[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How to control access of a subversion repo subfolder via AD groups

From: Ankush Grover <ankushcentos_at_gmail.com>
Date: Fri, 11 Jul 2014 12:10:15 +0530

Thanks Ben & Eric. I have now configured subversion through mod_authz file
through the script available at
http://thoughtspark.org/2009/01/20/using-ldap-groups-with-subversion-s-authz-file/.
Thank a lot for sharing the link and it is working as per the expectation.

Thanks once a again.

On Thu, Jul 10, 2014 at 3:03 AM, Eric Johnson <eric_at_tibco.com> wrote:

> I'll add that where we've deployed Subversion access controls, we use
> mod_authz_svn, and generate its contents from other sources. Not that hard
> to scan AD, and generate group information that can be stuffed into the
> access file.
>
> Eric
>
>
> On Wed, Jul 9, 2014 at 12:56 PM, Ben Reser <ben_at_reser.org> wrote:
>
>> On 7/7/14 3:56 AM, Ankush Grover wrote:
>> > I am trying to setup Subversion authentication through Active Directory
>> > authentication and authorization through Active Directory
>> groups.Everything is
>> > working fine but the issue I am facing is when I want to restrict
>> access to
>> > subdirectorys of a subversion repository. For ex: there is a repo with
>> a name
>> > "ankushtest" and it has a subdirectory "test", now I want some users
>> which are
>> > in AD group to be able to read or commit to subdirectory "test" only.
>> This
>> > access is working fine through SVN clients like Tortoise etc.. but when
>> I try
>> > to open the same on a browser, the user which has access only to
>> subdirectory
>> > "test" is able to see the all the directorys or files under repo
>> "ankushtest".
>> > How this is working is like that, if a user types the complete url for
>> the
>> > "test" directory like http://svn.example.com/src/ankushtest/test" then
>> browser
>> > is showing the all the files & directorys of a repo.
>> > In the Apache logs I see the below warning whenever I click on the url
>> > http://svn.example.com/src/ankushtest/test" and this test directory on
>> the
>> > browser shows all the files & directorys whereas this directory has
>> only 1 file
>> > and a sub-directory in it.
>> >
>> > Mon Jul 07 14:21:47 2014] [warn] mod_dav_svn: nested Location
>> > '/src/ankushtest/test' hinders access to 'test1' in SVNPath Location
>> > '/src/ankushtest'
>>
>> You should only have a single Location block for your repository. That
>> warning
>> message is telling you as much. When you use multiple Location blocks
>> like
>> this then the "/src/ankushtest" and the "/src/ankushtest/test" both are
>> Locations that point at the root of the repository.
>>
>> The reason you're seeing this work with a Subversion client is because the
>> Subversion client often accesses things under the root of the repository
>> with
>> opaque URLs which still go through the "/src/ankushtest" Location block
>> rather
>> than the "/src/ankushtest/test" Location.
>>
>> If you want to do path based access control within the repository you
>> must use
>> mod_authz_svn to do this. It knows how to handle the opaque URLs and
>> properly
>> provide access control. Beyond opaque URLs there are also requests that
>> provide details for child paths other than just the path the request uses
>> in
>> the HTTP request-line, which is all that would be matched by Location.
>>
>> Setting up mod_authz_svn is generally described in the SVN Book here:
>>
>> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
>>
>> Unfortunately, using mod_authz_svn is complicated by your desire to use AD
>> groups. The group membership that Apache httpd uses is not available to
>> mod_authz_svn, this is just a limitation of the way Apache httpd
>> authentication
>> and authorization works.
>>
>> So in order to do what you want you need to provide the group membership
>> information to mod_authz_svn separately. This is done by adding the
>> [groups]
>> section to the AccessFile. Obviously maintaining this by hand is tedious
>> so
>> people usually automate this.
>>
>> It's popular to use this tool to do that automation:
>>
>> http://thoughtspark.org/2009/01/20/using-ldap-groups-with-subversion-s-authz-file/
>>
>> Though there are also commercial products that can do this and much more
>> such
>> as WANDisco's Access Control product:
>> http://wandisco.com/subversion/accesscontrol
>>
>> I suspect there are other commercial products that can manage this for
>> you as
>> well though I'm not as familiar with their features (full disclosure I
>> work for
>> WANdisco).
>>
>> If you don't go the route of a commercial product to manage this I'd
>> suggest
>> that you do the following things beyond just using mod_authz_svn.
>>
>> * Include the "SVNPathAuthz short_circuit" directive in your Location
>> blocks
>> for SVN. This avoids running authentication/authorization processing as
>> sub-requests for paths that aren't in the request-line but that must be
>> accessed to service the request. The default uses much more expensive
>> sub-requests, which while secure for any configuration are much more
>> expensive.
>> Almost not configurations actually need the default setting.
>>
>> * You mention that you're using Subversion 1.7, but Subversion 1.8 adds
>> the
>> AuthzSVNGroupsFile directive that permits this group data to be in a
>> separate
>> file from your access configuration. This should make it easier to
>> configure.
>>
>
>
Received on 2014-07-11 08:40:45 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.