Posted to users@subversion.apache.org by Philippe Andersson <pa...@iba-group.com> on 2013/05/28 09:52:10 UTC

Authentication proxy for slave Subversion repos

Hello list,

We're starting to create slave Subversion repos for installation on
remote sites. All of them will svnsync against a single central master
at headquarters.

Now the question: we would like all users on the remote sites to
authenticate against the master (to avoid having to replicate that info
as well to the slave servers). The authentication on the master is
handled through Apache.

Is it possible to configure the slave servers to proxy the
authentication requests against the master ?

Any hint is welcome.

TIA

Cheers. Bye.

Ph. A.

-- 

*Philippe Andersson*
Unix System Administrator
IBA Particle Therapy |
Tel: +32-10-475.983
Fax: +32-10-487.707
eMail: pan@iba-group.com
<http://www.iba-worldwide.com>



Re: Authentication proxy for slave Subversion repos

Posted by Branko Čibej <br...@wandisco.com>.
On 29.05.2013 13:54, Nico Kadel-Garcia wrote:
> On Tue, May 28, 2013 at 7:19 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>>> Hello list,
>>>
>>> We're starting to create slave Subversion repos for installation on
>>> remote sites. All of them will svnsync against a single central master
>>> at headquarters.
>>>
>>> Now the question: we would like all users on the remote sites to
>>> authenticate against the master (to avoid having to replicate that info
>>> as well to the slave servers). The authentication on the master is
>>> handled through Apache.
>>>
>>> Is it possible to configure the slave servers to proxy the
>>> authentication requests against the master ?
>> It's certainly possible (e.g., if you use LDAP authentication you could
>> configure an LDAPAuthURL that points to HQ), but whoever has access to
>> the slave's httpd.conf will be able to disable/change those settings.
> If I may suggest? You're re-inventing yet another in a whole set of
> wheels for high availability support. Why not just buy the whole Land
> Rover to start with, talk to our friends and colleagues over at
> www.wandisco.com, and check out their commercial support for
> multi-master setups for Subversion?

There are valid reasons for not doing that. :)

For example, the ASF uses a setup very similar to what was proposed: we
have a master repository server in the US, and a slave in the EU, which
runs mod_dav_svn in its master/slave proxy mode and uses svnsync (driven
by svnpubsub) to keep in step with the master. Both servers authenticate
against the same replicated LDAP.

-- Brane

-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com


Re: Authentication proxy for slave Subversion repos

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Tue, May 28, 2013 at 7:19 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>> Hello list,
>>
>> We're starting to create slave Subversion repos for installation on
>> remote sites. All of them will svnsync against a single central master
>> at headquarters.
>>
>> Now the question: we would like all users on the remote sites to
>> authenticate against the master (to avoid having to replicate that info
>> as well to the slave servers). The authentication on the master is
>> handled through Apache.
>>
>> Is it possible to configure the slave servers to proxy the
>> authentication requests against the master ?
>
> It's certainly possible (e.g., if you use LDAP authentication you could
> configure an LDAPAuthURL that points to HQ), but whoever has access to
> the slave's httpd.conf will be able to disable/change those settings.

If I may suggest? You're re-inventing yet another in a whole set of
wheels for high availability support. Why not just buy the whole Land
Rover to start with, talk to our friends and colleagues over at
www.wandisco.com, and check out their commercial support for
multi-master setups for Subversion? With all the work they've done to
provide genuine multi-master support, I'm sure they've devoted good
support to shared authentication. In fact, I'm sure the shared
authentication is built into numerous Apache modules such as mirrored
flat text file account management distributed through cfengine or
chef, LDAP with Kerberos, NIS, or a dozen other services.

Re: Authentication proxy for slave Subversion repos

Posted by Nico Kadel-Garcia <nk...@gmail.com>.
On Wed, May 29, 2013 at 3:03 AM, Philippe Andersson <pa...@iba-group.com> wrote:
> Hello Daniel,
>
> Thanks a lot for your reply, first of all.
>
> On 29/05/13 01:19, Daniel Shahaf wrote:
>> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>>> Hello list,
>>>
>>> We're starting to create slave Subversion repos for installation on
>>> remote sites. All of them will svnsync against a single central master
>>> at headquarters.
>>>
>>> Now the question: we would like all users on the remote sites to
>>> authenticate against the master (to avoid having to replicate that info
>>> as well to the slave servers). The authentication on the master is
>>> handled through Apache.
>>>
>>> Is it possible to configure the slave servers to proxy the
>>> authentication requests against the master ?
>>
>> It's certainly possible (e.g., if you use LDAP authentication you could
>> configure an LDAPAuthURL that points to HQ),
> In our case, we use "AuthType Basic" on the master server, so there is
> no URL, just paths to the users and groups file. The password file for
> the Subversion users is generated by a script based on the NIS password
> file. Would it work in this case as well ?
>
>> but whoever has access to
>> the slave's httpd.conf will be able to disable/change those settings.
> This is of no real consequence to us, as we can trust the sysadmins for
> the remote replicas.
>
> Cheers. Bye.
>
> Ph. A.

As long as you've got consistent NIS services in the remote site,
sure. You can even run an NIS slave remotely to stay mirrored to
upstream, and consider running the remote repositories as read-only
repositories. But NIS is becoming really seriously outdated. And its
support for local root users to do "ypcat shadow" and then run
best-guess password crackers against the encrypted passwords is a long
standing security risk.

Re: Authentication proxy for slave Subversion repos

Posted by Philippe Andersson <pa...@iba-group.com>.
Hello Daniel,

Thanks a lot for your reply, first of all.

On 29/05/13 01:19, Daniel Shahaf wrote:
> Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
>> Hello list,
>>
>> We're starting to create slave Subversion repos for installation on
>> remote sites. All of them will svnsync against a single central master
>> at headquarters.
>>
>> Now the question: we would like all users on the remote sites to
>> authenticate against the master (to avoid having to replicate that info
>> as well to the slave servers). The authentication on the master is
>> handled through Apache.
>>
>> Is it possible to configure the slave servers to proxy the
>> authentication requests against the master ?
> 
> It's certainly possible (e.g., if you use LDAP authentication you could
> configure an LDAPAuthURL that points to HQ),
In our case, we use "AuthType Basic" on the master server, so there is
no URL, just paths to the users and groups file. The password file for
the Subversion users is generated by a script based on the NIS password
file. Would it work in this case as well ?

> but whoever has access to
> the slave's httpd.conf will be able to disable/change those settings.
This is of no real consequence to us, as we can trust the sysadmins for
the remote replicas.

Cheers. Bye.

Ph. A.




Re: Authentication proxy for slave Subversion repos

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Philippe Andersson wrote on Tue, May 28, 2013 at 09:52:10 +0200:
> Hello list,
> 
> We're starting to create slave Subversion repos for installation on
> remote sites. All of them will svnsync against a single central master
> at headquarters.
> 
> Now the question: we would like all users on the remote sites to
> authenticate against the master (to avoid having to replicate that info
> as well to the slave servers). The authentication on the master is
> handled through Apache.
> 
> Is it possible to configure the slave servers to proxy the
> authentication requests against the master ?

It's certainly possible (e.g., if you use LDAP authentication you could
configure an LDAPAuthURL that points to HQ), but whoever has access to
the slave's httpd.conf will be able to disable/change those settings.
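
An added configuration example, not taken from any post in this thread: a slave httpd that runs mod_dav_svn in its master/slave proxy mode (as in the ASF setup described above) and checks passwords against an LDAP server at HQ (as suggested in the reply above) through mod_authnz_ldap's AuthLDAPURL directive. It assumes Apache httpd 2.4 with mod_dav_svn, mod_authnz_ldap, mod_proxy, mod_proxy_http and mod_ssl loaded; every hostname, path, DN and IP address is a placeholder.

```apache
# Slave (replica) httpd configuration. All names below are placeholders.

# Needed because the master URI below is https and writes are proxied to it.
SSLProxyEngine on

# Client-facing location: reads are served from the local mirror, writes
# are passed through to the master by mod_dav_svn's proxy mode.
<Location "/svn">
    DAV svn
    SVNPath "/var/svn/repos"
    SVNMasterURI "https://svn-master.example.com/svn"

    # Passwords are checked against the directory at HQ, so no user or
    # password file has to be replicated to this host. To use a local
    # LDAP replica instead, change only the host in AuthLDAPURL.
    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap-hq.example.com/ou=people,dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=svn-replica,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"
    Require valid-user

    # Basic auth sends the password with every request: refuse plain HTTP.
    SSLRequireSSL
</Location>

# Location that svnsync, run from the master, writes to. Only the master's
# address may reach it, so clients cannot commit to the mirror directly.
<Location "/svn-proxy-sync">
    DAV svn
    SVNPath "/var/svn/repos"
    Require ip 192.0.2.10
</Location>
```

Because anyone who can edit the slave's httpd.conf can change these settings, the master should keep its own authentication and authorization configuration for the proxied writes rather than trusting the slave's decision.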