You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Be...@wellsfargo.com on 2010/12/31 17:04:02 UTC
On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
I'm trying to integrate a SVN Authz authorization file with apache configuration files to provide a solution for not just directory level restrictions, but also file level restrictions. It's my understanding that the SVN Authorization file is not capable of handling file-specific restrictions, only directory level.
The SVN Authz file is set up and i'm able to use it with absolutely no issues what-so-ever. If I switch to using just the Apache Conf file by itself, it works exactly as expected with no issues. But if I combine them I get something very weird. Everything works just fine, except the trying to commit the file that was restricted by the following Location/Limit:
<Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
<Limit PUT>
Require user my_username
</Limit>
</Location>
I'm able to view, update, and checkout the file, and am able to do anything (checkout, commit, etc) to other files in the same directory, but when I attempt perform a commit of changes to the "RestrictedFile", I get the following error:
Error: Commit failed (details follow):
Error: Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
Error: request for '/subversion/repo/!svn/ver/110/folder/structure/RestrictedFile'
the apache access log file gives me the following:
ip_address - - [30/Dec/2010:15:49:58 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 401 1337
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 -
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 816
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 195
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "MKACTIVITY /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 201 234
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/!svn/vcc/default HTTP/1.1" 207 414
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/bln/110 HTTP/1.1" 201 250
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPPATCH /subversion/repo/!svn/wbl/71f51505-a174-8349-ab61-843f80a40f8f/110 HTTP/1.1" 207 469
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 526
ip_address - - [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/ver/110/folder/structure/RestrictedFile HTTP/1.1" 403 1021
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "DELETE /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 204 -
If I remove the <Location...> entry listed above, i'm able to commit just fine.
My svnauthz file basically has this:
[/]
* =
my_username = rw
If I change "* = " to "* = r", I get the same issue. If I change it to "* = rw", I'm able to commit.
Benjamin Ortega
Benjamin Ortega
----------------------------------------------
Operations Systems Engineer
Wells Fargo Bank, Des Moines, IA
CORE Build & Deploy Team
* : Benjamin.Ortega@WellsFargo.com<ma...@WellsFargo.com>
* : 515-720-2700 (cell)
MAC: X2301-01X
This transmission may contain information that is confidential and/or proprietary. If you are not the individual or entity to which it is addressed, note that any review, disclosure, copying, retransmission, or other use is strictly prohibited. If you received this transmission in error, please notify the sender immediately and delete the material from your system.
RE: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Be...@wellsfargo.com.
You've definitely given me enough to work off here, thanks!
Benjamin Ortega
-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com]
Sent: Monday, January 03, 2011 9:18 AM
To: Ortega, Benjamin
Cc: users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
On Mon, Jan 3, 2011 at 10:13 AM, <Be...@wellsfargo.com> wrote:
> Wow...for some reason I was under the impression that file level restrictions didn't work...I really don't know why, but there it is.
>
> I don't suppose there's a way to use wild cards in the path as well?
Wild-cards are not supported in authz.
If you only needed this to protect writes, then you can do it with a
pre-commit hook. The SVN repository contains svnperms.py which can do
this:
http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/
However, if you need to protect read access, you cannot do it via a
hook and the Subversion authz module does not support wildcards.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Johan Corveleyn <jc...@gmail.com>.
On Mon, Jan 3, 2011 at 4:18 PM, Mark Phippard <ma...@gmail.com> wrote:
> On Mon, Jan 3, 2011 at 10:13 AM, <Be...@wellsfargo.com> wrote:
>> Wow...for some reason I was under the impression that file level restrictions didn't work...I really don't know why, but there it is.
>>
>> I don't suppose there's a way to use wild cards in the path as well?
>
> Wild-cards are not supported in authz.
>
> If you only needed this to protect writes, then you can do it with a
> pre-commit hook. The SVN repository contains svnperms.py which can do
> this:
>
> http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/
>
> However, if you need to protect read access, you cannot do it via a
> hook and the Subversion authz module does not support wildcards.
Also, see:
http://subversion.tigris.org/issues/show_bug.cgi?id=2662 - authz with wildcards
Still an open issue however ...
Cheers,
--
Johan
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Stephen Connolly <st...@gmail.com>.
a post-commit hook or a crontab coils update the file to keep the security
on newly created branches (top post a result of this stupid phone... sorry)
- Stephen
---
Sent from my Android phone, so random spelling mistakes, random nonsense
words and other nonsense are a direct result of using swype to type on the
screen
On 3 Jan 2011 15:18, "Mark Phippard" <ma...@gmail.com> wrote:
> On Mon, Jan 3, 2011 at 10:13 AM, <Be...@wellsfargo.com> wrote:
>> Wow...for some reason I was under the impression that file level
restrictions didn't work...I really don't know why, but there it is.
>>
>> I don't suppose there's a way to use wild cards in the path as well?
>
> Wild-cards are not supported in authz.
>
> If you only needed this to protect writes, then you can do it with a
> pre-commit hook. The SVN repository contains svnperms.py which can do
> this:
>
> http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/
>
> However, if you need to protect read access, you cannot do it via a
> hook and the Subversion authz module does not support wildcards.
>
>
> --
> Thanks
>
> Mark Phippard
> http://markphip.blogspot.com/
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Mark Phippard <ma...@gmail.com>.
On Mon, Jan 3, 2011 at 10:13 AM, <Be...@wellsfargo.com> wrote:
> Wow...for some reason I was under the impression that file level restrictions didn't work...I really don't know why, but there it is.
>
> I don't suppose there's a way to use wild cards in the path as well?
Wild-cards are not supported in authz.
If you only needed this to protect writes, then you can do it with a
pre-commit hook. The SVN repository contains svnperms.py which can do
this:
http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/
However, if you need to protect read access, you cannot do it via a
hook and the Subversion authz module does not support wildcards.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
RE: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Be...@wellsfargo.com.
Wow...for some reason I was under the impression that file level restrictions didn't work...I really don't know why, but there it is.
I don't suppose there's a way to use wild cards in the path as well? Like:
[repos:/folder/structure/*/RestrictedFile]
To allow for one entry restricting access to the same file in multiple branches, etc? Just for ease of admin is all.
Benjamin Ortega
-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com]
Sent: Monday, January 03, 2011 8:59 AM
To: Ortega, Benjamin
Cc: users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
On Mon, Jan 3, 2011 at 9:55 AM, <Be...@wellsfargo.com> wrote:
> I suppose another fundamental question in all this -- Is there any other way to provide file level restrictions
> while using the svn authz file for authorization?
Can you explain why you cannot just add a rule to the file like this:
[repos:/folder/structure/RestrictedFile]
* =
my_username = rw
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Mark Phippard <ma...@gmail.com>.
On Mon, Jan 3, 2011 at 9:55 AM, <Be...@wellsfargo.com> wrote:
> I suppose another fundamental question in all this -- Is there any other way to provide file level restrictions
> while using the svn authz file for authorization?
Can you explain why you cannot just add a rule to the file like this:
[repos:/folder/structure/RestrictedFile]
* =
my_username = rw
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
RE: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Be...@wellsfargo.com.
I suppose another fundamental question in all this -- Is there any other way to provide file level restrictions while using the svn authz file for authorization?
Benjamin Ortega
-----Original Message-----
From: Benjamin.Ortega@wellsfargo.com [mailto:Benjamin.Ortega@wellsfargo.com]
Sent: Monday, January 03, 2011 8:44 AM
To: markphip@gmail.com
Cc: users@subversion.apache.org
Subject: RE: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
The /*/*/*/ in the path is to compensate for the temporary location /!svn/ver/<revision>/. This works without the svnauthz file in place.
Is there an internal user that the subversion server utilizes to perform the checkout of the last-committed-revision of the file prior to the put? That seems to be what is holding this up. It doesn't try to use my username to do this. That seems to be the case, as my user should have access to the file, but also to the temporary location. With the "* =" at the beginning of the svnauthz file restricting all users, it fails with a 403, but if I give rw to * it works. Note in the apache access log that the activities using my id are successful, but the activities that just have a - where the username would be are unsuccessful, the first one, of course, triggering a prompt for authentication, but the checkout towards the end just failing with a 403.
ip_address - - [30/Dec/2010:15:49:58 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 401 1337
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 -
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 816
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 195
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "MKACTIVITY /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 201 234
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/!svn/vcc/default HTTP/1.1" 207 414
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/bln/110 HTTP/1.1" 201 250
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPPATCH /subversion/repo/!svn/wbl/71f51505-a174-8349-ab61-843f80a40f8f/110 HTTP/1.1" 207 469
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 526
ip_address - - [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/ver/110/folder/structure/RestrictedFile HTTP/1.1" 403 1021
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "DELETE /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 204 -
Benjamin Ortega
-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com]
Sent: Monday, January 03, 2011 8:33 AM
To: Ortega, Benjamin
Cc: users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
On Fri, Dec 31, 2010 at 11:04 AM, <Be...@wellsfargo.com> wrote:
> I'm trying to integrate a SVN Authz authorization file with apache
> configuration files to provide a solution for not just directory level
> restrictions, but also file level restrictions. It's my understanding that
> the SVN Authorization file is not capable of handling file-specific
> restrictions, only directory level.
This is not true. SVN authz manages "paths" and a path can be a
directory or a file. Of course it has to be the full path to the file
as there is no wild-card support.
> <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> <Limit PUT>
> Require user my_username
> </Limit>
> </Location>
I am not aware of being able to define rules for paths within a
repository this way. When the SVN client does the commit it does so
against a temporary path, so you cannot use paths in your repository.
I do believe there are people that have written rules against the
temporary paths and if you did so properly then it might work.
That said, I am also not confident that you can successfully mix the
Subversion authz file with the other Apache require directives. I
have tried in the past to mix authz with the require-ldap-group
directive and the two just do not mix as these directives become
additive. Meaning if either directive would allow the user access
then they get access and you do not get the restrictive behavior of
authz that is desired.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
RE: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Be...@wellsfargo.com.
The /*/*/*/ in the path is to compensate for the temporary location /!svn/ver/<revision>/. This works without the svnauthz file in place.
Is there an internal user that the subversion server utilizes to perform the checkout of the last-committed-revision of the file prior to the put? That seems to be what is holding this up. It doesn't try to use my username to do this. That seems to be the case, as my user should have access to the file, but also to the temporary location. With the "* =" at the beginning of the svnauthz file restricting all users, it fails with a 403, but if I give rw to * it works. Note in the apache access log that the activities using my id are successful, but the activities that just have a - where the username would be are unsuccessful, the first one, of course, triggering a prompt for authentication, but the checkout towards the end just failing with a 403.
ip_address - - [30/Dec/2010:15:49:58 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 401 1337
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 -
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 816
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "OPTIONS /subversion/repo/folder/structure HTTP/1.1" 200 195
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "MKACTIVITY /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 201 234
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/!svn/vcc/default HTTP/1.1" 207 414
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/bln/110 HTTP/1.1" 201 250
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPPATCH /subversion/repo/!svn/wbl/71f51505-a174-8349-ab61-843f80a40f8f/110 HTTP/1.1" 207 469
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "PROPFIND /subversion/repo/folder/structure HTTP/1.1" 207 526
ip_address - - [30/Dec/2010:15:49:59 -0600] "CHECKOUT /subversion/repo/!svn/ver/110/folder/structure/RestrictedFile HTTP/1.1" 403 1021
ip_address - my_username [30/Dec/2010:15:49:59 -0600] "DELETE /subversion/repo/!svn/act/71f51505-a174-8349-ab61-843f80a40f8f HTTP/1.1" 204 -
Benjamin Ortega
----------------------------------------------
Operations Systems Engineer
Wells Fargo Bank, Des Moines, IA
CORE Build & Deploy Team
C : Benjamin.Ortega@WellsFargo.com
: 515-720-2700 (cell)
MAC: X2301-01X
This transmission may contain information that is confidential and/or proprietary. If you are not the individual or entity to which it is addressed, note that any review, disclosure, copying, retransmission, or other use is strictly prohibited. If you received this transmission in error, please notify the sender immediately and delete the material from your system.
-----Original Message-----
From: Mark Phippard [mailto:markphip@gmail.com]
Sent: Monday, January 03, 2011 8:33 AM
To: Ortega, Benjamin
Cc: users@subversion.apache.org
Subject: Re: On commit attempt, Server sent unexpected return value (403 Forbidden) in response to CHECKOUT
On Fri, Dec 31, 2010 at 11:04 AM, <Be...@wellsfargo.com> wrote:
> I'm trying to integrate a SVN Authz authorization file with apache
> configuration files to provide a solution for not just directory level
> restrictions, but also file level restrictions. It's my understanding that
> the SVN Authorization file is not capable of handling file-specific
> restrictions, only directory level.
This is not true. SVN authz manages "paths" and a path can be a
directory or a file. Of course it has to be the full path to the file
as there is no wild-card support.
> <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> <Limit PUT>
> Require user my_username
> </Limit>
> </Location>
I am not aware of being able to define rules for paths within a
repository this way. When the SVN client does the commit it does so
against a temporary path, so you cannot use paths in your repository.
I do believe there are people that have written rules against the
temporary paths and if you did so properly then it might work.
That said, I am also not confident that you can successfully mix the
Subversion authz file with the other Apache require directives. I
have tried in the past to mix authz with the require-ldap-group
directive and the two just do not mix as these directives become
additive. Meaning if either directive would allow the user access
then they get access and you do not get the restrictive behavior of
authz that is desired.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Mark Phippard wrote on Mon, Jan 03, 2011 at 09:32:49 -0500:
> On Fri, Dec 31, 2010 at 11:04 AM, <Be...@wellsfargo.com> wrote:
> > I'm trying to integrate a SVN Authz authorization file with apache
> > configuration files to provide a solution for not just directory level
> > restrictions, but also file level restrictions. It's my understanding that
> > the SVN Authorization file is not capable of handling file-specific
> > restrictions, only directory level.
>
> This is not true. SVN authz manages "paths" and a path can be a
> directory or a file. Of course it has to be the full path to the file
> as there is no wild-card support.
>
> > <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> > <Limit PUT>
> > Require user my_username
> > </Limit>
> > </Location>
>
Did you mean <LocationMatch>?
(which takes a regex, not a glob, IIRC)
> I am not aware of being able to define rules for paths within a
> repository this way. When the SVN client does the commit it does so
> against a temporary path, so you cannot use paths in your repository.
> I do believe there are people that have written rules against the
> temporary paths and if you did so properly then it might work.
>
> That said, I am also not confident that you can successfully mix the
> Subversion authz file with the other Apache require directives. I
> have tried in the past to mix authz with the require-ldap-group
> directive and the two just do not mix as these directives become
> additive. Meaning if either directive would allow the user access
> then they get access and you do not get the restrictive behavior of
> authz that is desired.
>
> --
> Thanks
>
> Mark Phippard
> http://markphip.blogspot.com/
Re: On commit attempt, Server sent unexpected return value (403
Forbidden) in response to CHECKOUT
Posted by Mark Phippard <ma...@gmail.com>.
On Fri, Dec 31, 2010 at 11:04 AM, <Be...@wellsfargo.com> wrote:
> I'm trying to integrate a SVN Authz authorization file with apache
> configuration files to provide a solution for not just directory level
> restrictions, but also file level restrictions. It's my understanding that
> the SVN Authorization file is not capable of handling file-specific
> restrictions, only directory level.
This is not true. SVN authz manages "paths" and a path can be a
directory or a file. Of course it has to be the full path to the file
as there is no wild-card support.
> <Location "/subversion/repo/*/*/*/folder/structure/RestrictedFile">
> <Limit PUT>
> Require user my_username
> </Limit>
> </Location>
I am not aware of being able to define rules for paths within a
repository this way. When the SVN client does the commit it does so
against a temporary path, so you cannot use paths in your repository.
I do believe there are people that have written rules against the
temporary paths and if you did so properly then it might work.
That said, I am also not confident that you can successfully mix the
Subversion authz file with the other Apache require directives. I
have tried in the past to mix authz with the require-ldap-group
directive and the two just do not mix as these directives become
additive. Meaning if either directive would allow the user access
then they get access and you do not get the restrictive behavior of
authz that is desired.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/