
Re: Subversion access control

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Fri, 22 Jul 2011 13:19:42 +0700

Thank you very much

On 07/20/2011 10:27 PM, Geoff Hoffman wrote:
> Andy,
>
> I thought you were off Apache and onto svnserve. Anyway, I sent you
> this info last week - maybe you missed it. It is pasted again below.
> I will grant to you that it is tricky to set up. The David Winter blog
> post below spells it out perfectly... for a single repo setup,
> multiple users. For multi-user, multi-repo setup see my pasted config
> files below. One thing to note that is confusing is that if your repos
> are at /subversion/repos/repo1 your <Location /svn> stays the same.
> The /svn bit there is what appears in the URL address bar, it's not a
> filesystem path.
>
> I have 10 repositories, project1 through project10, physically located
> on Ubuntu filesystem at
> /svn/project1
> /svn/project2
> ...
> /svn/project10
>
>
> Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come
> with the file. This was installed using apt-get on Ubuntu 10.04 LTS.)
>
> <Location /svn>
> # Uncomment this to enable the repository
> DAV svn
>
> # Set this to the path to your repository
> #SVNPath /svn
> # Alternatively, use SVNParentPath if you have multiple repositories
> # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
> # You need either SVNPath and SVNParentPath, but not both.
> SVNParentPath /svn
> SVNListParentPath on
This was the line missing from my config file; it allows me to see the
overall picture. Thanks!
>
> # From http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl
>
> #Order deny,allow
> Deny from all
> Satisfy any
Makes sense. I changed mine to fit yours.
>
> # Access control is done at 3 levels: (1) Apache authentication, via
> # any of several methods. A "Basic Auth" section is commented out
> # below. (2) Apache <Limit> and <LimitExcept>, also commented out
> # below. (3) mod_authz_svn is a svn-specific authorization module
> # which offers fine-grained read/write access control for paths
> # within a repository. (The first two layers are coarse-grained; you
> # can only enable/disable access to an entire repository.) Note that
> # mod_authz_svn is noticeably slower than the other two layers, so if
> # you don't need the fine-grained control, don't configure it.
>
> # Basic Authentication is repository-wide. It is not secure unless
> # you are using https. See the 'htpasswd' command to create and
> # manage the password file - and the documentation for the
> # 'auth_basic' and 'authn_file' modules, which you will need for this
> # (enable them with 'a2enmod').
>
> AuthType Basic
> AuthName "Subversion Repository"
> AuthUserFile /etc/apache2/dav_svn.passwd
>
> # To enable authorization via mod_authz_svn
> AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>
> # The following three lines allow anonymous read, but make
> # committers authenticate themselves. It requires the 'authz_user'
> # module (enable it with 'a2enmod').
> #<LimitExcept GET PROPFIND OPTIONS REPORT>
> Require valid-user
> #</LimitExcept>
> </Location>
>
>
> Now, here is my /etc/apache2/dav_svn.authz file.
>
>
> [groups]
> group1 = usera, userb, userc, userd, usere
> group2 = userc, userb
> group3 = userf, userg
> group4 = usera, userb, userc, userd, usere, userf
> group5 = userh
>
>
> [/]
> @group1 = rw
> @group2 =
> @group3 =
> @group4 =
> @group5 =
>
> [project1:/]
> @group1 = rw
>
> [project2:/]
> @group1 = rw
> userg = rw
> userf = rw
>
> [project4:/]
> @group1 = rw
>
> [project5:/]
> @group11 = rw
>
> [project6:/]
> @group1 = rw
> @group5 = rw
>
> [project7:/]
> @group1 = rw
>
> [project8:/]
> @group1 = rw
>
> [project9:/]
> @group1 = rw
>
> [project10:/]
> @group1 = rw
> @group4 = rw
>
I notice that you don't have any entries that read "... = r"; everyone
who can read can write also. No need?

> There is no need to send you the dav_svn.passwd - it merely lists
> usera through userh with their hashed password. You use the htpasswd
> program to set your users up.
>
> Here is the email I sent before...
>
> I read (skimmed) all your posts, and I'm a little confused but I think
> I know where you're going. I'm not sure if you're using Apache to
> serve your repositories. If you are, you should check out this:
> http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/
>
> and this https://help.ubuntu.com/community/Subversion
>
> I recently followed the blog above and got everything set up how I
> think you want it. You can control user access to multiple repos in
> three ways, the blog explains it all, except one thing. I found that
> this is for folder-level control on one repository:
>
> [/]
> @team = r
> bob = rw
>
> [/wowapp/trunk]
> @team = r
> @devteam = rw
> brenda = rw
>
> In my authz control file, multiple repositories are done like this
> (note the repo name and colon):
>
> [repoA:/]
> @team = r
> bob = rw
>
> [repoB:/]
> @team = r
> @devteam = rw
> brenda = rw
>
> I also put websvn on it, and use the configuration option
Looks interesting; I installed it. Lots of configuration to do; will do
later.
>
> $config->useAuthenticationFile('/path/to/your/authz/file');
>
> which I found on this stackoverflow QA
> <http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn>.
>
Whoops! I did it, but it doesn't look right. Having recently learned the
difference between 'authentication' (who are you?) and 'authorization'
(what are you allowed to do?), I jumped at setting the authentication
file to an authorization file. Sure, it must work, but why?

Again, thank you for everything.
Received on 2011-07-22 08:20:34 CEST

This is an archived mail posted to the Subversion Users mailing list.
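
An added example, not part of the original message and not Subversion's own code: a small Python lint over an abridged excerpt of the dav_svn.authz quoted above. It lists rules that name a group missing from `[groups]` (the `[project5:/]` rule names `@group11`) and expands one section's rules to users. The function names are hypothetical, and the expansion covers only a section's own lines, not mod_authz_svn's path inheritance.

```python
import configparser

# Excerpt (abridged) of the dav_svn.authz quoted in the message above.
AUTHZ = """\
[groups]
group1 = usera, userb, userc, userd, usere
group3 = userf, userg
group5 = userh

[/]
@group1 = rw
@group3 =

[project5:/]
@group11 = rw

[project6:/]
@group1 = rw
@group5 = rw
"""

def parse_authz(text):
    """Return (groups, rules): group -> members, section -> {subject: access}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names as written; configparser lowercases keys
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",") if m.strip()}
              for g, v in cp.items("groups")} if cp.has_section("groups") else {}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def undefined_groups(groups, rules):
    """(section, group) pairs whose rule names a group absent from [groups]."""
    return [(s, subj[1:]) for s, acl in rules.items() for subj in acl
            if subj.startswith("@") and subj[1:] not in groups]

def users_granted(groups, rules, section):
    """Expand one section's own lines to user -> set of access strings."""
    out = {}
    for subj, access in rules[section].items():
        members = groups.get(subj[1:], set()) if subj.startswith("@") else {subj}
        for user in members:
            out.setdefault(user, set()).add(access)
    return out

if __name__ == "__main__":
    groups, rules = parse_authz(AUTHZ)
    print(undefined_groups(groups, rules))
    print(users_granted(groups, rules, "project6:/"))
```
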