
Re: Enforcing per project permissions with groups

From: Reinhard Brandstädter <reinhard.brandstaedter_at_jku.at>
Date: 2006-10-27 11:17:04 CEST

On Wednesday 25 October 2006 18:00, Tom Hodder wrote:
> Hi,
>
> I am attempting to configure apache/mod_dav_svn to handle per project
> group authentication.
> I have tried something like;
>
> <Location /repos>
> DAV svn
> SVNPath /data/repos
> #Require group admins
> AuthType Basic
> AuthName "EMAP subversion repository"
> # temporarily using auth text files instead of db backend
> AuthUserFile AuthUserFile
> AuthGroupFile AuthGroupFile
> </Location>
>
> <Location /repos/site1>
> Require group site1
> </Location>
>
> <Location /repos/site2>
> Require group site2
> </Location>
>
> However, this allows users to access the root of the repository. And I
> guess do bad things there, as they have write access.
>
> If I include a directive in the <Location /repos> block like;
> <Location /repos>
> Require group admins
>
> The users cannot get into the sites - and I get a whole bunch of errors
> like this;
> [Wed Oct 25 16:51:38 2006] [error] [client x.x.x.x] access to
> /repos/!svn/vcc/default failed, reason: user user1 not allowed access
>
>
> Any ideas on how to do this?
>
> (I tried implementing this in the AuthzSVNAccessFile file, but
> mod_authz_svn does not include apache groups, and it looks like the
> config for this is going to get big, as I have 100 projects/groups and
> 20 users to configure.)

If you do not use these AuthGroupFile and AuthUserFile for anything else but
Subversion I'd pass the authentication to a higher level instance, e.g. use
Apache LDAP authentication. Although in your case (only 20 users) I'd create
local users and use mod_auth_shadow to authenticate against the local user
base.
Authorization I'd still handle in SVNAuthzFile like this:
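# Group definitions: the only section to edit when users come and go.
[groups]
group1 = user1, user3, user5
group2 = user2, user4, user6, user1
admins = admin

# Repository root: closed to everyone except admins.
[/]
* =
@admins = rw

# Per-project grants; group references take an @ prefix.
[/project1]
@group1 = rw
@group2 = r

[/project2]
@group1 =
@group2 = rw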

This way no user except admins has "rw" access to your repository root (users
authenticated by Apache don't even have read access on root; by default they
have no access at all even though they are authenticated).
Then you selectively add permissions for groups and projects.

In production use, once you have defined permissions on projects you only
have to assign users in the global section.

Reinhard

Received on Fri Oct 27 11:17:53 2006
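
Added example, not part of the original mail and not Subversion's own code: with around 100 projects, the authz file described in the reply can be generated from a project-to-group mapping and checked for the closed-root property before it is deployed. The sample users and grants are constructed, and `access_for` is a simplified model of path-based lookup (nearest section that names the user decides), not mod_authz_svn's implementation.

```python
import configparser

def build_authz(groups, projects, admin_group="admins"):
    """Render an authz file: root closed to all but admins, one section per project.
    groups: {group: [users]}; projects: {path: {group: "rw" | "r" | ""}}."""
    lines = ["[groups]"]
    lines += [f"{g} = {', '.join(users)}" for g, users in sorted(groups.items())]
    lines += ["", "[/]", "* =", f"@{admin_group} = rw"]
    for path, grants in sorted(projects.items()):
        lines += ["", f"[/{path.strip('/')}]"]
        for group, access in sorted(grants.items()):
            if group not in groups:  # catch typos before they reach the server
                raise ValueError(f"{path}: undefined group {group!r}")
            lines.append(f"@{group} = {access}")
    return "\n".join(lines) + "\n"

def access_for(authz_text, user, path):
    """Simplified model of path lookup: nearest section naming the user decides."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(authz_text)
    mine = {"*", user} | {"@" + g for g, members in cp["groups"].items()
                          if user in [m.strip() for m in members.split(",")]}
    parts = [p for p in path.split("/") if p]
    while True:
        section = "/" + "/".join(parts)
        if cp.has_section(section):
            hits = [v for k, v in cp[section].items() if k in mine]
            if hits:
                return max(hits, key=len)  # "rw" beats "r" beats "" (no access)
        if not parts:
            return ""  # nothing matched anywhere: no access
        parts.pop()

# Constructed sample data, using the group names from the thread.
GROUPS = {"admins": ["admin"], "site1": ["user1", "user3"], "site2": ["user2"]}
PROJECTS = {"site1": {"site1": "rw", "site2": "r"}, "site2": {"site2": "rw"}}
AUTHZ = build_authz(GROUPS, PROJECTS)

if __name__ == "__main__":
    print(AUTHZ)
    for user, path in [("user1", "/"), ("user1", "/site1/trunk"), ("user2", "/site1")]:
        print(user, path, repr(access_for(AUTHZ, user, path)))
```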

This is an archived mail posted to the Subversion Users mailing list.
