Posted to users@subversion.apache.org by "Todd C. Gleason" <tg...@impac.com> on 2009/05/29 18:26:34 UTC

detecting AuthzSVNAccessFile errors

I recently encountered a problem where a badly formatted
AuthzSVNAccessFile went undetected and we struggled to figure out why
some users could not commit to the repository.

The server is a Windows 2003 Server running Apache 2.2 and Subversion
1.5.2.  To install an updated configuration I basically do this:

* Run httpd -t to test httpd-ssl.conf.
* Run httpd -n "[service name]" -k restart to do a graceful restart
* Run net start | find /I "[service name]" > NUL and check ERRORLEVEL
  to determine whether the server is started.
* Run an svn ls command to verify the AuthZSVNAccessFile.
* On any error, roll back the configuration, restart the server again,
  and re-test to determine whether the roll back succeeded.

With some AuthzSVNAccessFile parsing errors, the svn ls command will
fail after the restart.  However, in one case I just found out about,
the server appears to restart, and svn ls runs, but the new auth file
doesn't really seem to be active, because any subsequent changes don't
seem to be recognized.

The parsing error we had was in the [groups] section.  Our ordinary
format would look like this:

[groups]
GroupName = one, two, three, four

The bad edit left it like this:

[groups]
GroupName = one, two twob, three, four

Note the missing comma.

I realize I can install a command-line grep to detect this specific case
if nothing else, but is there a better way to detect this problem and
maybe other syntax errors at the same time?  I'd really like something
like httpd -t for the AuthzSVNAccessFile but I haven't heard of such a
thing.  I also scanned all the Apache logs and found nothing helpful.

Some more configuration information:

* We have users authenticating from multiple domains
* SSPIOmitDomain On
* For some reason we had to specify an SSPIDomain and doing this
  with one of our domains would let it work with the other, but the
  reverse was not true.  Users are specified in the auth file without
  domains (though initially I tried, and failed, to get it to work
  including domains).
* We use an SVNParentPath to allow multiple repositories under a
  single <Location>
* SSPIOfferBasic On
* SSPIPerRequestAuth Off
* SSPIUsernameCase lower
* We use <LimitExcept GET PROPFIND OPTIONS REPORT> containing:
  Require Group [Domain\\GroupName]
* The auth file has [/] * = r for now, so as long as a user is in
  the above-named group, they should be able to read everything.

--Todd

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2356909

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: detecting AuthzSVNAccessFile errors

Posted by "Todd C. Gleason" <tg...@impac.com>.
________________________________

From: shantanu vibhore [mailto:shantanu.vibhore@gmail.com] 
Sent: Sunday, June 07, 2009 6:47 AM
To: Gleason, Todd
Cc: users@subversion.tigris.org
Subject: Re: detecting AuthzSVNAccessFile errors

Hello Todd,

Maybe you are looking for this.

http://svn.collab.net/repos/svn/trunk/tools/server-side/svnauthz-validate.c

Regards,
Shantanu



Thank you Shantanu, that looks like exactly what I need.

--Todd

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2360355


Re: detecting AuthzSVNAccessFile errors

Posted by shantanu vibhore <sh...@gmail.com>.
Hello Todd,

Maybe you are looking for this.

http://svn.collab.net/repos/svn/trunk/tools/server-side/svnauthz-validate.c

Regards,
Shantanu


On Fri, May 29, 2009 at 11:56 PM, Todd C. Gleason <tg...@impac.com> wrote:

>  I recently encountered a problem where a badly formatted
> AuthzSVNAccessFile went undetected and we struggled to figure out why some
> users could not commit to the repository.
>
>
>
> The server is a Windows 2003 Server running Apache 2.2 and Subversion
> 1.5.2.  To install an updated configuration I basically do this:
>
>    - Run httpd -t to test httpd-ssl.conf.
>    - Run httpd -n "[service name]" -k restart to do a graceful restart
>    - Run net start | find /I "[service name]" > NUL and check ERRORLEVEL
>    to determine whether the server is started.
>    - Run an svn ls command to verify the AuthZSVNAccessFile.
>    - On any error, roll back the configuration, restart the server again,
>    and re-test to determine whether the roll back succeeded.
>
>
>
> With some AuthzSVNAccessFile parsing errors, the svn ls command will fail
> after the restart.  However, in one case I just found out about, the server
> appears to restart, and svn ls runs, but the new auth file doesn’t really
> seem to be active, because any subsequent changes don’t seem to be
> recognized.
>
>
>
> The parsing error we had was in the [groups] section.  Our ordinary format
> would look like this:
>
>
>
> [groups]
>
> GroupName = one, two, three, four
>
>
>
> The bad edit left it like this:
>
>
>
> [groups]
>
> GroupName = one, two twob, three, four
>
>
>
> Note the missing comma.
>
>
>
> I realize I can install a command-line grep to detect this specific case
> if nothing else, but is there a better way to detect this problem and maybe
> other syntax errors at the same time?  I’d really like something like httpd
> -t for the AuthzSVNAccessFile but I haven’t heard of such a thing.  I also
> scanned all the Apache logs and found nothing helpful.
>
>
>
> Some more configuration information:
>
>    - We have users authenticating from multiple domains
>    - SSPIOmitDomain On
>    - For some reason we had to specify an SSPIDomain and doing this with
>    one of our domains would let it work with the other, but the reverse was not
>    true.  Users are specified in the auth file without domains (though
>    initially I tried, and failed, to get it to work including domains).
>    - We use an SVNParentPath to allow multiple repositories under a single
>    <Location>
>    - SSPIOfferBasic On
>    - SSPIPerRequestAuth Off
>    - SSPIUsernameCase lower
>    - We use <LimitExcept GET PROPFIND OPTIONS REPORT> containing:  Require
>    Group *[Domain\\GroupName]*
>    - The auth file has [/] * = r for now, so as long as a user is in the
>    above-named group, they should be able to read everything.
>
>
>
> --Todd
>
>
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2360094
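
Added example, not part of the original thread and not the svnauthz-validate
tool linked in the replies: a small heuristic lint for the missing-comma edit
described in the first post, which also flags references to undefined groups
and access strings containing characters other than r and w. The function
names and the sample file are constructed for illustration; a user name that
legitimately contains a space would be reported as well.

```python
# Constructed sample: the bad edit quoted in the post, plus two other slips.
SAMPLE = """\
[groups]
GroupName = one, two twob, three, four
admins = @GroupName, five,
  six
[/]
* = r
@ghost = rx
"""

def parse(text):
    """Return [line_no, section, name, value] rows; indented lines continue a value."""
    section, rows = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace() and rows:
            rows[-1][3] += " " + line          # continuation of previous value
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        else:
            name, _, value = line.partition("=")
            rows.append([n, section, name.strip(), value.strip()])
    return rows

def lint_authz(text):
    """Return sorted (line_no, message) findings. Heuristic; not svn's own parser."""
    rows = parse(text)
    groups = {name for _, sec, name, _ in rows if sec == "groups"}
    out = []
    for n, sec, name, value in rows:
        if sec == "groups":
            for member in (m.strip() for m in value.split(",")):
                if len(member.split()) != 1:   # empty, or whitespace inside a name
                    out.append((n, f"bad member '{member}' in {name}: missing comma?"))
                elif member.startswith("@") and member[1:] not in groups:
                    out.append((n, f"undefined group {member}"))
        elif sec != "aliases":
            ref = name.lstrip("~")             # ~@group is an inverted group rule
            if ref.startswith("@") and ref[1:] not in groups:
                out.append((n, f"undefined group {ref}"))
            if set(value) - set("rw"):
                out.append((n, f"unexpected access '{value}'"))
    return sorted(out)

if __name__ == "__main__":
    print(*lint_authz(SAMPLE), sep="\n")
```

Run against the candidate file before the restart step in the procedure above, any finding can be treated like a failed httpd -t and trigger the rollback.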
