt copies at some point).
>
> Here is the attempt:
> svn copy -m 'testing' --username user123 --password mySecret
> "https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup"
> "https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2"
>
>
> Here is an excerpt from a failed COPY (note how the user is correctly
> identified and then failed as 'null' when SVN tries to copy the new
> file's name to itself ... weird ...):
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' CHECKOUT repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' PROPPATCH repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> GET repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
> PROPFIND repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
> repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
> '(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
> repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' DELETE repo:
> [Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with
> standard shutdown(server server.abc.com:443, client 127.0.0.1)
>
> And here is the corresponding mod_authz_svn ACL file:
> # Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
> [groups]
> repo_SVN Administrator = user123, user789
> repo_SVN Architecture = user123, user456
>
> [repo:/]
> * = r
> @repo_SVN Administrator = rw
>
> [repo:/Common/Architecture]
> @repo_SVN Architecture = rw
>
> Additionally, here is the apache subversion.conf file:
> # Load Subversion Modules
> LoadModule authz_ldap_module modules/mod_authz_ldap.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
>
> <Location /svn/repo>
> DAV svn
> SVNPath /shared/subversion/repos/abc
> SVNIndexXSLT "/arch-svnindex.xsl"
> SSLRequireSSL
> AuthzLDAPMethod ldap
> AuthzLDAPAuthoritative off
> AuthzSVNAuthoritative on
> AuthType Basic
> AuthName "LDAP"
> AuthzLDAPServer 127.0.0.1:10636
> AuthzLDAPLogLevel debug
> AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
> AuthzLDAPGroupKey cn
> AuthzLDAPGroupScope base
> AuthzLDAPMemberKey uniquemember
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require valid-user
> </LimitExcept>
> AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
> </Location>
>
> Please note that the log excerpt above is the result of the single
> copy command ... why does it attempt to copy from old to new
> (expected) but then also after that from new to new?
>
> Thanks,
> Brian
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

Received on Fri Jul 21 04:42:50 2006
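
A way to pull denials like the one in the quoted log out of an Apache error log, added here as an example and not part of the original post. The sample lines are constructed from the excerpt above with the wrapped lines rejoined, and the function and class names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample, modelled on the mod_authz_svn lines quoted in the post
# (wrapped lines rejoined; this is not the poster's actual log file).
SAMPLE_LOG = """\
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied: '(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2 repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 'user123' DELETE repo:
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"Access (?P<decision>granted|denied): (?P<user>-|'[^']*') "
    r"(?P<method>[A-Z]+) (?P<paths>.*)$"
)

class Decision(NamedTuple):
    ts: str
    client: str
    granted: bool
    user: Optional[str]   # None when the check carried no user ("-" or "(null)")
    method: str
    paths: tuple          # one entry, or (source, destination) for COPY

def parse(log_text):
    """Yield one Decision per mod_authz_svn access line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["user"].strip("'")
        user = None if raw in ("-", "(null)") else raw
        # Paths are split on whitespace, so paths containing spaces are not handled.
        yield Decision(m["ts"], m["client"], m["decision"] == "granted",
                       user, m["method"], tuple(m["paths"].split()))

def userless_denials(log_text):
    """Denials checked with no user, paired with the last user seen for that client."""
    last_user, hits = {}, []
    for d in parse(log_text):
        if d.user:
            last_user[d.client] = d.user
        elif not d.granted:
            hits.append((d, last_user.get(d.client)))
    return hits
```
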

This is an archived mail posted to the Subversion Users mailing list.
