[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Path-Based Authorization behaves differently with SVNParentPath vs. SVNPath

From: Chris Dailey <darcmarc_at_gmail.com>
Date: Mon, 30 Mar 2020 17:27:09 -0400

Hello all,

I'm attempting to move a set of repositories over to using SVNParentPath
for some much needed organization. Currently with our setup, we've got a
separate <Location>, each with it's own SVNPath, basic auth, and
AuthzSVNAccessFile, and everything works like I'd expect. However, moving
to a single <Location>, using SVNParentPath, users with limited permissions
get different responses to the same requests.

I apologize for being verbose, but I'm trying to be thorough and believe
I've checked each spot I might have gone wrong.

My old svn locations are /svn/svn1oldname/, /svn/svn2/. I'm moving them to
/repos/(svn1|svn2)/

Currently, the setup looks like this:
<Location /svn/svn1/>
    DAV svn
    SVNPath /home/user/repos/svn1
    SVNReposName svn1oldname
    AuthzSVNAccessFile /home/user/repos/authz
    # basic auth omitted for brevity
</Location>
<Location /svn/svn2/>
    DAV svn
    SVNPath /home/user/repos/svn2
    # no SVNReposName, name isn't changing.
    AuthzSVNAccessFile /home/user/repos/authz
    # basic auth omitted for brevity
</Location>

The setup I'm attempting to move to (and actually have going side-by-side
at the moment, though removing the others help,) is:

<Location /repos/>
    DAV svn
    SVNParentPath /home/user/repos
    SVNListParentPath On
    # basic auth omitted for brevity
    AuthzSVNAccessFile /home/eaiuser/repos/authz
</Location>

Both repos are sharing the same AuthUserFile and AuthzSVNAccessFile. authz
looks as such:

[groups]
admin = userS
one = userA, userB
two = userA, userB, userC
two-readonly = userRO

[/]
$anonymous =
@admin = rw

[svn1:/]
@one = rw

[svn1oldname:/]
@one= rw

[svn2:/]
@two = rw
@two-readonly =

[svn2:/AllowedPathA]
@two-readonly = r

[svn2:/AllowedPathB]
@firmware-readonly = r

Now, the behavior.

userS: Can GET all urls as you'd expect.
userA: Can GET /svn/svn1oldname/, /svn/svn2/, /repos/ (sees both
repositories in the list), /repos/svn1/, /repos/svn2/, as expected.
Effectively the same as userS, but only listed in @one and @two.

userRO is where things get funny.

userRO: Can GET /svn/svn1oldname/ but sees only the repo name and revision
userRO: Can GET /svn/svn2/ and sees repo name, revision, AllowedPathA, and
AllowedPathB. This is the behavior I expect.
userRO: Can GET /repos/ (the 'collection list), but sees *no* repositories.
userRO: Attempting to GET /repos/svn1/ gets a 403 response. Not the same
behavior as on /svn/svn1oldname/, but completely acceptable (and honestly
would be preferred, I think.)
userRO: Attempting to GET /repos/svn2/ ... also gets a 403 response. This
was unexpected to me, based on how /svn/svn2/ behaved.
userRO: Attempting to GET /repos/svn2/AllowedPathA/ Works. Responds as
expected, so the permission *does* seem to be getting applied properly, but
the visibility of higher requests isn't working in the same way, so unless
I actually tell userRO to act individually on each of the allowed paths,
they'll never know what they have access too through this manner.

I have confirmed this is the behavior using subversion 1.9.7. As that was
the latest available from my distro's repo, I had to build 1.13.0 myself,
and the behavior is the same across the versions. I haven't yet tried on
the 1.14.x branch, as I don't see any notes about behavior such as this.

Thanks everyone.

Cheers,

Chris
Received on 2020-03-31 00:59:45 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.