[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion access control

From: Geoff Hoffman <ghoffman_at_cardinalpath.com>
Date: Wed, 20 Jul 2011 08:27:53 -0700

Andy,

I thought you were off Apache and onto svnserve. Anyway, I sent you this
info last week - maybe you missed it. It is pasted again below. I will
grant to you that it is tricky to set up. The david winter blog post below
spells it out perfectly... for a single repo setup, multiple users. For
multi-user, multi-repo setup see my pasted config files below. One thing to
note that is confusing is that if your repos are at /subversion/repos/repo1
your <Location /svn> stays the same. The /svn bit there is what appears in
the URL address bar, its not a filesystem path.

I have 10 repositories, project1 through project10, physically located on
Ubuntu filesystem at
/svn/project1
/svn/project2
...
/svn/project10

Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come with
the file. This was installed using apt-get on Ubuntu 10.04 LTS.)

<Location /svn>
  # Uncomment this to enable the repository
  DAV svn

  # Set this to the path to your repository
  #SVNPath /svn
  # Alternatively, use SVNParentPath if you have multiple repositories under
  # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
  # You need either SVNPath and SVNParentPath, but not both.
  SVNParentPath /svn
  SVNListParentPath on

  # From
http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl

  #Order deny,allow
  Deny from all
  Satisfy any

  # Access control is done at 3 levels: (1) Apache authentication, via
  # any of several methods. A "Basic Auth" section is commented out
  # below. (2) Apache <Limit> and <LimitExcept>, also commented out
  # below. (3) mod_authz_svn is a svn-specific authorization module
  # which offers fine-grained read/write access control for paths
  # within a repository. (The first two layers are coarse-grained; you
  # can only enable/disable access to an entire repository.) Note that
  # mod_authz_svn is noticeably slower than the other two layers, so if
  # you don't need the fine-grained control, don't configure it.

  # Basic Authentication is repository-wide. It is not secure unless
  # you are using https. See the 'htpasswd' command to create and
  # manage the password file - and the documentation for the
  # 'auth_basic' and 'authn_file' modules, which you will need for this
  # (enable them with 'a2enmod').

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd

  # To enable authorization via mod_authz_svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.authz

  # The following three lines allow anonymous read, but make
  # committers authenticate themselves. It requires the 'authz_user'
  # module (enable it with 'a2enmod').
  #<LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
  #</LimitExcept>
</Location>

Now, here is my /etc/apache2/dav_svn.authz file.

[groups]
group1 = usera, userb, userc, userd, usere
group2 = userc, userb
group3 = userf, userg
group4 = usera, userb, userc, userd, usere, userf
group5 = userh

[/]
@group1 = rw
@group2 =
@group3 =
@group4 =
@group5 =

[project1:/]
@group1 = rw

[project2:/]
@group1 = rw
userg = rw
userf = rw

[project4:/]
@group1 = rw

[project5:/]
@group11 = rw

[project6:/]
@group1 = rw
@group5 = rw

[project7:/]
@group1 = rw

[project8:/]
@group1 = rw

[project9:/]
@group1 = rw

[project10:/]
@group1 = rw
@group4 = rw

There is no need to send you the dav_svn.passwd - it merely lists usera
through userh with their hashed password. You use the htpasswd program to
set your users up.

Here is the email I sent before...

I read (skimmed) all your posts, and I'm a little confused but I think I
know where you're going. I'm not sure if you're using Apache to serve your
repositories. If you are, you should check out this:
http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/

and this https://help.ubuntu.com/community/Subversion

I recently followed the blog above and got everything setup how I think you
want it. You can control user access to multiple repos in three ways, the
blog explains it all, except one thing. I found that this is for
folder-level control on one repository:

[/]
@team = r
bob = rw

[/wowapp/trunk]
@team = r
@devteam = rw
brenda = rw

In my authz control file, multiple repositories are done like this (note the
repo name and colon):

[repoA:/]
@team = r
bob = rw

[repoB:/]
@team = r
@devteam = rw
brenda = rw

I also put websvn on it, and use the configuration option

$config->useAuthenticationFile('/path/to/your/authz/file');
which I found on this stackoverflow
QA<http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn>
.
http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn
Received on 2011-07-20 17:28:34 CEST

This is an archived mail posted to the Subversion Users mailing list.