You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Norbert Thek <no...@thek.at> on 2006/02/24 14:17:34 UTC

Problem with SVN & Windows

Hello
I'm using svnserver under Windows
so far so good

The problem is, that I cannot authenticate my user?
I think I have an error in my authz file
*****
[groups]
theMasters = user1
[x:/xxxx/svn_repos/]
user1 = rw
[repositroy:/da]
user1 = rw
@theMasters = rw
*****
Is there some more detailed example or description of the authorization 
file?

I also post my svnserve.conf file, probalby my error is here
******
[general]
anon-access = read
auth-access = write
password-db = passwd
authz-db = authz
******


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Problem with SVN & Windows

Posted by Norbert Thek <th...@sbox.tugraz.at>.

Hello again

Norbert Thek schrieb:
> I also post my svnserve.conf file, probalby my error is here
> ******
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
> authz-db = authz
> ******
I changed the anon-access to "write"
but I still not able to checkin over svnserve
I always get following error:

x:\xxxxxxxxtest\Doc>svn ci -m "helloworld" diplom.bib
Sending        diplom.bib
Transmitting file data .svn: Commit failed (details follow):
svn: Access denied



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Anonymous access to root of edit operation fails ( was RE: Problem with SVN & Windows )

Posted by Lieven Govaerts <lg...@mobsol.be>.

Hi Michael, 

> -----Original Message-----
> From: Michael Hertling [mailto:hertling@ikp.tu-darmstadt.de] 
> 
...
> 
> (4) Nothing for [/] in authz and 'anon-access=read' in svnserve.conf:
>      --> Challenge for authentication and failure with the line:
>          "svn: Not authorized to open root of edit operation"
> 
> To me, cases (1-3) seem to be absolutely correct, but case 
> (4) - imho - reveals erroneous behaviour: Even if anonymous 
> access is prohibited by the default effect of the authz file, 
> i.e. no access at all, svnserve should be able to perform the 
> requested checkout when it receives a valid authentication. 
> Moreover, svn leaves an empty working directory with just the 
> .svn subdirectory in it; normally, it doesn't do that if an 
> authentication simply fails.

I was a bit surprised by this behaviour, so I stepped through the code to
check what exactly happens ( code on svn trunk, but I think behaviour is the
same as svn 1.3 ). I checked read behaviour by doing an update of the trunk
folder of my test repository.

Authentication works in three steps:
1. Repository wide check, will allow anonymous access if possible, otherwise
request credentials. This check is based purely on the anon-access property.
2. Opens the root folder of your request ( not the root of the repository!
). If anon-access=read but path-based authz fails, no credentials are asked!
3. CD's recursively in the subfolders. If anonymous access fails for one of
these folders, request credentials. That user will be used for all other
authz checks.

Step 2 is the check which fails with an 'Not authorized to open root of edit
operation' error. I'm not sure why it isn't asking for credentials here. I
suppose it should, because the current result is that an action on a working
copy fails or succeeds depending on which folder you start the action.
I try to get some more information whether or not this is expected behaviour
( but I'm already working on another authz issue, so this might take some
time ).

I think this is not only Windows specific either, just a consequence of the
new path-based authz mechanism in svn 1.3 .
> > [..] You have to give users
> > read rights on the root of your repository of you want to 
> allow them 
> > write access somewhere deeper in the repository ( bug in 
> svnserve 1.3 )!
> 
> Is that bug perhaps related to the behaviour mentioned above? 
> The user in case (4) has full access to the whole repository, 
> and the failure already appears at the checkout, i.e. reading stage.

The bug I was talking about is issue 2486, it only shows up in the commit
stage. 

Lieven.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Problem with SVN & Windows

Posted by Michael Hertling <he...@ikp.tu-darmstadt.de>.

On Sat, 25 Feb 2006, Lieven Govaerts wrote:

> The correct syntax would be ( example access rights )
>
> [groups]
> theMasters = user1
> admins = admin1, admin2
>
> [/]    # <- root folder of your repository
> * = r
> @admins = rw
>
> [/da]  # da subfolder in your repository
> @theMasters = rw

[...]

> If you want to specify access per folders with the authz file, put this in
> your svnserve.conf:
>
> anon-access = none
> auth-access = write
>
> You cannot use anonymous access when using authz! [...]

Hi Lieven, hi everybody,

does this mean there's no way to operate anonymously on a repository for 
which the authz-db directive is set in svnserve.conf? The release notes 
for Subversion 1.3 states under "Path-based authorization for svnserve":

'[...] In order to access a path, both the "blanket" directives and 
per-path authz file must allow access.'

For this reason, your suggestion '* = r' for [/] in authz should be 
without any effect when 'anon-access=none' in svnserve.conf forbids 
anonymous access in general.

This aspect is rather interesting for me, but I don't fully understand 
it. Particularly the combination of access rules in svnserve.conf and 
the authz file seems somewhat obscure to me. E.g., I can observe the 
following cases with an account having full read/write access to a 
repository's root:

(1) '* = r' for [/] in authz and 'anon-access=none' in svnserve.conf:
     --> Challenge for authentication and subsequent checkout.

(2) Nothing for [/] in authz and 'anon-access=none' in svnserve.conf:
     --> Challenge for authentication and subsequent checkout.

(3) '* = r' for [/] in authz and 'anon-access=read' in svnserve.conf:
     --> Anonymous checkout leaving out paths with '* = ' in effect.
         The user wasn't authenticated at the repository afore.

(4) Nothing for [/] in authz and 'anon-access=read' in svnserve.conf:
     --> Challenge for authentication and failure with the line:
         "svn: Not authorized to open root of edit operation"

To me, cases (1-3) seem to be absolutely correct, but case (4) - imho - 
reveals erroneous behaviour: Even if anonymous access is prohibited by 
the default effect of the authz file, i.e. no access at all, svnserve 
should be able to perform the requested checkout when it receives a 
valid authentication. Moreover, svn leaves an empty working directory 
with just the .svn subdirectory in it; normally, it doesn't do that if 
an authentication simply fails.

> [..] You have to give users
> read rights on the root of your repository of you want to allow them write
> access somewhere deeper in the repository ( bug in svnserve 1.3 )!

Is that bug perhaps related to the behaviour mentioned above? The user 
in case (4) has full access to the whole repository, and the failure 
already appears at the checkout, i.e. reading stage.

Any clarifications will be greatly appreciated, thanks in advance.

Regards,

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Problem with SVN & Windows

Posted by Norbert Thek <th...@sbox.tugraz.at>.

Thanks it helped

Right know I don' understand what I was thinking

regards
Norbert

Lieven Govaerts schrieb:
> Norbert, 
>
> I don't really understand what you're trying to do in the authz file, 
> so let's try to see what's going wrong there.
>
>   
>> -----Original Message-----
>> From: Norbert Thek [mailto:norbert@thek.at] 
>>
>> Hello
>> I'm using svnserver under Windows
>> so far so good
>>     
>
> You're using svnserve, so that means you have one authz per repository. 
> The authz file contains a section per folder in your repository for
> which you want to specify the access rights. 
>
>   
>> The problem is, that I cannot authenticate my user?
>> I think I have an error in my authz file
>> *****
>> [groups]
>> theMasters = user1
>> [x:/xxxx/svn_repos/]
>> user1 = rw
>> [repositroy:/da]
>> user1 = rw
>> @theMasters = rw
>> *****
>> Is there some more detailed example or description of the 
>> authorization file?
>>     
>
> The correct syntax would be ( example access rights )
>
> [groups]
> theMasters = user1
> admins = admin1, admin2
>
> [/]    # <- root folder of your repository
> * = r
> @admins = rw
>
> [/da]  # da subfolder in your repository
> @theMasters = rw
>
>   
>> I also post my svnserve.conf file, probalby my error is here
>> ******
>> [general]
>> anon-access = read
>> auth-access = write
>> password-db = passwd
>> authz-db = authz
>> ******
>>     
>
> If you want to specify access per folders with the authz file, put this in 
> your svnserve.conf:
>
> anon-access = none
> auth-access = write
>
> You cannot use anonymous access when using authz! You have to give users
> read rights on the root of your repository of you want to allow them write
> access somewhere deeper in the repository ( bug in svnserve 1.3 )!
>
> Hope this makes thing a litte bit more clear,
>
> Lieven.
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Problem with SVN & Windows

Posted by Lieven Govaerts <lg...@mobsol.be>.

Norbert, 

I don't really understand what you're trying to do in the authz file, 
so let's try to see what's going wrong there.

> -----Original Message-----
> From: Norbert Thek [mailto:norbert@thek.at] 
> 
> Hello
> I'm using svnserver under Windows
> so far so good

You're using svnserve, so that means you have one authz per repository. 
The authz file contains a section per folder in your repository for
which you want to specify the access rights. 

> The problem is, that I cannot authenticate my user?
> I think I have an error in my authz file
> *****
> [groups]
> theMasters = user1
> [x:/xxxx/svn_repos/]
> user1 = rw
> [repositroy:/da]
> user1 = rw
> @theMasters = rw
> *****
> Is there some more detailed example or description of the 
> authorization file?

The correct syntax would be ( example access rights )

[groups]
theMasters = user1
admins = admin1, admin2

[/]    # <- root folder of your repository
* = r
@admins = rw

[/da]  # da subfolder in your repository
@theMasters = rw

> 
> I also post my svnserve.conf file, probalby my error is here
> ******
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
> authz-db = authz
> ******

If you want to specify access per folders with the authz file, put this in 
your svnserve.conf:

anon-access = none
auth-access = write

You cannot use anonymous access when using authz! You have to give users
read rights on the root of your repository of you want to allow them write
access somewhere deeper in the repository ( bug in svnserve 1.3 )!

Hope this makes thing a litte bit more clear,

Lieven.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org