I am trying to Setup Server dictated configurations on my Subversion repository which is served by an Apache 2.4 server.
Based on the information I found one has to alter the SVN configuration file on the server but which one is used by the mod_dav_svn module of the Apache Server?
I already tried different ones (Admin, Public) but none worked.
Does anybody know which configuration file is used by this module?
Thanks,
Thomas
As I know the SVN config file is the user and not to the server. The only things you have to do is give apache user write permission on svn repo and config the apache.
Here is a example of apache config file, repo available at http://mysserver/SVN_REPO1
LoadModule dav_svn_module modules/mod_dav_svn.so
<IfModule mod_dav_svn.c>
Alias /SVN_REPO "/PATH_TO/SVN_REPO"
<Location /SVN_REPO1>
DAV svn
SVNPath "/PATH_TO/SVN_REPO"
SVNPathAuthz Off # More faster but don't check permission permission in all parenth path ( - security)
AuthzSVNAccessFile "/path_to_/authz"
require valid-user
Satisfy Any
Options MultiViews
Require all granted
</Location>
Related
I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
Platform: Windows Server 2008 R2
Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL 1.0.2h
CollabNet Subversion Client SVNServe 1.7.8
Trac 1.0.9 (win32)
Python 2.7.1
On a Windows server, I had Subversion and Trac interacting nicely when running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python module. Access to Trac projects was permitted based on access control groups defined in the subversion access control file. The setting of the AuthzSVNAccessFile variable in the httpd.conf file pointed to the subversion access control file, e:/etc/.svnaccess. If the user had access to a subversion repo, then they had access to the associated Trac project, otherwise access was denied.
The httpd.conf file contained the following:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
SetHandler mod_python
PythonHandler trac.web.modpython_frontend
PythonOption TracEnvParentDir e:\trac
PythonOption TracUriRoot /trac
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade, mod_python was obsoleted so I had to switch to use mod_wsgi load module. I added in the mod_wsgi.so load module and modified the config file to remove the Python-related settings (keeping the AuthzSVNAccessFile setting), and adding in mod_wsgi info.
After the Apache upgrade, the httpd.conf file contained:
<Location /trac>
SVNParentPath e:/svn_repository
AuthzSVNAccessFile "E:/etc/.svnaccess"
AuthType SSPI
SSPIAuth On
SSPIOfferSSPI Off
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIOmitDomain Off
SSPIUsernameCase lower
SSPIPerRequestAuth On
SSPIOfferBasic On
AuthName "UTAS TRAC Login (Use domain\userid format)"
Require valid-user
</Location>
WSGIScriptAlias /trac e:/trac/trac.wsgi
<Directory "e:/trac">
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
The e:/trac/trac.wsgi has the following in it:
import os
import trac.web.main
import site
site.addsitedir('e:\Python\Lib\site-packages')
os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
def application(environ, start_response):
environ['trac.env_parent_dir'] = r'e:\trac'
return trac.web.main.dispatch_request(environ, start_response)
The trac.ini file (for Beth_test project) has these critical sections, same as before the Apache upgrade:
[components]
tracopt.versioncontrol.svn.* = enabled
tracstats.* = enabled
[repositories]
Beth_test.dir = e:\svn_repository\Beth_test
Beth_test.description = This is the ‘Beth_test’ project repository on the Test svn server.
Beth_test.type = svn
Beth_test.url = https://<my_server>/svn/Beth_test
Beth_test.hidden = true
tsvn = tsvn: Interact with TortoiseSvn
[trac]
authz_file = E:\etc\.svnaccess
permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
permission_store = DefaultPermissionStore
repository_dir = e:\svn_repository\Beth_test
repository_type = svn
…plus a bunch of other settings
My directory structure on the server is:
E:\svn_repository\
Beth_test
SVN_test
E:\trac\
Beth_test
SVN_test
When I bring up the Trac url after entering my active directory credentials, I see the 2 Trac projects listed. However when I click on a project, it gives me access to it even though I have not added my id to the access control group associated with the subversion Beth_test repo. With TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module, I can (erroneously) access the Trac project and subsequently browse the subversion source.
There is nothing useful in the Apache or Trac log files.
Any idea why Trac no longer follows the subversion access control permissions after upgrading Apache and switching from mod_python to mod_wsgi?
I had been playing with the svn access control file, and my id was in the admin group. The admin group had r/w access to the top-level slash (/) directory. Consequently, my id had access to all repositories since I did not remove permissions in each repo for the admin group. Once I removed my id from the admin directory, both svn and trac followed the repo's groups defined access.
I am trying to setup SVN with APACHE so that each repository has its own set of .access and .passwd files.
Basically lets take this url: http://svn.thissite.com/repo1 is an address of one of the repository
I have one folder in /var/www/svn/ which contains about 20 different repositories and a set of .access and .passwd files
For the repo1 repository there would be 3 paths relevant:
/var/www/svn/repo1 (SVN repository itself)
/var/www/svn/repo1.access (Contains svn access info)
/var/www/svn/repo1.passwd (Contains SVN user and password for that specific repo)
I have about 20 repositories + relevant .access and .passwd files
So my question is:
What do I need to write in my APACHE2 config files so that it uses the repository name to access the proper .access and .passwd files? I would like a way of having it simple and not a simple copy paste of 20 blocks of tags in APACHE if possible.
Thank you!
EDIT:
Content of repo1.access (Starts with [/] for all 20 repos):
[/]
Name1 = rw
Name2 = rw
Name3 = rw
Content of repo1.passwd (password actually hidden):
Name1:XXXXXXXXXX
Name2:XXXXXXXXXX
Name3:XXXXXXXXXX
I have SVN running via Apache on my home server with multiple repositories. I have each repository set up as a Virtual Host, which then lets you specify unique auth and acl files via the AuthUserFile and AuthzSVNAcces parameters in the config file.
An example Virtual Host for my SVN installation:
<VirtualHost 192.168.1.42:80>
ServerName svn.eidola.its
DocumentRoot /Istas/Library/WebRoot/
<Location "/">
DAV svn
SVNPath /Istas/Library/Subversion/eidola.its
SVNPathAuthz off
AuthType Basic
AuthName "Eidola Repository"
AuthUserFile /Istas/Library/Config/Subversion/users.basic
AuthzSVNAccessFile /Istas/Library/Config/Subversion/eidola.acl
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
Include /Istas/Library/Config/Apache2/svn_rewrite.conf
</VirtualHost>
The svn_rewrite.conf file is used to allow me to access the repository directly at the ServerName, or via WebSVN at a rewritten URL. Obviously, that line would not pertain to your situation. :)
We are using a berkeley-db for authorisation of svn-access.
We have it configured like that:
<Location /svn>
AuthType basic
AuthName "svn Authentication"
AuthBasicProvider dbm
AuthDBMUserFile /****/userDatabase.db
AuthDBMType db
AuthDBMGroupFile /****/userDatabase.db
AuthzDBMType db
SSLRequireSSL
</Location>
Until here everything works fine and people gain access according to their respective groups. No I wanted / need to add some specific users to gain (read-only) access to one repository without changing their groups. I tried the following
<Location /svn/administration>
DAV svn
SVNPath /data/svn/administration
SVNPathAuthz off
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group svn-admin-readwrite
</LimitExcept>
<Limit GET PROPFIND OPTIONS REPORT>
Require group svn-admin-read
Require user testUser testUser2
</Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!
Anything (obvious) I am missing here?
Reading (and understanding) some parts of SVN Book, at least "Per-directory access control" (maybe full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization"
I see at least two weakness in current config
Without DAV svn+SVNParentPath in <Location /svn> container you must to have for N repositories N+1 Location containers and add|remove location for every added|removed repository. Subversion-way is to have single location for parent of repository-dirs
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
DAV svn
# Automatically map any "/svn/foo" URL to repository /var/svn/foo
SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache implemented (and used in 99% cases) with authz_svn_module and AuthzSVNAccessFile, in which user's and group's access rights (for any repository in tree or part of repo-tree) defined... and also group's membership, which makes AuthDBMGroupFile obsoleted (and Location without LimitExcept & Limit - more compact and readable)
We're setting up Subversion version control in Dreamweaver CS4 and we'd like to transmit our files over SSL. We have it working without SSL. But, when we select HTTPS as the protocol, it's unable to connect. https://thedevserver.edu, DW fails to connect.
Has anyone gotten this to work? Is there something on the Apache or Subversion sides that we're missing?
We have an SVN configuration include file with the following contents:
LoadModule dav_svn_module modules/mod_dav_svn.so
<Location /repos>
DAV svn
SVNParentPath /folder/folder1/SVN_REPOS_folder
SVNListParentPath on
SSLRequireSSL
AuthType Digest
AuthName webdav
AuthDigestDomain /repos
AuthUserFile /some/where/on/the/server
AuthDigestProvider file
Require valid-user
</Location>
I've Included this file in the virtual host file. But, still, DW can't connect using HTTPS.
If you can connect to http repo, but can't to https: this is obviously Apache part - it must support secure connection for used for repository virtualhost or server.
Subversion (mod_dav_svn) in this case work over base httpd-engine