subversion-users mailing list archives

From Andy Canfield <andy.canfi...@pimco.mobi>
Subject Re: Subversion access control
Date Fri, 22 Jul 2011 06:19:42 GMT
Thank you very much

On 07/20/2011 10:27 PM, Geoff Hoffman wrote:
> Andy,
>
> I thought you were off Apache and onto svnserve. Anyway, I sent you 
> this info last week - maybe you missed it.  It is pasted again below. 
> I will grant to you that it is tricky to set up. The David Winter blog 
> post below spells it out perfectly... for a single repo setup, 
> multiple users. For multi-user, multi-repo setup see my pasted config 
> files below. One thing to note that is confusing is that if your repos 
> are at /subversion/repos/repo1 your <Location /svn> stays the same. 
> The /svn bit there is what appears in the URL address bar, it's not a 
> filesystem path.
>
> I have 10 repositories, project1 through project10, physically located 
> on Ubuntu filesystem at
> /svn/project1
> /svn/project2
> ...
> /svn/project10
>
>
> Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come 
> with the file. This was installed using apt-get on Ubuntu 10.04 LTS.)
>
> <Location /svn>
>   # Uncomment this to enable the repository
>   DAV svn
>
>   # Set this to the path to your repository
>   #SVNPath /svn
>   # Alternatively, use SVNParentPath if you have multiple repositories under
>   # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
>   # You need either SVNPath and SVNParentPath, but not both.
>   SVNParentPath /svn
>   SVNListParentPath on
This was the line missing from my config file; it allows me to see the 
overall picture. Thanks!
>
>   # From http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl
>
>   #Order deny,allow
>   Deny from all
>   Satisfy any
Makes sense. I changed mine to fit yours.
>
>   # Access control is done at 3 levels: (1) Apache authentication, via
>   # any of several methods.  A "Basic Auth" section is commented out
>   # below.  (2) Apache <Limit> and <LimitExcept>, also commented out
>   # below.  (3) mod_authz_svn is a svn-specific authorization module
>   # which offers fine-grained read/write access control for paths
>   # within a repository.  (The first two layers are coarse-grained; you
>   # can only enable/disable access to an entire repository.)  Note that
>   # mod_authz_svn is noticeably slower than the other two layers, so if
>   # you don't need the fine-grained control, don't configure it.
>
>   # Basic Authentication is repository-wide.  It is not secure unless
>   # you are using https.  See the 'htpasswd' command to create and
>   # manage the password file - and the documentation for the
>   # 'auth_basic' and 'authn_file' modules, which you will need for this
>   # (enable them with 'a2enmod').
>
>   AuthType Basic
>   AuthName "Subversion Repository"
>   AuthUserFile /etc/apache2/dav_svn.passwd
>
>   # To enable authorization via mod_authz_svn
>   AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>
>   # The following three lines allow anonymous read, but make
>   # committers authenticate themselves.  It requires the 'authz_user'
>   # module (enable it with 'a2enmod').
>   #<LimitExcept GET PROPFIND OPTIONS REPORT>
>      Require valid-user
>   #</LimitExcept>
> </Location>
>
>
> Now, here is my /etc/apache2/dav_svn.authz file.
>
>
> [groups]
> group1 = usera, userb, userc, userd, usere
> group2 = userc, userb
> group3 = userf, userg
> group4 = usera, userb, userc, userd, usere, userf
> group5 = userh
>
>
> [/]
> @group1 = rw
> @group2 =
> @group3 =
> @group4 =
> @group5 =
>
> [project1:/]
> @group1 = rw
>
> [project2:/]
> @group1 = rw
> userg = rw
> userf = rw
>
> [project4:/]
> @group1 = rw
>
> [project5:/]
> @group11 = rw
>
> [project6:/]
> @group1 = rw
> @group5 = rw
>
> [project7:/]
> @group1 = rw
>
> [project8:/]
> @group1 = rw
>
> [project9:/]
> @group1 = rw
>
> [project10:/]
> @group1 = rw
> @group4 = rw
>
I notice that you don't have any entries that read "... = r"; everyone 
who can read can write also. No need?

> There is no need to send you the dav_svn.passwd - it merely lists 
> usera through userh with their hashed password. You use the htpasswd 
> program to set your users up.
>
> Here is the email I sent before...
>
> I read (skimmed) all your posts, and I'm a little confused but I think 
> I know where you're going. I'm not sure if you're using Apache to 
> serve your repositories. If you are, you should check out this: 
> http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/

>
> and this https://help.ubuntu.com/community/Subversion
>
> I recently followed the blog above and got everything set up how I 
> think you want it. You can control user access to multiple repos in 
> three ways, the blog explains it all, except one thing. I found that 
> this is for folder-level control on one repository:
>
> [/]
> @team = r
> bob = rw
>
> [/wowapp/trunk]
> @team = r
> @devteam = rw
> brenda = rw
>
> In my authz control file, multiple repositories are done like this 
> (note the repo name and colon):
>
> [repoA:/]
> @team = r
> bob = rw
>
> [repoB:/]
> @team = r
> @devteam = rw
> brenda = rw
>
> I also put websvn on it, and use the configuration option
Looks interesting; I installed it. Lots of configuration to do; will do 
later.
>
> $config->useAuthenticationFile('/path/to/your/authz/file');
>
> which I found on this stackoverflow QA 
> <http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn>.

Whoops! I did it, but it doesn't look right. Having recently learned the 
difference between 'authentication' (who are you?) and 'authorization' 
(what are you allowed to do?), I jumped at setting the authentication 
file to an authorization file. Sure, it must work, but why?

Again, thank you for everything.
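
Added example (not part of the original messages and not Subversion's own code): a small Python audit over a constructed, shortened copy of the authz file quoted above. It reports rules that name a group missing from [groups], such as the @group11 line under [project5:/], which Subversion's authz validation rejects, and it resolves a user's effective access with a simplified model of the lookup order (most specific path first, [repo:/path] before [/path], matching lines in one section combined). Aliases, nested groups and the ~ and $ tokens are not modelled, and all function names are hypothetical.

```python
import configparser

# Constructed sample: a shortened copy of the authz file quoted in the thread.
AUTHZ = """\
[groups]
group1 = usera, userb
group3 = userf, userg

[/]
@group1 = rw
@group3 =

[project2:/]
userg = rw

[project5:/]
@group11 = rw
"""

def load(text):
    """Parse authz text into ({group: members}, {section: {who: access}})."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def undefined_groups(groups, rules):
    """(section, group) for every @group a rule names but [groups] lacks."""
    return sorted((sec, who[1:]) for sec, r in rules.items()
                  for who in r if who[0] == "@" and who[1:] not in groups)

def matches(who, user, groups):
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who in ("*", user)

def access(groups, rules, repo, path, user):
    """Effective access ('', 'r' or 'rw') for user on repo:path (simplified)."""
    path = "/" + path.strip("/")
    while True:
        for sec in (f"{repo}:{path}", path):  # repo-specific section first
            hits = [v for w, v in rules.get(sec, {}).items() if matches(w, user, groups)]
            if hits:  # union of every matching line in this section
                return "".join(c for c in "rw" if any(c in h for h in hits))
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"
```

In this sample userg gets rw on project2 only through the repo-specific section; everywhere else the empty "@group3 =" line under [/] leaves that user with no access.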

