Posted to users@subversion.apache.org by Tom Hodder <To...@emap.com> on 2006/10/25 16:00:58 UTC

Enforcing per project permissions with groups

Hi,

I am attempting to configure apache/mod_dav_svn to handle per project
group authentication.
I have tried something like;

<Location /repos>
  DAV svn
  SVNPath /data/repos
  #Require group admins
  AuthType Basic
  AuthName "EMAP subversion repository"
  # temporarily using auth text files instead of db backend
  AuthUserFile AuthUserFile
  AuthGroupFile AuthGroupFile
</Location>

<Location /repos/site1>
	Require group site1
</Location>

<Location /repos/site2>
	Require group site2
</Location>

However, this allows users to access the root of the repository. And I
guess do bad things there, as they have write access.

If I include a directive in the <Location /repos> block like;
<Location /repos>
Require group admins

The users cannot get into the sites - and I get a whole bunch of errors
like this;
[Wed Oct 25 16:51:38 2006] [error] [client x.x.x.x] access to
/repos/!svn/vcc/default failed, reason: user user1 not allowed access


Any ideas on how to do this?

(I tried implementing this in the AuthzSVNAccessFile file, but
mod_authz_svn does not include apache groups, and it looks like the
config for this is going to get big, as I have 100 projects/groups and
20 users to configure.)

Thanks,

Tom H

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org


Re: Enforcing per project permissions with groups

Posted by Reinhard Brandstädter <re...@jku.at>.
On Wednesday 25 October 2006 18:00, Tom Hodder wrote:
> Hi,
>
> I am attempting to configure apache/mod_dav_svn to handle per project
> group authentication.
> I have tried something like;
>
> <Location /repos>
>   DAV svn
>   SVNPath /data/repos
>   #Require group admins
>   AuthType Basic
>   AuthName "EMAP subversion repository"
>   # temporarily using auth text files instead of db backend
>   AuthUserFile AuthUserFile
>   AuthGroupFile AuthGroupFile
> </Location>
>
> <Location /repos/site1>
> 	Require group site1
> </Location>
>
> <Location /repos/site2>
> 	Require group site2
> </Location>
>
> However, this allows users to access the root of the repository. And I
> guess do bad things there, as they have write access.
>
> If I include a directive in the <Location /repos> block like;
> <Location /repos>
> Require group admins
>
> The users cannot get into the sites - and I get a whole bunch of errors
> like this;
> [Wed Oct 25 16:51:38 2006] [error] [client x.x.x.x] access to
> /repos/!svn/vcc/default failed, reason: user user1 not allowed access
>
>
> Any ideas on how to do this?
>
> (I tried implementing this in the AuthzSVNAccessFile file, but
> mod_authz_svn does not include apache groups, and it looks like the
> config for this is going to get big, as I have 100 projects/groups and
> 20 users to configure.)

If you do not use these AuthGroupFile and AuthUserFile for anything else but
Subversion I'd pass the Authentication to a higher level instance, e.g. use
Apache LDAP authentication. Although in your case (only 20 users) I'd create
local users and use mod_auth_shadow to authenticate against the local user
base.
Authorization I'd still handle in SVNAuthzFile like this:

# global group definitions
[groups]
group1 = user1, user3, user5
group2 = user2, user4, user6, user1
admins = admin

# repository root: no access for anyone except admins
[/]
* =
@admins = rw

[/project1]
@group1 = rw
@group2 = r

[/project2]
@group1 =
@group2 = rw

This way no user except admins have "rw" access to your repository root (users
authenticated by apache don't even have read access on root, per default they
have no access at all even though they are authenticated).
Then you selectively add permissions for groups and projects.

In production use, once you have defined permissions on projects you only
have to assign users in the global section.

Reinhard 
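
With 100 projects the access file is easier to generate than to maintain by hand. The script below is an added example, not part of the original thread or of Subversion: it renders a file in the layout described above (deny at the root, one group per project) and checks it with a simplified model of the path lookup (most specific section first, then each parent). Group, user and project names are constructed.

```python
# Constructed sample data: one Apache-independent group per project.
GROUPS = {"admins": ["admin"],
          "site1": ["user1", "user3"],
          "site2": ["user2", "user1"]}
PROJECTS = ["site1", "site2"]

def render_authz(groups, projects):
    """Render a mod_authz_svn access file: root closed, one section per project."""
    lines = ["[groups]"]
    lines += [f"{g} = {', '.join(m)}" for g, m in sorted(groups.items())]
    lines += ["", "[/]", "* =", "@admins = rw"]
    for p in projects:
        lines += ["", f"[/{p}]", f"@{p} = rw"]
    return "\n".join(lines) + "\n"

def parse_authz(text):
    """Return (groups, rules) where rules maps a path to its (who, rights) lines."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line[1:-1]
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        if section == "groups":
            groups[key] = {u.strip() for u in val.split(",")}
        else:
            rules.setdefault(section, []).append((key, val))
    return groups, rules

def access(text, user, path):
    """Simplified lookup: return '', 'r' or 'rw' for user on path."""
    groups, rules = parse_authz(text)
    path = "/" + path.strip("/")
    while True:
        granted, matched = set(), False
        for who, rights in rules.get(path, []):
            if who in ("*", user) or (who.startswith("@")
                                      and user in groups.get(who[1:], ())):
                matched = True
                granted |= set(rights)   # matching lines in a section combine
        if matched:
            return "".join(c for c in "rw" if c in granted)
        if path == "/":
            return ""                    # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"
```

Write the output of `render_authz` to the file named by `AuthzSVNAccessFile` and re-run the `access` checks whenever group membership changes, so a user who can still write to `/` is caught before the file is deployed.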
