
detecting AuthzSVNAccessFile errors

From: Todd C. Gleason <tgleason_at_impac.com>
Date: Fri, 29 May 2009 11:26:34 -0700

I recently encountered a problem where a badly formatted
AuthzSVNAccessFile went undetected and we struggled to figure out why
some users could not commit to the repository.

 

The server is a Windows 2003 Server running Apache 2.2 and Subversion
1.5.2. To install an updated configuration I basically do this:

* Run httpd -t to test httpd-ssl.conf.
* Run httpd -n "[service name]" -k restart to do a graceful
  restart.
* Run net start | find /I "[service name]" > NUL and check
  ERRORLEVEL to determine whether the server is started.
* Run an svn ls command to verify the AuthzSVNAccessFile.
* On any error, roll back the configuration, restart the server
  again, and re-test to determine whether the rollback succeeded.

 

With some AuthzSVNAccessFile parsing errors, the svn ls command will
fail after the restart. However, in one case I just found out about,
the server appears to restart, and svn ls runs, but the new auth file
doesn't really seem to be active, because any subsequent changes don't
seem to be recognized.

 

The parsing error we had was in the [groups] section. Our ordinary
format would look like this:

[groups]
GroupName = one, two, three, four

The bad edit left it like this:

[groups]
GroupName = one, two twob, three, four

Note the missing comma.

 

I realize I can install a command-line grep to detect this specific case
if nothing else, but is there a better way to detect this problem and
maybe other syntax errors at the same time? I'd really like something
like httpd -t for the AuthzSVNAccessFile but I haven't heard of such a
thing. I also scanned all the Apache logs and found nothing helpful.

 

Some more configuration information:

* We have users authenticating from multiple domains
* SSPIOmitDomain On
* For some reason we had to specify an SSPIDomain and doing this
  with one of our domains would let it work with the other, but the
  reverse was not true. Users are specified in the auth file without
  domains (though initially I tried, and failed, to get it to work
  including domains).
* We use an SVNParentPath to allow multiple repositories under a
  single <Location>
* SSPIOfferBasic On
* SSPIPerRequestAuth Off
* SSPIUsernameCase lower
* We use <LimitExcept GET PROPFIND OPTIONS REPORT> containing:
  Require Group [Domain\\GroupName]
* The auth file has [/] * = r for now, so as long as a user is in
  the above-named group, they should be able to read everything.

 

--Todd

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2356909

Received on 2009-05-29 20:28:40 CEST
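
Added example (not part of the original post and not Subversion code): a pre-deployment check for the access file that flags the missing-comma edit described above, plus undefined group references and unknown access values. The function name lint_authz is hypothetical, the sample input is constructed, and the check assumes user and group names never contain whitespace, which is stricter than the server's own parser.

```python
import re

ACCESS = {"", "r", "rw"}  # access values allowed in path rules

def lint_authz(text):
    """Return sorted (line_number, message) findings for an authz file's text."""
    # Fold continuation lines (leading whitespace) into the previous entry; skip blanks and '#' comments.
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and raw.strip() and entries:
            entries[-1][1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            entries.append([no, raw.strip()])
    findings, section, groups, refs = [], None, set(), []
    for no, line in entries:
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section is None or "=" not in line:
            findings.append((no, "expected 'name = value' inside a section"))
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if section == "groups":
            groups.add(name)
            for member in filter(None, (m.strip() for m in value.split(","))):
                # Assumption: a member containing whitespace is two names with a lost comma.
                if re.search(r"\s", member):
                    findings.append((no, f"group '{name}': member '{member}' contains whitespace, missing comma?"))
                elif member.startswith("@"):
                    refs.append((no, member[1:]))
        elif section != "aliases":  # every other section is treated as a path rule block
            if value not in ACCESS:
                findings.append((no, f"'{name}': access '{value}' is not r, rw or empty"))
            if name.startswith("@"):
                refs.append((no, name[1:]))
    # Group references are resolved last so definition order does not matter.
    findings += [(no, f"undefined group '@{g}'") for no, g in refs if g not in groups]
    return sorted(findings)

# Constructed sample reproducing the bad edit from the post (comma missing after "two").
SAMPLE = """\
[groups]
GroupName = one, two twob, three, four
[/]
* = r
@GroupName = rw
@Typo = rw
"""
```

Run it on the candidate file before the restart step and treat any finding as a failed configuration test, the same way a non-zero exit from httpd -t would be handled.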

This is an archived mail posted to the Subversion Users mailing list.
