We host a svn repository for multiple projects and business files on apache. This is accessed by multiple programmers and some project folders also by clients. Example layout is:
svn/ourcompany/business
svn/ourcompany/projects
svn/ourcompany/projects/proj1
svn/ourcompany/projects/proj2
svn/ourcompany/projects/proj3
Previously our svn.accessfile looked as follows:
[groups]
admin = jd
programmer = jd,pr1,pr2

[ourcompany:/]
@admin = rw

[ourcompany:/business]
@admin = rw

[ourcompany:/projects]
@admin = rw
@programmer = rw

[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw
Today we found that this setup causes a 403 error for webclient1 on ourcompany:/projects/proj1
After some research a contractor suggested to add
[groups]
admin = jd
programmer = jd,pr1,pr2

[ourcompany:/]
* = r
@admin = rw

[ourcompany:/business]
* =
@admin = rw

[ourcompany:/projects]
@admin = rw
@programmer = rw

[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw
But that now means I need to add
*=
to every single project in the project folder ???
Can someone advise on how permissions in svn.accessfile work in the folder hierarchy?
apache virtual host below
<VirtualHost ipadress:80>
    ServerName subversion.ourcompany.com
    ServerAdmin webmaster@ourcompany.com
    DocumentRoot /var/www/subversion.ourcompany.com
    DavLockDB /var/lock/apache2/DavLock

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath on
        SVNAutoversioning on
        SVNIndexXSLT "/repos-web/view/repos.xsl"
        #ModMimeUsePathInfo on
        AuthzSVNAccessFile /etc/apache2/svn.accessfile
        AuthType Basic
        AuthName "SVN"
        AuthUserFile /etc/apache2/svn.passwd
        Require valid-user

        # compress as much as possible
        SetOutputFilter DEFLATE
        SetInputFilter DEFLATE
        # Don't compress images
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    </Location>

    <IfModule mpm_itk_module>
        AssignUserId www-data www-data
    </IfModule>

    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%) %s' deflate
    CustomLog /var/log/apache2/svn-deflate.log deflate
    CustomLog /var/log/apache2/svn-access.log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
    ErrorLog /var/log/apache2/svn-error.log
</VirtualHost>
What we want to achieve:
webclient to access ourcompany:/projects/proj1 only and to have no read access to ourcompany:/projects. The latter could be achieved by putting a * = into each subfolder of ourcompany:/projects, but that is not practicable.
I would like to give the following advice first:
Try to define groups and use only groups in the rules of your access files. This makes it easier to change things later and to understand what the rules are.
Use group names that denote what the semantics of the group are. This makes it easier to understand the rules as well.
Try to give every user only one group, so it is easier to understand what the role (and the access rights) of that user are.
I would change / add some parts, so that the complete resulting file is:
[groups]
admin = jd
programmer = jd,pr1,pr2
gr_client1 = client1a,client1b,webclient1

[ourcompany:/]
* =
@programmer = r
@gr_client1 =
@admin = rw

[ourcompany:/projects]
@programmer = rw

[ourcompany:/projects/proj1]
@gr_client1 = rw
This expresses the following:
You have three groups of users: admins, programmers and clients of individual projects (here in the example gr_client1).
The overall access rights say that admins may read and write everything. You don't have to repeat that rule in the subdirectories, it is inherited automatically.
The programmers may read anything, and have additionally write access rights in all projects.
The clients may only access their individual directory, and may read and write there.
So as a result you have to add for each new group an additional client group, add the users there, and add one rule for their individual project only.
PS: In your question webclient1 is used, but in the files you give, it is only webclient. Which one do you want to have?
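To check what the proposed file actually grants before loading it into Apache, here is a small evaluator of Subversion's path-based authz rules. It is an added example, not code from the question, the answer or the Subversion project. It models the documented lookup order: the section for the most specific path wins, a repository-specific section [repo:/path] is consulted before the global [/path] section for the same path, and rights are inherited from the parent directory only when no closer section has a rule that applies to the user. Within one section it applies the precedence Subversion 1.10 and later document (a rule naming the user, then group rules, then "*"), combining rules of equal precedence; aliases, $authenticated/$anonymous and "~" negation are left out. The embedded access file is the answer's proposed one with the group prefix written as "@"; the user and path names come from the thread.

```python
"""Toy evaluator for Subversion path-based authz (AuthzSVNAccessFile) rules.

Added example, not code from the question, the answer or the Subversion
project.  Lookup order modelled: most specific path first; for a path, the
repository-specific section [repo:/path] before the global [/path] section;
parent directories only when no closer section has an applicable rule.
Within a section: user rule > group rules > "*" (Subversion 1.10+ precedence),
equal-precedence rules combined.  Aliases, $authenticated/$anonymous and "~"
are not modelled.
"""
import configparser
from typing import Dict, Optional, Set

# The answer's proposed access file (group prefix spelled as "@").
ACCESS_FILE = """\
[groups]
admin = jd
programmer = jd,pr1,pr2
gr_client1 = client1a,client1b,webclient1

[ourcompany:/]
* =
@programmer = r
@gr_client1 =
@admin = rw

[ourcompany:/projects]
@programmer = rw

[ourcompany:/projects/proj1]
@gr_client1 = rw
"""


def parse_authz(text: str):
    """Return (groups, sections): group -> members, section -> {who: rights}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str                       # keep "*" and "@name" verbatim
    cp.read_string(text)
    groups: Dict[str, Set[str]] = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    sections = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, sections


def members_of(group: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """Expand a group, following nested "@group" members without looping."""
    seen = set() if seen is None else seen
    users: Set[str] = set()
    for m in groups.get(group, ()):
        if m.startswith("@"):
            if m[1:] not in seen:
                seen.add(m[1:])
                users |= members_of(m[1:], groups, seen)
        else:
            users.add(m)
    return users


def section_rights(rules, user: str, groups) -> Optional[Set[str]]:
    """Rights one section grants `user`, or None when no rule there applies."""
    levels = {0: [], 1: [], 2: []}             # 0 user rule, 1 group rule, 2 "*"
    for who, value in rules.items():
        rights = set((value or "").strip()) & {"r", "w"}
        if who == user:
            levels[0].append(rights)
        elif who.startswith("@") and user in members_of(who[1:], groups):
            levels[1].append(rights)
        elif who == "*":
            levels[2].append(rights)
    for level in (0, 1, 2):
        if levels[level]:
            return set().union(*levels[level])  # equal precedence: combined
    return None


def access(user: str, repo: str, path: str, groups, sections) -> str:
    """Return "rw", "r" or "" for `user` on repo:path, walking up to "/"."""
    path = "/" + path.strip("/")
    lookup = []
    while True:                                # "/a/b" -> ["/a/b", "/a", "/"]
        lookup.append(path)
        if path == "/":
            break
        path = path.rsplit("/", 1)[0] or "/"
    for p in lookup:                           # most specific path first
        for name in (f"{repo}:{p}", p):        # repo-specific before global
            if name in sections:
                rights = section_rights(sections[name], user, groups)
                if rights is not None:         # a closer rule decides; stop
                    return "".join(c for c in "rw" if c in rights)
    return ""


def report(text: str = ACCESS_FILE, repo: str = "ourcompany"):
    """Access of every listed user to the paths the question cares about."""
    groups, sections = parse_authz(text)
    users = sorted(set().union(*groups.values()))
    paths = ["/", "/business", "/projects", "/projects/proj1", "/projects/proj2"]
    return {u: {p: access(u, repo, p, groups, sections) for p in paths} for u in users}


if __name__ == "__main__":
    for user, rows in report().items():
        print(user.ljust(10), " ".join(f"{p}={r or '-'}" for p, r in rows.items()))
```

Running it shows webclient1 with "rw" on /projects/proj1 and nothing on /, /business, /projects or /projects/proj2, which is exactly the goal stated in the question, while pr1 keeps read access everywhere and write access under /projects. For the real server, the same check can be made with the svnauthz tool shipped with Subversion (for example `svnauthz accessof --username webclient1 --repository ourcompany --path /projects /etc/apache2/svn.accessfile`), which evaluates the file with the actual library rather than this model.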
Related
I have an apache based subversion server that hosts multiple repositories that has been working just fine using Location stanzas that make use of Limit and LimitExcept sections as shown below:
<Location "/svn/IAM/">
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=LDAP_ReadOnly
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require ldap-group CN=LDAP_ReadWrite
    </LimitExcept>
</Location>
Based on this, accounts that are in LDAP_ReadOnly are able to read the entire repo, and accounts that are in LDAP_ReadWrite are able read and write to the entire repo.
Along comes the need to grant group LDAP_LimitedRead read access to "/svn/IAM/Trunk/Project1" AND no access to "/svn/IAM/Trunk/Project1/one.properties" and also no access to "/svn/IAM/Trunk/Project2" and so on.
I have tried the following with SVNParentPath, and SVNPath
<Location "/svn/IAM/Trunk/Project1/">
    Dav svn
    SVNParentPath /svn/repos/IAM/Trunk/Project1
    AuthzSVNAccessFile IAM.svnAuth
</Location>
with the following in the IAM.svnAuth file
[IAM:Trunk/Project1]
Dev1 = r
[IAM:Trunk/Project1/one.properties]
Dev1 =
As per the redbean book, path based auth only points to the use of AuthzSVNAccessFile. What I'd like to know is if it's possible to do both, and how.
Path based authorisation can be done via group/user
Create groups
[groups]
readonly-developers = harry, sally, joe
readwrite-developers = frank, sally, jane
everyone = harry, sally, joe, frank, jane
Groups can be granted access control just like users. Distinguish them with an "at" (@) prefix:
[reponame1:/projects/calc]
@readwrite-developers = rw
[reponame2:/projects/paint]
@readonly-developers = r
frank = rw
How would I go about creating a link that contains confidential information specific to the user and when clicked, it would open up a tab that requires authorization in order to access the information.
I've been given advice to use Apache and Drupal but I'm not sure how to start things. Any form of advice would be GREATLY appreciated.
You can use Shield module of Drupal for your purpose.
OR
You should be able to do this using the combination of mod_env and the Satisfy any directive. You can use SetEnvIf to check against the Request_URI, even if it's not a physical path. You can then check if the variable is set in an Allow statement. So either you need to log in with a password, or the Allow statement lets you in without a password:
# Do the regex check against the URI here; if it matches, set the "require_auth" var
SetEnvIf Request_URI ^/your/url require_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Set up a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these is satisfied:
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
I am testing an SVN user for read only access; the following is the configuration that I have in apache2 and the svn repo conf:
However my test user has read and write access, whereas I want read only access.
repo location
/svn/test/
file: /etc/apache2/conf.d/svn.conf
<location /repos>
    DAV svn
    #svn path
    SVNParentPath /svn/
    AuthType Basic
    AuthName "Authorization Realm"
    #password file path
    AuthUserFile /etc/subversion/test.users
    Require valid-user
</location>
authz conf (only one entry)
file: /svn/test/conf/authz
[test:/svn/test/]
* = r
also tried: following
[groups]
readonly = user1, user2
[/]
*=r
@readonly=r
also tried: following
[groups]
readonly = user1, user2
[10.29.3.238:80/repos/test]
*=r
You have an authz file, but don't use it: you are missing at least one directive in the SVN location:
AuthzSVNAccessFile /svn/test/conf/authz
Your last authz file is wrongly formatted: a path section must be written without the URL or IP of the host, only [repository-name:/path/in/this/repo] ([/] is a special case). I.e., for [test:/svn/test/], after adding AuthzSVNAccessFile you define the folder /svn/test/ in repository test as RO for everybody; the second attempt is excessive: * = r will define all repositories as RO for everybody, and @readonly = r also RO for an additional group (which is part of "Everybody", *).
I'm having trouble setting up my Subversion.
I'm currently able to access repository directories within the parent directory, i.e. http://server.com/svn/project, but I receive a Forbidden error if I try to access the parent directory directly: http://server.com/svn/
Ideally, I would like to be able to see all my repositories from a single url so I'm trying to get this configured properly.
I have looked at /etc/apache2/conf.d/subversion.conf and I have set
<Location /svn>
    DAV svn
    SVNParentPath /usr/local/svn
    SVNListParentPath on
    AuthType Basic
    AuthName "My SVN"
    AuthUserFile /etc/apache2/conf/user_authentication.conf
    AuthzSVNAccessFile /etc/apache2/conf/svn_authorization.conf
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
In /etc/apache2/conf/svn_authorization.conf I have configured
[/]
* = r
[project:/]
user1 = rw
etc..
I'm not quite sure why I am getting forbidden on parent since I believe I have read enabled for all users. I have even tried removing the * = r and putting myUsername = r but still forbidden.
What am I doing wrong?
Subversion won't show you the parent path directly. So "out of the box" you can't get the list of repositories this way. When using the web browser to access your repository, you should use viewvc, because that has many advantages to directly pointing the browser at the repository location (i.e. you can browse the history that way). If you're using a bundled SVN installation such as CollabNet, viewvc is automatically configured for your server, too.
I have a directory protected by htaccess. Here is the code I use now:
AuthName "Test Area"
Require valid-user
AuthUserFile "/***/.htpasswd"
AuthType basic
This is working fine. However, I now have a directory inside of this folder that I would like to allow anyone to access, but am not sure how to do it.
I know that it is possible to just move the files outside of the protected directory, but to make a long story short the folder needs to stay inside the protected folder, but be accessible to all.
How can I restrict access to the folder, but allow access to the subfolder?
Just create an .htaccess file in the subdirectory with the content:
Satisfy any
According to this article you can accomplish this by using SetEnvIf. You match each of the folders and files you want to grant access to and define an environment variable 'allow' for them. Then you add a condition that allows access if this environment variable is present.
You need to add the following directives to your .htaccess.
SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The accepted answer does not seem to run well with new Apache versions, since it stopped working as soon as Apache updates were rolled out on some of my customers' servers.
I recommend the following approach:
AuthType Basic
AuthName "NO PUBLIC ACCESS"
AuthUserFile /xxx/.htpasswd
SetEnvIf REQUEST_URI "(path/to/directory/)$" ALLOW
<RequireAny>
    Require env ALLOW
    Require valid-user
</RequireAny>
I don't have enough reputation to add a comment, but two of these answers use the pattern:
SetEnvIf Request_URI "(path/to/directory/)$" allow
to set an environment variable and then check to see if it exists. The part in the quotes is a regular expression. This statement is saying that any path that ENDS with "path/to/directory/" matches and should set the variable, such as "administrationpath/to/directory/", but not "path/to/directory/index.html". The "$" matches the end of the string.
A better match would be:
SetEnvIf Request_URI "^/path/to/directory/" allow
This means the URI path must begin with "/path/to/directory/" (the caret matches the start of the string) but can have additional content after the trailing slash. Note that this requires the trailing slash. To make it optional you could add two rules:
SetEnvIf Request_URI "^/path/to/directory$" allow
SetEnvIf Request_URI "^/path/to/directory/" allow
or, with more pattern matching:
SetEnvIf Request_URI "^/path/to/directory(/.*)?$" allow
The parentheses and question mark make an optional group, and ".*" means zero or more characters.
Personally, I'd either use require all granted in the subfolder's .htaccess or:
require expr "%{REQUEST_URI} =~ m|^/path/to/directory(/.*)?$|" in the parent's.
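The difference between the three patterns above is easiest to see by running them over a few request paths. The following is an added example, not code from any of the posts; the sample Request_URI values are constructed, and Python's re module stands in for Apache's PCRE, which agrees with it for patterns this simple. SetEnvIf searches for the regex anywhere in the value unless it is anchored, so the pattern on the left decides which paths get the "allow" variable and therefore skip authentication; a pattern that matches more paths than intended is an authentication bypass for those paths.

```python
"""Which request URIs each SetEnvIf Request_URI pattern from the answers above
would mark with the "allow" variable (i.e. serve without a password).
Added example, not from any of the posts; sample URIs are constructed and
re.search mirrors SetEnvIf's unanchored-by-default matching."""
import re
from typing import Dict, List

# The patterns quoted in the thread, exactly as they appear in SetEnvIf.
PATTERNS: Dict[str, str] = {
    "end-anchored (accepted answer)": r"(path/to/directory/)$",
    "start-anchored":                 r"^/path/to/directory/",
    "optional trailing part":         r"^/path/to/directory(/.*)?$",
}

# Constructed sample Request_URI values (constructed for this example).
SAMPLE_URIS: List[str] = [
    "/path/to/directory/",                # the directory itself
    "/path/to/directory",                 # same, without trailing slash
    "/path/to/directory/index.html",      # a file inside it
    "/administrationpath/to/directory/",  # a sibling whose name merely ends the same way
    "/path/to/directory-old/",            # a sibling sharing the prefix
    "/other/",                            # unrelated path
]

# What should be public: the directory and everything below it, nothing else.
INTENDED = {"/path/to/directory/", "/path/to/directory", "/path/to/directory/index.html"}


def marked_allow(pattern: str, uri: str) -> bool:
    """True when `SetEnvIf Request_URI <pattern> allow` would set the variable."""
    return re.search(pattern, uri) is not None


def matrix(patterns: Dict[str, str] = PATTERNS, uris: List[str] = SAMPLE_URIS):
    """name -> list of URIs that pattern would open up without authentication."""
    return {name: [u for u in uris if marked_allow(pat, u)] for name, pat in patterns.items()}


def over_grants(name: str, patterns=PATTERNS, uris=SAMPLE_URIS) -> List[str]:
    """URIs the named pattern exposes that are outside the intended subtree."""
    return [u for u in matrix(patterns, uris)[name] if u not in INTENDED]


def under_grants(name: str, patterns=PATTERNS, uris=SAMPLE_URIS) -> List[str]:
    """Intended-public URIs the named pattern would still leave behind the password."""
    allowed = set(matrix(patterns, uris)[name])
    return [u for u in uris if u in INTENDED and u not in allowed]


if __name__ == "__main__":
    for name in PATTERNS:
        print(name)
        print("  public:       ", matrix()[name])
        print("  over-granted: ", over_grants(name))
        print("  under-granted:", under_grants(name))
```

The end-anchored pattern is the one to worry about: it opens /administrationpath/to/directory/ to anonymous users while still asking for a password on /path/to/directory/index.html. The start-anchored form fixes both problems but needs the trailing slash, and the optional-group form covers the directory with or without it while still rejecting the "-old" sibling.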
For Apache 2.4, create a .htaccess file with the following content:
Require all granted
Place it in the subdirectory you want to allow access to.
There is no need to create a .htaccess in the subdirectory.
Just create as many variables as you need with the SetEnvIf directive, and be sure the file or path name you want to allow/deny is part of the URI regex you pass to SetEnvIf, exactly like @Sumurai8 said, but set the regex to fit your needs, for the URI should start/end/contain a set of characters.