Posted to dev@subversion.apache.org by Robert Spier <rs...@pobox.com> on 2003/05/27 04:00:05 UTC

mod_dav_svn: apache authentication

I've hunted through the archives and the documentation, and I've come
to the unhappy conclusion that when using apache (mod_dav_svn), the
only way to selectively control write access is with a pre-commit
hook.

The reason: operations that modify the repository tend to use a URL
such as: /repos/!svn/act/90790d4d-32be-0310-9aa5-d593d764d6b9 -- which
could be modifying almost anything, and there's no way for apache to
tell.

So, <Limit> can be used to granularly control _read_ access to the
repository, (because those happen at recognizable paths,) but not
write access.

A big hammer could be used, 
 <Location /repos/!svn/>
  <Limit>
   require group svncommit
  </Limit>
 </Location>

But, that means that anyone in the svncommit group can write to any
part of the repository.

Am I missing something obvious, or is this the way of the world?  If I
want granular commit controls, I have to use a pre-commit hook?

Thanks!

-R

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: mod_dav_svn: apache authentication

Posted by Robert Spier <rs...@pobox.com>.
> Which leads to the question (to the original poster): what's wrong with
> using a hook script?

Nothing is _wrong_ with it, but, as we're attempting to keep a unified
authentication system, it will be easier to maintain something that is
inside Apache, as opposed to "yet another" external system to
integrate with and synchronize.

-R


Re: mod_dav_svn: apache authentication

Posted by Ask Bjørn Hansen <as...@develooper.com>.
On Tuesday, May 27, 2003, at 11:21 US/Pacific, Brian Denny wrote:

> Which leads to the question (to the original poster): what's wrong with
> using a hook script?

One of the advantages of using SVN is that it otherwise integrates in 
the httpd environment.   We would like to use standard Apache modules 
to query our user database without having to export the users and 
passwords like we do with CVS.



  - ask

-- 
http://www.askbjoernhansen.com/



Re: mod_dav_svn: apache authentication

Posted by Brian Denny <br...@briandenny.net>.
On Tue, May 27, 2003 at 08:17:31PM +0200, Michael Süß wrote:
> 
> I could be wrong, but isn't this what the commit-access-control.pl hook script
> (located in the tools/hook-scripts subdir) is for?

The original poster indicated he knew about the hook script but was
hoping he could accomplish the access control through Apache
configuration.

Which leads to the question (to the original poster): what's wrong with
using a hook script?

-brian



Re: mod_dav_svn: apache authentication

Posted by Michael Süß <mi...@suessnetz.de>.
On Tuesday 27 May 2003 19:55, Robert Spier wrote:
> > | I've hunted through the archives and the documentation, and I've come
> > | to the unhappy conclusion that when using apache (mod_dav_svn), the
> > | only way to selectively control write access is with a pre-commit
> > | hook.
> >
> > There is some information in the SVN book about how to make the Apache
> > HTTP server require authorization for write-access while providing world
> > read-access.
> > http://svnbook.red-bean.com/book.html#svn-ch-5-sect-4.1
> > Read under "Permissions, Authentication, and Authorization".
>
> Mukund,
>
>     As I mentioned in my original message, the chapter in the book
>     doesn't deal with selective permissions.  It allows
>     whole-repository commits (or not.)
[snip]

I could be wrong, but isn't this what the commit-access-control.pl hook script
(located in the tools/hook-scripts subdir) is for?

Michael
-- 
"What we do in life, echos in eternity..."
Michael Suess 
GPG-Key: http://www.suessnetz.de/michael/michaelsuess.gpg
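
Added example, not part of the thread and not the commit-access-control.pl script mentioned above: a minimal pre-commit hook in Python that enforces per-path write access by inspecting the pending transaction with `svnlook author` and `svnlook changed`. The ACL table, user names and sample paths are hypothetical.

```python
#!/usr/bin/env python3
"""Pre-commit hook sketch: per-path write ACL checked against the transaction."""
import subprocess
import sys

# Hypothetical policy: path prefix -> users allowed to commit beneath it.
# The longest matching prefix wins; paths with no matching prefix are denied.
WRITE_ACL = {
    "project/trunk/": {"alice", "bob"},
    "project/trunk/docs/": {"carol"},
    "project/branches/": {"alice", "bob", "carol"},
}

# Constructed sample of `svnlook changed` output, for trying the check offline.
SAMPLE_CHANGED = "U   project/trunk/src/main.c\nA   project/trunk/docs/howto.txt\n"


def changed_paths(svnlook_output):
    """Extract paths from `svnlook changed` output (status flags, then path at column 4)."""
    return [line[4:] for line in svnlook_output.splitlines() if len(line) > 4]


def allowed_writers(path, acl=WRITE_ACL):
    """Return the user set of the longest prefix covering path, or an empty set."""
    matches = [prefix for prefix in acl if path.startswith(prefix)]
    return acl[max(matches, key=len)] if matches else set()


def denied_paths(author, svnlook_output, acl=WRITE_ACL):
    """List every changed path the author may not write to."""
    return [p for p in changed_paths(svnlook_output)
            if author not in allowed_writers(p, acl)]


def svnlook(subcommand, repos, txn):
    """Run svnlook against the uncommitted transaction."""
    return subprocess.run(["svnlook", subcommand, "-t", txn, repos],
                          check=True, capture_output=True, text=True).stdout


def main(argv):
    repos, txn = argv[1], argv[2]          # arguments Subversion passes to pre-commit
    author = svnlook("author", repos, txn).strip()
    denied = denied_paths(author, svnlook("changed", repos, txn))
    for path in denied:
        sys.stderr.write(f"{author} may not commit to {path}\n")
    return 1 if denied else 0              # non-zero exit rejects the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The author name the hook sees is the user Apache authenticated, so the hook only adds authorization on top of the existing httpd authentication setup.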



RE: mod_dav_svn: apache authentication

Posted by Sander Striker <st...@apache.org>.
> From: Robert Spier [mailto:rspier@pobox.com]
> Sent: Tuesday, May 27, 2003 7:55 PM

...
>   does not work, because SVN performs write operations using URL's
>   like this:
> 
>   /svn/!svn/act/90790d4d-32be-0310-9aa5-d593d764d6b9
> 
>   which obviously doesn't match the /svn/project/trunk location.

Take a look at subversion/mod_dav_svn/dav_svn.h*.  It lists the
exported functions in mod_dav_svn.  The dav_svn_split_uri function
is of particular interest (read the docstring).  I've been meaning
to dedicate some time to mod_authz_svn, but I just can't seem to be
able to allocate some to this.  Taking one of the httpd authz
modules as the basis, you should be able to implement this in very
little time though.

And FWIW, the url you pasted above needs to be accessible to all
users, read or write.  This is due to how svn up works.

HTH,

Sander

*) We should really move the dav_svn.h to include/mod_dav_svn.h, since
   this is clearly a public header file which (authz) module authors
   can use.



Re: mod_dav_svn: apache authentication

Posted by Robert Spier <rs...@pobox.com>.
> | I've hunted through the archives and the documentation, and I've come
> | to the unhappy conclusion that when using apache (mod_dav_svn), the
> | only way to selectively control write access is with a pre-commit
> | hook.
> There is some information in the SVN book about how to make the Apache HTTP
> server require authorization for write-access while providing world
> read-access.
> http://svnbook.red-bean.com/book.html#svn-ch-5-sect-4.1
> Read under "Permissions, Authentication, and Authorization".

Mukund,

    As I mentioned in my original message, the chapter in the book
    doesn't deal with selective permissions.  It allows
    whole-repository commits (or not.)

Re: mod_dav_svn: apache authentication

Posted by Mukund <mu...@tessna.com>.

On Mon, May 26, 2003 at 09:00:05PM -0700, Robert Spier wrote:
| 
| I've hunted through the archives and the documentation, and I've come
| to the unhappy conclusion that when using apache (mod_dav_svn), the
| only way to selectively control write access is with a pre-commit
| hook.
| 

Hi Robert

There is some information in the SVN book about how to make the Apache HTTP
server require authorization for write-access while providing world
read-access.

http://svnbook.red-bean.com/book.html#svn-ch-5-sect-4.1

Read under "Permissions, Authentication, and Authorization".


Mukund

