[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Trouble with authorization

From: K F <cmkforce_at_yahoo.com>
Date: Fri, 7 May 2010 08:43:03 -0700 (PDT)

> > From: K F [mailto:cmkforce_at_yahoo.com]
> > Sent: 05 May 2010 20:43
> >
> > The repo in on a Unix box located at svnrepo/sandbox
> > accessing via tortoise on a windows machine with the latest
> > releases. When I try to do a commit as user dev1, psswd dev1,
> > I get the following error:
> > 
> > Command: Commit
> > Error: Commit failed (details follow): 
> > Error: Authorization failed 
> > Finished!:   
> > 
> > I am not sure what is wrong. I did some searching on the web
> > and can't find anything wrong with what I am doing. Here is
> > what I have in the pertinent files.
> > 
> > passwd file:
> > dev1 = dev1
> > dev2 = dev2
> > dev3 = dev3
> > 
> > authz file:
> > [aliases]
> > 
> > [groups]
> > deva = dev1, dev2
> > devb = dev3
> > 
> > [svnrepo/sandbox:/]
> > deva = rw
> > devb = r
>
> Personally I had some issues with using [groups] that I
> unfotunately did
> not have time to resolve.  I suggest that you start by using the
> usernames (dev1 etc) directly in the authz file to test:
>
> Also, I think that [svnrepo/sandbox:/] is wrong.  I would only ever
> expect to see one name before the slash (a specific repo in a
> parentpath
> setup) then the path within the repo comes after the ":/". 
>
> [sandbox:/]
> dev1 = rw
> dev2 = rw
> dev3 = r
>
> If you only have one repo / are not using parentpath then you can just
> set the default global access level:
>
> [/]
> dev1 = rw
> dev2 = rw
> dev3 = r
>
> Are you using parentpath in your setup?  Unless your client
> is 1.6.11+,
> you need to grant read access to the root (you do seem to be
> doing that,
> just thought it worth mentioning).
>
> Finally, a link to path-based authorization in the nightly red book:
>
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.h  
tml
>
>
> ~ mark c
>
> > svnserve.conf file:
> > [general]
> > anon-access=none
> > auth-access=write
> > 
> > password-db=passwd
> > 
> > authz-db=authz
> >

> From: K F [mailto:cmkforce_at_yahoo.com]
> Sent: 06 May 2010 13:36
>
> Mark,
>
> I looked at the link you offered for Path-Based Authorization
> and really didn't see anything that I haven't tried. Based on
> your suggestions, to get it to work I am not using groups and
> am simply using the usernames.
>
> [/]
> dev1 = rw
> dev2 = rw
> dev3 = r
>
> As you can see I am also using the global level access. This
> all seems to work. I would still like to try and get the
> groups to work if anyone has any other ideas.
>
> Thanks,
> Rich
>
Dang!  I missed the obvious problem which is that according to the Red
Book link you need to prefix group names with '@' which gives:-

> authz file:
> [aliases]

> [groups]
> deva = dev1, dev2
> devb = dev3

> [svnrepo/sandbox:/]
> @deva = rw
> @devb = r

...let me know if it works!

(and for completeness: Aliases need to be prefixed by '&' which does
work for me)  Hmm, perhaps my problem with groups was trying to create
groups just of aliases e.g.

[aliases]
user1=joe90
user2=adameve
user3=spod

[groups]
devs=&user1, &user2
test=&user2, &user3

[/]
@devs = rw
@test = r

Can anyone else confirm if this should /does (not) work?

~ mark c

Mark,

I had seen that in the book also and tried it with no luck. My latest try was:

[aliases]
dev10 = dev1
dev20 = dev2
dev30 = dev3

[groups]
deva = &dev10, &dev20
devb = &dev30

[/]
&deva = rw
&devb = r

This returns an error on commit of:
Error: Commit failed (details follow): 
Error: An authz rule refers to alias '&deva', which is undefined 

Still looking at it to see if it something I am just missing sometjhing or doing something wrong.

Rich

===========

So I inserted an & instead of a @ at the bottom and that fixed things.

@deva = rw
@devb = r

Just to clarify, in order to use authz you need to set up aliases? Unless I set aliases up it doesn't appear to work. Looking at the book, I do not see why aliases are required. If anyone can explain the reasoning or explain why I am wrong I would appreciate it.

Thanks,
Rich
Received on 2010-05-07 17:43:34 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.