> -----Original Message-----
> From: Patricia A Moss [mailto:pmoss4_at_csc.com]
> Sent: Wednesday 17 June 2009 12:36
> To: Johan Corveleyn
> Subject: RE: Limiting permission's
>
>
> > I think you misunderstand the Limit and LimitExcept directives. These
> > are Apache directives, and you can find what they mean at
> > http://httpd.apache.org/docs/2.2/ . They can be used to limit access
> > (read/write) for groups of people to the repository as a whole (you
> > can't use them to do "path-based authorization").
> >
> > You have to understand that the HTTP (WebDAV) methods GET, OPTIONS,
> > PROPFIND and REPORT are the ones that SVN uses to read stuff. To write
> > stuff it also needs access to other methods, like PUT, DELETE, ...
> >
> > The Limit section literally says: apply the underlying restrictions to
> > the listed methods.
> > The LimitExcept section literally says: apply the underlying
> > restrictions to any HTTP method, *except* the listed methods.
> >
> > The way you have it configured, you really say:
> > - restrict access to SVN's read methods to group CN=PRJ FP-Development,...
> > - restrict access to all other methods to that same group
> >
> > That's why the post of Jason Malinowski is correct: you could just as
> > well put the restriction of this group in the Location block itself.
> >
> > So I guess in the end, I don't understand what you're trying to do,
> > and what is going wrong (not as expected).
> > If you want everyone to have read access, but only your special group
> > to have write access, you should just remove the "Limit" block from
> > the config sample you posted. The "LimitExcept" block with the "Require
> > ldap-group" will make sure that all write methods (i.e. all of them
> > except GET, PROPFIND, OPTIONS and REPORT) are restricted to that
> > group.
> >
> > Hope this helps...
> > Regards,
> > Johan
>
>
> Johan -
> This TOTALLY helps me. Thank you.
> What I want to do is to allow r/w access to only FP-Development. So, if
> I understand what you are telling me above, I should only have one line
> and that should be:
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>     Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
> </LimitExcept>
> And this is saying limit read access to everyone except FP-Development,
> correct?
Close, but not exactly accurate. It's really saying "Limit write access (i.e. everything except the read actions GET, PROPFIND, OPTIONS and REPORT) to the group FP-Development". It doesn't impose any additional restrictions on the read actions (get, propfind, ...). Those fall back on any restrictions that you've already put in your Location block, as general restrictions (in this case "Require valid-user", i.e. you have to be authenticated to be able to read).
> I checked out the url that you sent; thank you. I didn't see anything
> about "GET, PROPFIND...etc". So I am not sure if my above line is
> allowing read and write or just read.
It's saying nothing about read (that's done by the Require valid-user in the Location block), only restricting write access to that group.
GET, PROPFIND, ... are HTTP and WebDAV "methods". You'd have to read some articles or RFCs to get to know them thoroughly, and to find out how SVN uses them. Anyway, in this case all you need to know is that those 4 methods are the "read" ones for SVN. And by limiting all the others (the "non-read" = write ones), you effectively limit write access. It's more or less described (with an example Apache config) in the SVN book:
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.blanket
Maybe one more caveat you might run into: your ldap-group has a space in it. I'm not exactly sure, but you might have to put it between double quotes after the "Require ldap-group" directive to make it work. Some experimentation will help you figure that out. If it doesn't work as expected, be sure to take a look at the apache error logs to find out why...
(oh and one more thing: best to keep the list in cc when replying, so others can follow in case anyone's still interested)
Regards,
Johan
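[Editor's note, added to this archived message; the configuration below is an illustration written for this page, not the config Patricia posted or anything from the Subversion project.] The variant the thread converges on (any authenticated user may read, only the project group may write) looks like this for Apache 2.2 and mod_authnz_ldap. Assumed and hypothetical: the repository path /var/svn/repos served at /svn/repos, the AuthLDAPURL for a domainname.com directory, and a bind account; the group DN is the one quoted in the thread. One point the thread does not spell out: in Apache 2.2 every Require line that applies to a request is ORed with the others (RequireAll/RequireAny only arrived in 2.4), so a bare "Require valid-user" at Location level would also satisfy PUT, DELETE and the other write methods for any authenticated user. The example therefore scopes the read rule with a matching Limit block instead of leaving it bare in the Location block.

```apache
# Added example for this page; not the thread's own configuration.
# Assumptions (adapt to your site): repository at /var/svn/repos,
# served at /svn/repos; hypothetical LDAP URL and bind account.
<Location /svn/repos>
    DAV svn
    SVNPath /var/svn/repos

    AuthType Basic
    AuthName "Subversion repository"
    AuthBasicProvider ldap
    # Hypothetical directory. Active Directory normally refuses anonymous
    # searches, so a low-privilege bind account is assumed here; keep the
    # password out of world-readable config (chmod 640, root:apache).
    AuthLDAPURL "ldap://ldap.domainname.com/DC=domainname,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-svn-ro,OU=Service Accounts,DC=domainname,DC=com"
    AuthLDAPBindPassword "replace-me"
    # AD group membership is a list of member DNs; these are the 2.2
    # defaults (member/uniquemember, DN comparison) stated for clarity.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Read methods (the four SVN read methods named in the thread, as
    # documented for Subversion 1.5): any authenticated user.
    # Scoped with <Limit> rather than placed bare in the Location block,
    # because in 2.2 all applicable Require lines are ORed and a bare
    # "Require valid-user" would also satisfy the write methods below.
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </Limit>

    # Everything else (PUT, DELETE, MKCOL, MERGE, ...): project group only.
    # The DN is quoted because it contains a space ("PRJ FP-Development").
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group "CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com"
    </LimitExcept>
</Location>
```

To verify, authenticate as a user who is not in the group: a read such as `svn ls https://host/svn/repos/` should succeed, while a write such as `svn mkdir -m "authz probe" https://host/svn/repos/probe` should be refused; if it is not, or if group members are also refused, the reason is logged in the Apache error log (raise LogLevel to debug while testing, which makes mod_authnz_ldap report the group comparison it performed). The set of read-only methods depends on the Subversion release in use; check the svnbook section linked above for the version you run before copying the method list.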
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2362757
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-06-17 13:09:27 CEST