Using groups in mercurial's allow_read, allow_push etc - authentication

I was wondering if it is possible to use groups specified in e.g., an apache authgroup file in allow_read and/or allow_push etc.
So basically what I do is I am using apache with an authfile and authgroup file to authenticate users.
Now I want to restrict some repositories using allow_read from being shown to users in a specific group specified in the authgroup file.
Let's say I have sam, frodo and sauron in my auth file and I have a group hobbits containing sam and frodo in the authgroup file.
So instead of writing:
allow_read = frodo, sam
I tried
allow_read = #hobbits
but that does not seem to work. Does anybody know whether this is actually supported? The idea is that if I have, say, 10 repositories only readable for hobbits and I add a hobbit, I only have to change the authgroup and auth files and not each repository's hgrc file.
Thanks in advance

Mercurial does not have any builtin support for groups. There is a patch from a user that adds group support, but the coders seemed hesitant to include it by default; they want the contributor to make a plugin out of it instead. As of April 2013 they seem to have accepted it, but I still see no trace of it in the version currently shipped with Ubuntu (2.7).
Controlling groups in Apache, as suggested by Joel, doesn't give you any fine-grained control when you have more than one repository, so it's no use (at least not for me).
I ended up using the open source tool SCM-Manager for it. SCM-Manager acts as a frontend for SVN, Git and Mercurial and has support for various user directories (including LDAP and Crowd) as well as its own user directory.
I'm using mod_proxy to integrate it in my Apache configuration and it works quite well.

It appears you'll need to do your group controlling in Apache rather than in hgrc files, as the documentation for hgrc mentions only user names.
You'll want to have a read of Configuring Apache on the Publishing Repositories page. Section 7.4 seems to contain the information you'll need to set up what you want.
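Since neither hgrc nor Apache gives the asker what they want, the practical route is the one the question hints at: keep a single Apache AuthGroupFile as the source of truth and generate each repository's hgrc from a template. The following Python script is an added example (not from the question, the answers, or Mercurial itself); the template syntax, where `#hobbits` stands for the Apache group, and the function names are my assumptions.

```python
import re

def parse_authgroup_file(text):
    """Parse an Apache AuthGroupFile: one 'group: user1 user2 ...' per line.
    Returns {group: set(users)}; blank lines and # comments are skipped."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed AuthGroupFile line: {raw!r}")
        groups[name.strip()] = set(members.split())
    return groups

# Access-list keys of the hgrc [web] section whose values are user lists.
ACL_RE = re.compile(r"^(\s*)(allow_read|allow_push|deny_read|deny_push)(\s*=\s*)(.*)$")

def expand_hgrc_groups(template, groups):
    """Render an hgrc template in which '#group' tokens in the [web] access
    lists stand for Apache groups, replacing each token with the group's
    current members. An unknown group raises instead of silently emitting a
    shorter list, so a typo cannot widen or narrow access unnoticed."""
    out = []
    for line in template.splitlines():
        m = ACL_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, key, eq, value = m.groups()
        users = []
        for token in (t.strip() for t in value.split(",") if t.strip()):
            if token.startswith("#"):
                if token[1:] not in groups:
                    raise KeyError(f"{key}: unknown group {token}")
                users.extend(sorted(groups[token[1:]]))
            else:
                users.append(token)
        users = list(dict.fromkeys(users))  # drop duplicates, keep order
        out.append(f"{indent}{key}{eq}{', '.join(users)}")
    return "\n".join(out) + "\n"

# Constructed sample input modelled on the question above.
AUTHGROUP = "hobbits: sam frodo\nmaiar: sauron\n"
HGRC_TEMPLATE = "[web]\nallow_read = #hobbits\nallow_push = frodo, #hobbits\n"

if __name__ == "__main__":
    print(expand_hgrc_groups(HGRC_TEMPLATE, parse_authgroup_file(AUTHGROUP)))
```

Run it from a post-update hook or cron job over every repository's template and write the result to the live hgrc, so adding a hobbit only touches the auth and authgroup files.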

Related

Apache Brooklyn and LDAP against Microsoft Active Directory

I am trying to configure Apache Brooklyn to use the LDAPSecurityProvider against a Windows Active Directory.
I am testing the connection with Apache Directory Studio and it works with the provided credentials.
Screenshot of Apache Directory Studio and the LDAP tree
But when I configure Apache Brooklyn to use LDAP against the AD it does not work and creates no error logs.
My brooklyn property file is here:
brooklyn.webconsole.security.provider=org.apache.brooklyn.rest.security.provider.LdapSecurityProvider
brooklyn.webconsole.security.ldap.url=ldap://10.0.20.10:389/????X-BIND-USER=uid=StackAdmin%2cou=users,X-BIND-PASSWORD=Password123,X-COUNT-LIMIT=1000
brooklyn.webconsole.security.ldap.realm=example.com
The LDAP support is documented at http://brooklyn.apache.org/v/latest/ops/brooklyn_properties.html#ldap - your example configuration looks good (very similar to that).
However, the docs say it will then construct something like:
LDAP://cn=John Smith,ou=Users,dc=example,dc=com
(With the "ou" value being configurable).
Looking at your screenshot, it seems you'd need something like the following (though it isn't expanded to show a full user example):
LDAP://cn=John Smith,cn=Users,dc=example,dc=com
Unfortunately that isn't currently supported in Brooklyn.
The workaround would be to store your users under "ou" instead.
The LDAP integration code is pretty simple (and low on logging):
https://github.com/apache/incubator-brooklyn/blob/master/brooklyn-server/rest/rest-server/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
It would be reasonably easy to update the Java to support your use-case.
Do you want to either have a go at creating a pull request for that (https://github.com/apache/incubator-brooklyn/), or opening a jira issue at https://issues.apache.org/jira/browse/BROOKLYN to describe the requirements and someone can take a look?
I had the same problem and solved it by creating my own LdapSecurityProvider for Active Directory. Create a new class which extends org.apache.brooklyn.rest.security.provider.LdapSecurityProvider and override the getUserDN method.
Brooklyn uses com.sun.jndi.ldap.LdapCtxFactory, so you can find detailed documentation at http://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap.html
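A Python model of the DN that an overridden getUserDN would have to produce, added here as an example (it is not Brooklyn's Java code): it builds the ou=Users form the docs show, the cn=Users form a stock Active Directory domain needs, and escapes the user-supplied name per RFC 4514 so a login name containing commas or equals signs cannot splice extra RDNs into the bind DN. The `container` parameter and the function names are my assumptions.

```python
# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_ESCAPE = {c: "\\" + c for c in ',+"\\<>;='}

def escape_dn_value(value):
    """Escape one attribute value for use in a distinguished name (RFC 4514),
    including a leading space or '#' and a trailing space."""
    if not value:
        raise ValueError("empty attribute value")
    escaped = "".join(_DN_ESCAPE.get(c, c) for c in value)
    if value[0] in " #":
        escaped = "\\" + escaped
    if len(value) > 1 and value[-1] == " ":
        escaped = escaped[:-1] + "\\ "
    return escaped

def realm_to_base_dn(realm):
    """'example.com' -> 'dc=example,dc=com', as the Brooklyn docs describe."""
    parts = [p for p in realm.split(".") if p]
    if not parts:
        raise ValueError("empty realm")
    return ",".join("dc=" + escape_dn_value(p) for p in parts)

def user_dn(username, realm, container="ou=Users"):
    """Bind DN for `username`: cn=<user>,<container>,<base dn>.
    container is the RDN of the users container: 'ou=Users' in the layout the
    Brooklyn docs show, 'cn=Users' for a stock Active Directory domain."""
    attr, _, val = container.partition("=")
    if attr not in ("ou", "cn") or not val:
        raise ValueError(f"unsupported users container {container!r}")
    return f"cn={escape_dn_value(username)},{attr}={escape_dn_value(val)},{realm_to_base_dn(realm)}"

if __name__ == "__main__":
    print(user_dn("John Smith", "example.com"))
    print(user_dn("John Smith", "example.com", container="cn=Users"))
```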

Gerrit permission to review a specific path

I'm currently working on a big project with more than one team.
Let's say in the project there are some modules that each team is working on.
In addition, we have been using Gerrit for some time now and there is something I couldn't find out.
My question is the following:
Is there a way to tell Gerrit that only specific people/groups (on Gerrit) will have permission to review code (+2) on a specific path/module of the project?
This is possible, and can be achieved by using the Gerrit OWNERS Plugin. I haven't configured this plugin myself, but we use this in our codebase to protect certain areas of code.
Every folder that needs protection contains a file named OWNERS that has the following structure:
inherited: true
owners:
- user-a#example.com
- user-b#example.com
Here is the link to a readme for the plugin. Hope you can figure out how to configure it.
https://gerrit.googlesource.com/plugins/owners/+/refs/heads/master/README.md
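To see what such a tree of OWNERS files grants, here is an added Python example (not the plugin's own code) that parses the minimal format shown above and resolves the effective owners for a changed file by walking up the directory tree. It assumes the plugin's documented meaning of `inherited`: when true, the parent directory's OWNERS file is consulted as well; when false, the walk stops there. The sample tree and addresses are constructed.

```python
import posixpath

def parse_owners(text):
    """Parse the minimal OWNERS format shown above: an optional
    'inherited: true|false' line (default true) and an 'owners:' list
    of '- address' items."""
    inherited, owners, in_list = True, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("inherited:"):
            inherited = line.split(":", 1)[1].strip().lower() == "true"
            in_list = False
        elif line == "owners:":
            in_list = True
        elif in_list and line.startswith("- "):
            owners.append(line[2:].strip())
        else:
            raise ValueError(f"unexpected OWNERS line: {raw!r}")
    return inherited, owners

def effective_owners(owners_files, path):
    """Owners allowed to approve a change to `path`: collect the OWNERS file
    of the file's directory and of each ancestor up to the repository root,
    stopping at the first one that says 'inherited: false'."""
    result = []
    directory = posixpath.dirname(path)
    while True:
        text = owners_files.get(posixpath.join(directory, "OWNERS"))
        if text is not None:
            inherited, owners = parse_owners(text)
            result.extend(o for o in owners if o not in result)
            if not inherited:
                break
        if not directory:  # reached the repository root
            break
        directory = posixpath.dirname(directory)
    return result

# Constructed sample tree: root owners, an inheriting module, a sealed module.
OWNERS_FILES = {
    "OWNERS": "inherited: false\nowners:\n- lead@example.com\n",
    "modules/payments/OWNERS": "inherited: true\nowners:\n- user-a@example.com\n- user-b@example.com\n",
    "modules/crypto/OWNERS": "inherited: false\nowners:\n- crypto-lead@example.com\n",
}

if __name__ == "__main__":
    for f in ("modules/payments/Pay.java", "modules/crypto/Aes.java", "README.md"):
        print(f, "->", effective_owners(OWNERS_FILES, f))
```

The `inherited: false` on the crypto module is the interesting case for reviewers: it means the repository-wide lead cannot approve changes there, which is usually what a team wants for a sensitive module.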
I think you can do this by making two separate commits. You can later add the group that you want to review the code on that specific path using gerrit interface.

List of served files in apache

I am doing some reverse engineering on a website.
We are using a LAMP stack under CentOS 5, without any commercial/open source framework (Symfony, Laravel, etc.). Just plain PHP with an in-house framework.
I wonder if there is any way to know which files in the server have been used to produce a request.
For example, let's say I am requesting http://myserver.com/index.php.
Let's assume that 'index.php' calls other PHP scripts (e.g. to connect to the database and retrieve some info), it also includes a couple of other HTML files, etc.
How can I get the list of those accessed files?
I already tried to enable the server-status directive in Apache, and although it is working I can't get what I want (I also passed the 'refresh' parameter).
I also used lsof -c httpd, as suggested in other forums, but it produces a very big output and I can't find what I'm looking for.
I also read the Apache logs, but I am only getting the requests that the server handled.
Some other users suggested adding PHP directives like 'self', but that means I need to know beforehand which files I need to modify to include that directive (which I don't), and that is precisely what I am trying to find out.
Is it actually possible to trace the internal activity of the server and get those file names and locations?
Regards.
Not that I tried this, but it looks like mod_log_config is the answer to my own question.

Per repository AuthzSVNAccessFile apache rule with a single apache config file or other shell script solution

I am writing a set of svn hooks to allow remote management of the SVN repository, just like gitolite does with Git.
I created the script that generates the AuthzSVNAccessFile for each repository I have, now I need to tell Apache to look for each of them depending on the repository.
I cannot have an Apache config file for each repository, because it would need a restart of the Apache server.
I know I can use a single AuthzSVNAccessFile to manage multiple repositories, but the script that builds the file takes time (it needs to discover the full path of every dir inside the repository), and would make the commit take too long.
I tried to use mod_rewrite, but it did not work, maybe I used it wrong.
Basically I need to have a rule in my Apache configuration file that reads a different file depending on the URL requested. Is that possible? How?
Or I need a script able to rewrite a block of a file. I am using sed to replace the strings I have in my template, but I do not know how to use it to replace multiple lines.
Thanks for your time
No idea why you're trying to use mod_rewrite unless I'm entirely misunderstanding your question. But it sounds like you are using SVNParentPath and are having trouble figuring out how to configure the authz settings for all the repositories.
You have a couple of options.
Use one authz file
You can actually generate a single authz file and specify which repositories the rules apply to. The syntax is of the form [repos-name:path] (as you can find in the Path-Based Authorization section of the Subversion Book). One disadvantage of this is that if you have a lot of repositories and a lot of paths with rules it can slow things down, which it sounds like you've run into. One thing that can help mitigate this somewhat is using the following configuration:
SVNPathAuthz short_circuit
SVNPathAuthz controls how paths other than the URI of the request are authorized when they need to be accessed (e.g. log, commit, etc.). The default behavior is to issue a sub-request. This generates a new GET request in httpd and sends it through all of the authorization infrastructure for httpd. However, in almost all cases this is not needed, since the only authorization configuration that can vary with the path under the Location being used to serve SVN is the mod_authz_svn configuration. short_circuit tells Subversion to avoid all of this and simply send the authorization info straight to mod_authz_svn, which provides the answer directly, limiting the delay.
That may still not be enough so there are a couple of alternatives, but you'll need at least 1.7 to use them.
AuthzSVNReposRelativeAccessFile
Subversion 1.7 added a new configuration directive that lets you specify a path relative to the conf subdirectory of the repository. For instance if you have a repo named foo you can put the authz file in /path/to/foo/conf/authz and then set the following configuration value:
AuthzSVNReposRelativeAccessFile authz
The directive used prior to 1.7, AuthzSVNAccessFile, was relative to the server root path.
In-Repository Authz
Subversion 1.8 allows you to store the authz file in the repository itself. So for instance if you committed the file in the repo in a directory named conf as the file authz then you'd do:
AuthzSVNAccessFile ^/authz
The ^/ syntax is replaced with the full path to the repository.
You probably want to read the details on the linked release notes for 1.8 if you decide to use this.

Managing commit rights in svn by delegating to project managers

We have multiple projects in an SVN repo. And for each project there are many users. As the number of users is large, it's troublesome to manage their commit rights using an "Auth file".
I have read somewhere that we can delegate users' rights to their managers by creating a text file. But I am not sure how to achieve this, and perhaps hooks need to be configured for this. As I am new to SVN, I need your expert advice. Please guide me on how to achieve this, and if you have a hook already configured, kindly provide it.
How to setup access control in SVN?
I have seen this link and the answer by VonC is great and perfect for me. But I don't know how to start. Can anybody help me out here, as I am not a pro in SVN and Unix?
Thanks in advance
Preface
Using a single repository for multiple projects is a Bad Idea (tm): one repo, one project
Forget immediately about the old-as-mammoth's-shit SVN 1.5; use at least 1.6 on client and server (1.8 may be the best choice)
Face
Simplified user management for SVN users can be reached using LDAP-based authentication instead of an ordinary file (in the case of "repository per project", <location> from the answer will be the location of each repo with SVNPath; in the case of the old structure, <location> must be linked to every root of a project) and having different groups for different repositories in the Require ldap-group directive; also read the Apache 2.2 docs in the Apache Module mod_authnz_ldap part. From a management POV, LDAP auth and permissions mean: each developer must be in the LDAP tree, included in one or more groups related to repositories.
In case of an additional requirement for Path-Based Authorization within repositories and using groups inside the authz file, you may find the LDAP Groups to Subversion Authz Groups Bridge useful, which allows you to regenerate authz groups from LDAP data.
As a result, most (if not all) SVN-related ACLs can be managed on the LDAP side only.
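The two SVN threads above describe the same generator from two sides: the per-repository AuthzSVNAccessFile question needs per-repo fragments folded into one file using the [repos-name:path] syntax from the "one authz file" option, and this answer wants the [groups] section regenerated from LDAP data. The following Python script is an added example that does both (it is not the bridge tool, an answer's code, or part of Subversion); the per-repo fragments and the group mapping are constructed, and the function names are my assumptions.

```python
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def parse_authz(text):
    """Split an authz file into an ordered {section: [(key, value), ...]} map.
    Comments and blank lines are dropped; entry order is preserved."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed authz line: {raw!r}")
        key, _, value = line.partition("=")
        current.append((key.strip(), value.strip()))
    return sections

def merge_authz(repos, groups):
    """Build one SVNParentPath-wide authz file.
    repos:  {repo_name: per-repo authz text using plain [/path] sections}
    groups: {group_name: [member, ...]}, e.g. exported from LDAP; it is the
            only source of [groups], so any [groups] in a fragment is dropped.
    A rule that names a group not in `groups` is rejected, since Subversion
    would otherwise treat the unknown group as matching nobody."""
    out = ["[groups]"]
    for name, members in sorted(groups.items()):
        out.append(f"{name} = {', '.join(sorted(members))}")
    for repo, text in sorted(repos.items()):
        for section, entries in parse_authz(text).items():
            if section == "groups":
                continue
            if not section.startswith("/"):
                raise ValueError(f"{repo}: section [{section}] is not a path")
            out += ["", f"[{repo}:{section}]"]
            for key, value in entries:
                if key.startswith("@") and key[1:] not in groups:
                    raise ValueError(f"{repo}: unknown group {key}")
                out.append(f"{key} = {value}".rstrip())
    return "\n".join(out) + "\n"

# Constructed sample input: two per-repo fragments plus LDAP-style group data.
PER_REPO = {"foo": "[/]\n* = r\n@hobbits = rw\n\n[/secret]\n* =\nfrodo = rw\n",
            "bar": "[/]\n@hobbits = r\n"}
GROUPS = {"hobbits": ["sam", "frodo"]}
```

Point AuthzSVNAccessFile at the generated file and regenerate it whenever the LDAP groups or a repository fragment change; with SVNPathAuthz short_circuit the combined file stays cheap to evaluate.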