
RE: Limiting permission's

From: Patricia A Moss <pmoss4_at_csc.com>
Date: Wed, 17 Jun 2009 08:27:07 -0400

> -----Original message-----
> From: Patricia [mailto:]
> Sent: Wednesday, 17 June 2009 12:36
> To: Johan Corveleyn
> Subject: RE: Limiting permission's
>
>
> > I think you misunderstand the Limit and LimitExcept directives. These
> > are Apache directives, and you can find what they mean at
> > http://httpd.apache.org/docs/2.2/ . They can be used to limit access
> > (read/write) for groups of people to the repository as a whole (you
> > can't use them to do "path-based authorization")
> >
> > You have to understand that the HTTP (WEBDAV) methods GET, OPTIONS,
> > PROPFIND and REPORT are the ones that SVN uses to read stuff. To write
> > stuff it also needs access to other methods, like PUT, DELETE, ...
> >
> > The Limit section literally says: apply the underlying restrictions to
> > the listed methods.
> > The LimitExcept section literally says: apply the underlying
> > restrictions to any http method, *except* to the listed methods.
> >
> > The way you have it configured, you really say:
> > - restrict access to SVN's read methods to group CN=PRJ FP-Development,...
> > - restrict access to all other methods to that same group
> >
> > That's why the post of Jason Malinowski is correct: you could just as
> > well put the restriction of this group in the Location block itself.
> >
> > So I guess in the end, I don't understand what you're trying to do,
> > and what is going wrong (not as expected).
> > If you want everyone to have read access, but only your special group
> > to have write access, you should just remove the "Limit" block from
> > the config sample you posted. The "LimitExcept" block with the "Require
> > ldap-group" will make sure that all write methods (i.e. all of them
> > except get, propfind, options and report) are restricted to that
> > group.
> >
> > Hope this helps...
> > Regards,
> > Johan
>
>
> Johan -
> This TOTALLY helps me. Thank you.
> What I want to do is to allow r/w access to only FP-Development. So, if
> I understand what you are telling me above, I should only have one line
> and that should be:
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
> </LimitExcept>
> And this is saying limit read access to everyone except FP-Development,
> correct?

Close, but not exactly accurate. It's really saying "Limit write access
(i.e. everything except the read actions GET, PROPFIND, OPTIONS and
REPORT) to the group FP-Development". It doesn't impose any additional
restrictions on the read actions (get, propfind, ...). Those fall back on
any restrictions that you've already put in your Location block, as
general restrictions (in this case "Require valid-user", i.e. you have to
be authenticated to be able to read).

> I checked out the url that you sent; thank you. I didn't see anything
> about "GET, PROPFIND...etc". So I am not sure if my above line is
> allowing read and write or just read.

It's saying nothing about read (that's done by the Require valid-user in
the Location block), only restricting write access to that group.

GET, PROPFIND, ... are HTTP and WEBDAV "methods". You'd have to read some
articles or rfc's to get to know them thoroughly, and to find out how SVN
uses them. Anyway, in this case all you need to know is that those 4
methods are the "read" ones for SVN. And by limiting all the others (the
"non-read"=write ones), you effectively limit write access. It's more or
less described (with an example Apache config) in the SVN book:
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.blanket

Maybe one more caveat you might run into: your ldap-group has a space in
it. I'm not exactly sure, but you might have to put it between double
quotes after the "Require ldap-group" directive to make it work. Some
experimentation will help you figure that out. If it doesn't work as
expected, be sure to take a look at the apache error logs to find out
why...

(oh and one more thing: best to keep the list in cc when replying, so
others can follow in case anyone's still interested)

Regards,
Johan

I apologize that it is taking me forever to understand this. I am getting
confused and the more that I read the more that I am not sure.
Currently everyone, with a domain account, has access to the repository.
That is not what I want. I want only the members of the development group
to have access to the repository.
So, if I want just the development group to have write access to the
repository (and no one else can read), I need to remove the Require
valid-user from my location block as well as put quotation marks around my
group name. My config file should, then, look like this:

<Location /zorch>
  dav svn
  SVNPath /disk01/home/zorch
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName "Subversion Repository"
  AuthLDAPBindDN CSCNET\svnaccount
  AuthLDAPBindPassword svnpasswd
  AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require ldap-group CN="PRJ FP-Development",OU=U.S.,OU=Groups,DC=domainname,DC=com
  </LimitExcept>
</Location>

Or is this still allowing everyone to read, but only the group members can
write?
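Editor's note, added example (not part of the thread and not posted by either participant): the two access models discussed above, written out side by side as httpd 2.2 configuration so the difference is visible in one place. Directive values (the /zorch path, the bind account, the LDAP URL, the group DN) are the ones posted in the thread; the second Location path /zorch-private, its SVNPath, and all comments are assumptions of mine. The behaviour relied on is the httpd 2.2 merge rule for Require: a Require inside a <Limit> or <LimitExcept> section replaces the enclosing Location's Require for the methods that section covers, while the enclosing Require still governs every other method. The group DN is written unquoted with its embedded space, the form the mod_authnz_ldap documentation itself uses for ldap-group examples; comments sit on their own lines because httpd does not accept a comment after a directive on the same line.

```apache
# Added example (editor's, not from the thread). Values come from the
# configuration posted in the thread; the path /zorch-private, its
# SVNPath and these comments are assumptions.

# Variant A: every account that authenticates against the domain may
# READ; only members of PRJ FP-Development may WRITE.
<Location /zorch>
  DAV svn
  SVNPath /disk01/home/zorch
  AuthType Basic
  AuthName "Subversion Repository"
  AuthBasicProvider ldap
  AuthLDAPBindDN CSCNET\svnaccount
  AuthLDAPBindPassword svnpasswd
  AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
  AuthzLDAPAuthoritative off

  # Governs GET, PROPFIND, OPTIONS and REPORT, the four methods the
  # Subversion client uses to read (checkout, update, log, ls, diff):
  # any authenticated account may read.
  Require valid-user

  # Governs every other method (PUT, DELETE, MKCOL, COPY, MOVE, MERGE,
  # CHECKOUT, MKACTIVITY, PROPPATCH, LOCK, UNLOCK), i.e. what a commit
  # or lock needs. For these methods this Require replaces the outer
  # "Require valid-user", so only the group may write.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
  </LimitExcept>
</Location>

# Variant B: only members of PRJ FP-Development may READ or WRITE; every
# other account is rejected on every method. The same group is required
# for all methods, so no Limit/LimitExcept block is needed: the group
# requirement goes directly into the Location, and there is no
# "Require valid-user" left that would let other accounts read.
<Location /zorch-private>
  DAV svn
  SVNPath /disk01/home/zorch-private
  AuthType Basic
  AuthName "Subversion Repository"
  AuthBasicProvider ldap
  AuthLDAPBindDN CSCNET\svnaccount
  AuthLDAPBindPassword svnpasswd
  AuthLDAPURL ldap://servername:3268/DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
  AuthzLDAPAuthoritative off

  Require ldap-group CN=PRJ FP-Development,OU=U.S.,OU=Groups,DC=domainname,DC=com
</Location>
```

To check which model a running server actually enforces, run `apachectl configtest` after editing, then try two operations with a domain account that is not in the group: a read such as `svn ls https://server/zorch` and a write such as `svn mkdir -m "test" https://server/zorch/probe`. Under variant A the read succeeds and the write is rejected; under variant B both are rejected. When a group check fails unexpectedly, the Apache error log records the reason mod_authnz_ldap gave, which is the quickest way to tell a DN typo from a real membership problem.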

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2362778

Received on 2009-06-17 14:28:21 CEST

This is an archived mail posted to the Subversion Users mailing list.
