[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Problem implementing path-based authorization with authz

From: Brian Topping <topping_at_codehaus.org>
Date: Sat, 9 Jan 2010 01:19:05 -0500

Hello all,

I've been wrestling with getting authz setup in a way that must be somewhat unconventional all week and was hoping someone here on the list might be able to offer some insight. The environment is Apache httpd 2.2.3, mod_dav_svn 1.6.6, and Subversion 1.6.6. My configs follow.

So far, most of the docs that I've seen on authz start by granting read access to everyone at the root of the tree, then subtracting authorizations to specific sensitive directories. My concern with this is that this allows people to lazily create directories without considering that they might be granting access to any valid user.

Instead, I would like to configure path-based access to deny access to all non-root directories, then rely on specific grants to individual directories based on group.

I have groups working fine, but as soon as I lock down the root directory, my svn client gets the following problem:

> Username: svn: PROPFIND of '/repos/project/!svn/vcc/default': authorization failed: Could not authenticate to server: rejected Basic challenge (https://dev.host.net)

I understand about the metadata located at !svn. So I added:

> [/project/!svn]
> * = r

But this doesn't seem to do anything. I still get the first error.

Is there a way to do what I am trying to do?

I have exhaustively tested that the AuthHandler is doing asking the right questions of the authentication broker and is able to recover the correct user and group mappings.

Note that I am using Atlassian's Crowd-based auth. This is a fork of standard authz to patch Crowd users and groups in, but it would be easy for me to convert to direct LDAP if necessary.

/etc/httpd/conf.d/subversion.conf:

> <Location /repos>
>
> LoadModule perl_module modules/mod_perl.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
>
> # Uncomment this to enable the repository
> DAV svn
>
> # Set this to the path to your repository
> SVNParentPath /var/www/svn/
>
> SSLRequireSSL
>
> AuthName crowd
> AuthType Basic
>
> PerlAuthenHandler Apache::CrowdAuth
> PerlSetVar CrowdAppName subversion
> PerlSetVar CrowdAppPassword xxx
> PerlSetVar CrowdSOAPURL https://dev.host.net/crowd/services/SecurityServer
>
> PerlAuthzHandler Apache::CrowdAuthz
> PerlSetVar CrowdAuthzSVNAccessFile /var/www/svn/access
>
> require valid-user
>
>
> </Location>
>

/var/www/svn/access
> [/project/!svn]
> * = r
>
> [/project/trunk/project-web]
> @project-web-developer = rw

Cheers, Brian
Received on 2010-01-09 07:19:44 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.