Well, After lurking on this list for a year or so, this access system seems to be a problem for many users. It seems that there are all sorts of strange behaviour going on and one has to try all sorts of combinations before you find something working the way you want it to.
We had a situation a bit different from you. We wanted subfolders to be rw access controlled for a group of users, and give no access to the rest of the repository to that group of users. We found out that all users needed r access to topfolder in the repos to be able to create tags (why I don't know?). So the way we ended up setting things up was like this :
[java:/]
*=r
@admin=rw
[java:/xx/yy]
@admin=rw
@yy=rw
~yy =
continuum=r
[java:/xx/zz]
@admin=rw
@zz=rw
~zz =
continuum=r
I have not been able to find a detailed explanation as to how this access system really works, what overrides what etc. so someone with a deep knowledge of this should try and document it properly.
As a matter of fact, the ~construct was only discovered by me looking through the source to try and find out how this really worked. It is not documented in the SVN book!
Geir
-----Original Message-----
From: Gabriel Ricardo [mailto:gabriel.ricardo_at_gmail.com]
Sent: 16. desember 2009 20:36
To: users_at_subversion.apache.org
Subject: restricting sub-directory permissions
I cannot figure out how to restrict permissions on a sub-directory.
What I want is to have anonymous read/write access to everything
except a sub-directory, where only two users have read/write and
everyone else has no access (read or write). I've done a lot of
reading of the manual and googling the users list but can't find
anything that solves my problem.
Much appreciated if someone can point out my mistake.
I'm using Redhat 5.2, which comes with subversion 1.4.2 (r22196). and
apache 2.2.3
I have one repository at /usr/local/vn7/repos
The relevant parts of my httpd.conf looks like this
# SVN setup
<Location /svn>
DAV svn
SVNPath /usr/local/vn7/repos
# our access control policy
AuthzSVNAccessFile /usr/local/vn7/etc/svn_auth_paths
# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /usr/local/vn7/etc/svn_auth_users
</Location>
My AuthUserFile looks like this:
[/]
* = rw
[/Delta/trunk/qsrc/strategies]
mchen = rw
gricardo = rw
* =
I want to restrict the /Delta/trunk/qsrc/strategies directory to only
have the two users mentioned in the file to access it.
What happens is that when I update (svn update) from the
Delta/trunk/qsrc directory of a "working copy" as user gricardo (or
any other user), I do not get the updates for the strategies
directory.
I don't get any prompt asking for password, or any permission error
messages, it just does a normal update but doesn't seem to know
anything about the sub-directory of interest.
I don't get any errors in the httpd log files. The httpd access_log has this
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND
/svn/Delta/trunk/qsrc HTTP/1.1" 207 698 "-" "SVN/1.4.2 (r22196)
neon/0.25.5"
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND
/svn/!svn/vcc/default HTTP/1.1" 207 390 "-" "SVN/1.4.2 (r22196)
neon/0.25.5"
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND
/svn/!svn/bln/376 HTTP/1.1" 207 445 "-" "SVN/1.4.2 (r22196)
neon/0.25.5"
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "PROPFIND
/svn/Delta/trunk/qsrc HTTP/1.1" 207 698 "-" "SVN/1.4.2 (r22196)
neon/0.25.5"
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] "REPORT
/svn/!svn/vcc/default HTTP/1.1" 200 4247 "-" "SVN/1.4.2 (r22196)
neon/0.25.5"
The weird thing is if I change the path in the AuthUserFile to this
(add a forward slash at the end of the path):
[/Delta/trunk/qsrc/strategies/]
...then I can update and get the directory and changes under it, but
as ANY user. It does not restrict access.
I've tried re-ordering the user/anonymous permissions lines, and I
just cannot get the behavior I want.
I can get other types of restricted asses to work. For example, I can
restrict the entire repo to only have user gricardo = rw. This works,
and it prompts user gricardo for a password and then allows
updates/commits, etc....
Please help.
Thanks,
-Gabriel
Received on 2009-12-17 11:46:25 CET