I have an Apache-based Subversion server that hosts multiple repositories and has been working just fine using Location stanzas that make use of Limit and LimitExcept sections, as shown below:
<Location "/svn/IAM/">
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=LDAP_ReadOnly
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=LDAP_ReadWrite
    </LimitExcept>
</Location>
Based on this, accounts that are in LDAP_ReadOnly are able to read the entire repo, and accounts that are in LDAP_ReadWrite are able to read and write to the entire repo.
Along comes the need to grant group LDAP_LimitedRead read access to /svn/IAM/Trunk/Project1 AND no access to /svn/IAM/Trunk/Project1/one.properties and also no access to /svn/IAM/Trunk/Project2, and so on.
I have tried the following with SVNParentPath and SVNPath:
<Location "/svn/IAM/Trunk/Project1/">
    Dav svn
    SVNParentPath /svn/repos/IAM/Trunk/Project1
    AuthzSVNAccessFile IAM.svnAuth
</Location>
with the following in the IAM.svnAuth file
[IAM:Trunk/Project1]
Dev1 = r
[IAM:Trunk/Project1/one.properties]
Dev1 =
As per the Red Bean book, path-based auth only points to the use of AuthzSVNAccessFile. What I'd like to know is if it's possible to do both, and how.
Path-based authorisation can be done via groups/users.
Create groups:
[groups]
readonly-developers = harry, sally, joe
readwrite-developers = frank, sally, jane
everyone = harry, sally, joe, frank, jane
Groups can be granted access control just like users. Distinguish them with an "at" (@) prefix:
[reponame1:/projects/calc]
@readwrite-developers = rw
[reponame2:/projects/paint]
@readonly-developers = r
frank = rw
I am testing an SVN user for read-only access. Following is the configuration that I have in apache2 and the svn repo conf:
However, my test user has read and write access; instead I want read-only access.
repo location
/svn/test/
file: /etc/apache2/conf.d/svn.conf
<location /repos>
    DAV svn
    #svn path
    SVNParentPath /svn/
    AuthType Basic
    AuthName "Authorization Realm"
    #password file path
    AuthUserFile /etc/subversion/test.users
    Require valid-user
</location>
authz conf (only one entry)
file: /svn/test/conf/authz
[test:/svn/test/]
* = r
I also tried the following:
[groups]
readonly = user1, user2
[/]
*=r
@readonly=r
and also tried the following:
[groups]
readonly = user1, user2
[10.29.3.238:80/repos/test]
*=r
You have an authz file but don't use it: you are missing at least one directive in the SVN location:
AuthzSVNAccessFile /svn/test/conf/authz
Your last authz file is wrongly formatted: a path section must be in a format without the URL or IP of the host, only [repository-name:/path/on/this/repo] ([/] is a special case). I.e. for [test:/svn/test/], after adding AuthzSVNAccessFile you define the folder /svn/test/ in repository test as RO for everybody; the second attempt is excessive: * = r will define all repositories as RO for everybody, and @readonly = r is also RO for an additional group (which is part of "everybody", *).
Is there a way in Apache, when using the mod_authnz_ldap module, to only have it ask for a login if the IP address is not within a defined, internal range? We have a site that we don't want people to have to log in to when they are in the office, but when out of the office (from home or mobile, etc.) they should have to authenticate.
Possible?
Yes, it is possible.
Assuming you use the LDAP authorization on a per-Location basis:
<Location /your/path/here>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.
    Auth...
    <your complete ldap config here>
    # if one of the above matches, go on
    Satisfy any
</Location>
You can find the complete documentation for Satisfy here.
I'm having trouble setting up my Subversion.
I'm currently able to access repository directories within the parent directory, i.e. http://server.com/svn/project, but I receive a Forbidden error if I try to access the parent directory directly: http://server.com/svn/
Ideally, I would like to be able to see all my repositories from a single URL, so I'm trying to get this configured properly.
I have looked at /etc/apache2/conf.d/subversion.conf and I have set:
<Location /svn>
    DAV svn
    SVNParentPath /usr/local/svn
    SVNListParentPath on
    AuthType Basic
    AuthName "My SVN"
    AuthUserFile /etc/apache2/conf/user_authentication.conf
    AuthzSVNAccessFile /etc/apache2/conf/svn_authorization.conf
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
In /etc/apache2/conf/svn_authorization.conf I have configured:
[/]
* = r
[project:/]
user1 = rw
etc.
I'm not quite sure why I am getting forbidden on parent since I believe I have read enabled for all users. I have even tried removing the * = r and putting myUsername = r but still forbidden.
What am I doing wrong?
Subversion won't show you the parent path directly. So "out of the box" you can't get the list of repositories this way. When using the web browser to access your repository, you should use viewvc, because that has many advantages to directly pointing the browser at the repository location (i.e. you can browse the history that way). If you're using a bundled SVN installation such as CollabNet, viewvc is automatically configured for your server, too.
We host an svn repository for multiple projects and business files on Apache. It is accessed by multiple programmers, and some project folders also by clients. An example layout is:
svn/ourcompany/business
svn/ourcompany/projects
svn/ourcompany/projects/proj1
svn/ourcompany/projects/proj2
svn/ourcompany/projects/proj3
Previously our svn.accessfile looked as follows:
[groups]
admin = jd
programmer = jd,pr1,pr2
[ourcompany:/]
@admin = rw
[ourcompany:/business]
@admin = rw
[ourcompany:/projects]
@admin = rw
@programmer = rw
[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw
Today we found that this setup causes a 403 error for webclient1 on ourcompany:/projects/proj1.
After some research a contractor suggested adding:
[groups]
admin = jd
programmer = jd,pr1,pr2
[ourcompany:/]
* = r
@admin = rw
[ourcompany:/business]
* =
@admin = rw
[ourcompany:/projects]
@admin = rw
@programmer = rw
[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw
But that now means I need to add
*=
to every single project in the projects folder???
Can someone advise on how permissions in svn.accessfile work in the folder hierarchy?
Apache virtual host below:
<VirtualHost ipaddress:80>
    ServerName subversion.ourcompany.com
    ServerAdmin webmaster@ourcompany.com
    DocumentRoot /var/www/subversion.ourcompany.com
    DavLockDB /var/lock/apache2/DavLock
    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath on
        SVNAutoversioning on
        SVNIndexXSLT "/repos-web/view/repos.xsl"
        #ModMimeUsePathInfo on
        AuthzSVNAccessFile /etc/apache2/svn.accessfile
        AuthType Basic
        AuthName "SVN"
        AuthUserFile /etc/apache2/svn.passwd
        Require valid-user
        # compress as much as possible
        SetOutputFilter DEFLATE
        SetInputFilter DEFLATE
        # Don't compress images
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    </Location>
    <IfModule mpm_itk_module>
        AssignUserId www-data www-data
    </IfModule>
    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%) %s' deflate
    CustomLog /var/log/apache2/svn-deflate.log deflate
    CustomLog /var/log/apache2/svn-access.log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
    ErrorLog /var/log/apache2/svn-error.log
</VirtualHost>
What we want to achieve:
webclient should access ourcompany:/projects/proj1 only and have no read access to ourcompany:/projects. The latter could be achieved by putting a *= into each subfolder of ourcompany:/projects, but that is not practicable.
I would like to give the following advice first:
Try to define groups and use only groups in the rules of your access files. This makes it easier to change things later and to understand what the rules are.
Use group names that denote what the semantics of the group are. This makes it easier to understand the rules as well.
Try to give every user only one group, so it is easier to understand what the role (and the access rights) of that user are.
I would change/add some parts, so that the complete resulting file is:
[groups]
admin = jd
programmer = jd,pr1,pr2
gr_client1 = client1a,client1b,webclient1
[ourcompany:/]
* =
@programmer = r
@gr_client1 =
@admin = rw
[ourcompany:/projects]
@programmer = rw
[ourcompany:/projects/proj1]
@gr_client1 = rw
This expresses the following:
You have three groups of users: admins, programmers and clients of individual projects (here in the example gr_client1).
The overall access rights say that admins may read and write everything. You don't have to repeat that rule in the subdirectories, it is inherited automatically.
The programmers may read anything, and have additionally write access rights in all projects.
The clients may only access their individual directory, and may read and write there.
So as a result you have to add for each new group an additional client group, add the users there, and add one rule for their individual project only.
PS: In your question webclient1 is used, but in the files you give, it is only webclient. Which one do you want to have?
I have repositories created in C:\Data\Subversion as well as sub-folders like C:\Data\Subversion\Dev-Mobile.
I can give per project access to users for the repos in the root folder without problems. For that I'm adding those lines in svn-acl:
[Project1:/]
Test = rw
However, when I try to give access to a repo in a sub-folder it doesn't work:
[Test161:/Dev-Mobile]
Test = rw
The project is declared in subversion.conf as:
<Location /Dev-Mobile/Test161>
    DAV svn
    SVNPath C:/Data/Subversion/Dev-Mobile/Test161
    AuthType Basic
    AuthName "Test161 Repository"
    AuthUserFile c:/Data/Subversion/svn-auth-file
    Require valid-user
    AuthzSVNAccessFile c:/Data/Subversion/svn-acl
</Location>
What am I doing wrong?
I'm not an expert on the syntax of the svn-acl file. But I think that the syntax
[Test161:/Dev-Mobile]
Test = rw
is meant for configuring the permissions of the sub-folder /Dev-Mobile of an existing repository Test161. That is, it seems you are getting the identification of the repository and the folder within the repository confused.
The problem was that I tried to add the subfolder in the path (after :/) since this seemed the logical thing to do, but I've found out that Subversion will automatically scan the subdirs.
So this is the correct syntax, no matter if the repo is in the root or a subfolder!
[Test161:/]
Test = rw
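The hierarchy rules the ourcompany answer describes, the header format the read-only answer insists on, and the repository-versus-path distinction from this last exchange can all be checked against a small evaluator. The Python below is an added illustration written for this page, not Subversion's own authorization code (libsvn_repos) and not any poster's code: it parses an access file, walks from the requested path up to / so that the most specific section decides and inheritance applies otherwise, lets a repository-specific section shadow a repository-wide [/path] one, and rejects headers whose path part does not start with / (the [10.29.3.238:80/repos/test] header from the read-only question and the [IAM:Trunk/Project1] headers from the first question both fail that check). The precedence it applies inside one section (an explicit user entry over group entries over *, with matching groups unioned) is this toy's simplification and not a statement about any particular Subversion release. The sample access files and user names are constructed from the answers above.

```python
"""Toy evaluator for Subversion AuthzSVNAccessFile rules (added illustration, not
libsvn_repos). It models: [groups] referenced as @group; [repo:/path] and
repository-wide [/path] sections whose path must start with '/' (so a host,
port or URL in a header is rejected); "most specific path wins", walking from
the requested path up to '/' and inheriting from the parent wherever nothing at
a level mentions the user; and a repository-specific section shadowing the
[/path] one at the same level. In-section precedence (user entry over group
entries over '*', matching groups unioned) is this toy's simplification."""


def parse_authz(text):
    """Return (groups, sections): groups maps name -> set of users; sections maps
    (repo or None, path) -> ordered list of (subject, set of rights)."""
    groups, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "groups":
                current = "groups"
                continue
            repo, sep, path = name.partition(":")
            if not sep:                           # [/path] applies to every repository
                repo, path = None, name
            if not path.startswith("/"):
                raise ValueError(f"bad section [{name}]: use [repo:/path] or [/path]")
            current = (repo, path.rstrip("/") or "/")
            sections.setdefault(current, [])
            continue
        subject, _, value = (s.strip() for s in line.partition("="))
        if current == "groups":
            groups[subject] = {u.strip() for u in value.split(",") if u.strip()}
        elif current is None:
            raise ValueError(f"rule outside any section: {raw!r}")
        else:
            sections[current].append((subject, set(value)))   # '' means no access
    return groups, sections


def parses(text):
    """True if the file is accepted, False if a header or stray rule is rejected."""
    try:
        parse_authz(text)
        return True
    except ValueError:
        return False


def _section_rights(rules, user, groups):
    """Rights one section gives `user`, or None when no rule there mentions them."""
    by_user = by_group = by_star = None
    for subject, rights in rules:
        if subject == user:
            by_user = rights
        elif subject.startswith("@") and user in groups.get(subject[1:], ()):
            by_group = rights if by_group is None else by_group | rights
        elif subject == "*":
            by_star = rights
    for found in (by_user, by_group, by_star):   # simplified precedence (see docstring)
        if found is not None:
            return found
    return None


def rights_for(authz, repo, path, user):
    """Effective rights of `user` on `path` in `repo`; an empty set means no access."""
    groups, sections = authz
    path = "/" + path.strip("/")
    while True:
        for key in ((repo, path), (None, path)):  # repository-specific section first
            if key in sections:
                found = _section_rights(sections[key], user, groups)
                if found is not None:
                    return found
        if path == "/":
            return set()                          # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"      # not decided here: inherit from parent


# Constructed sample: the file proposed in the ourcompany answer, with @group rules.
RECOMMENDED_AUTHZ = """
[groups]
admin = jd
programmer = jd,pr1,pr2
gr_client1 = client1a,client1b,webclient1
[ourcompany:/]
* =
@programmer = r
@gr_client1 =
@admin = rw
[ourcompany:/projects]
@programmer = rw
[ourcompany:/projects/proj1]
@gr_client1 = rw
"""
# Constructed samples for the repo-in-a-subfolder question: the first header names
# directory /Dev-Mobile inside repository Test161, the second the repository root.
SUBFOLDER_AUTHZ = "[Test161:/Dev-Mobile]\nTest = rw\n"
CORRECTED_AUTHZ = "[Test161:/]\nTest = rw\n"
# Constructed sample: the host-and-port header the read-only answer calls wrongly formatted.
HOST_HEADER_AUTHZ = "[10.29.3.238:80/repos/test]\n* = r\n"

if __name__ == "__main__":
    authz = parse_authz(RECOMMENDED_AUTHZ)
    for user, path in [("jd", "/business"), ("pr1", "/business"), ("pr1", "/projects/proj2"),
                       ("webclient1", "/projects/proj1"), ("webclient1", "/projects")]:
        print(user, path, sorted(rights_for(authz, "ourcompany", path, user)) or "no access")
    print("host/port header accepted:", parses(HOST_HEADER_AUTHZ))
```

Running it shows, for the recommended ourcompany file, that jd is rw everywhere, pr1 is r on /business and rw under /projects, and webclient1 is rw on /projects/proj1 but has nothing on /projects or /business, which is exactly the behaviour the answer describes. For the subfolder question it shows that [Test161:/Dev-Mobile] grants Test nothing at the repository root while [Test161:/] does, and it reports the host-and-port header as rejected.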