Posted to users@subversion.apache.org by Patricia A Moss <pm...@csc.com> on 2009/10/19 13:48:26 UTC
Read-Only Access
I am attempting to allow a single group access to a repository and to make
that access read-only. Here is my config file; however, it does not seem
to be making the group read-only. The members of the group can still
commit and make changes. Can someone tell me what I am missing? Thanks.
<Location /ProdDev>
  dav svn
  SVNPath /disk01/home/ProdDev
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName "CSC Subversion Repository"
  AuthLDAPBindDN FCGNET\xxxxxxx
  AuthLDAPBindPassword xxxxxxx
  AuthLDAPURL ldap://pant04.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
  </LimitExcept>
</Location>
PATI MOSS
System Engineer Sr. Professional
CSC
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2408970
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: Read-Only Access
Posted by Patricia A Moss <pm...@csc.com>.
> I believe your desire is for ANY user to have read access, but ONLY an
> ldap-group to have write access, correct? To configure Apache to only
> restrict write-access, use a <LimitExcept> directive instead, which would
> restrict everything *except* read methods:
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>   Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </LimitExcept>
My desire is to have only the LS Product Development group have only
Read-Only access to the repository. Which, if I understand how you
explained it, makes sense. This is so confusing to me.
Perhaps it would be easier if I could just make the repository Read-Only
to everyone. However, I am not sure of the correct way to do this either.
> I don't doubt you if you say the LDAP portion works, just wanted to make
> sure :)
> An easy way to test is to just copy that "Require ldap-group" directive
> to a "<Location>" block to require that LDAP to access a portion of the
> site, and confirm only members of the given LDAP group can access that
> area.
My repositories are already functioning. That is how I know that the LDAP
portion works. I am about to begin to move the repositories from one
server to another. Before I begin a dump I want to make the repository
Read-Only so that no one, who currently has access, can make any changes
while I dump and move.
PATI MOSS
System Engineer Sr. Professional
CSC
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409733
Re: Read-Only Access
Posted by Jake Stone <ja...@gmail.com>.
Patricia: When sending replies, don't forget to make sure you have
"users@subversion.tigris.org" in the CC: area of your email. Otherwise
you send replies to only me and not the whole list :-)
Actually, the following configuration you provided:
<Limit GET PROPFIND OPTIONS REPORT>
  Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
</Limit>
If used by itself, it would limit read access methods but NOT write access
methods, so I don't know what that would do if you had a user who didn't
satisfy the ldap-group requirement.
Understanding why requires some understanding of the <Limit> and
<LimitExcept> directives: The <Limit> directive essentially means "these
actions require that the below restrictions be satisfied for use". The
<LimitExcept> means "anything BUT these actions require that the below
restrictions be satisfied for use." So using only the <Limit> only
places a restriction on read-access, not any other methods. This is not
what you want (if I understand you correctly).
Note the svn-book chapter on Apache SVN control (online & free reference):
http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.serverconfig.httpd.authz
I believe your desire is for ANY user to have read access, but ONLY an
ldap-group to have write access, correct? To configure Apache to only
restrict write-access, use a <LimitExcept> directive instead, which
would restrict everything *except* read methods:
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
</LimitExcept>
This is an adoption of my own Apache configuration:
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require [Code-Write]
</LimitExcept>
I don't doubt you if you say the LDAP portion works, just wanted to make
sure :)
An easy way to test is to just copy that "Require ldap-group" directive
to a "<Location>" block to require that LDAP to access a portion of the
site, and confirm only members of the given LDAP group can access that area.
Incidentally, if your LDAP is a proper Windows Active Directory instance
on the same machine as Apache, you could use the (unmaintained) SSPI module:
http://sourceforge.net/projects/mod-auth-sspi/
It's what I use, and it allows me to run Apache authentication against AD
without having a read-only account and all that ldap-group configuration
shenanigans.
If you already have a working LDAP setup, however, it may not be worth
the trouble to investigate.
Hope this helps!
Patricia A Moss wrote:
>
> I already know that the LDAP portion works. I just needed to add more
> of a limitation by only allowing read access. So, according to your
> email, to allow only read access I should have the following in my
> location block; correct?
>
> <Limit GET PROPFIND OPTIONS REPORT>
>   Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </Limit>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
>
>
>
> From: Jake Stone <ja...@gmail.com>
> To: Patricia A Moss/GIS/CSC@CSC
> Cc: users@subversion.tigris.org
> Date: 10/19/2009 02:56 PM
> Subject: Re: Read-Only Access
>
>
> ------------------------------------------------------------------------
>
>
>
> Patricia A Moss wrote:
>
> I am attempting to allow a single group access to a repository and to
> make that access read-only. Here is my config file; however, it does
> not seem to be making the group read-only. The members of the group
> can still commit and make changes. Can someone tell me what I am
> missing? Thanks.
>
> <Location /ProdDev>
> dav svn
> SVNPath /disk01/home/ProdDev
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> AuthLDAPBindDN FCGNET\xxxxxxx
> AuthLDAPBindPassword xxxxxxx
> AuthLDAPURL ldap://pant04.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>   Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </LimitExcept>
> </Location>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
> You should first test your config with simple Apache password files;
> trying to debug LDAP and SVN at the same time is a bad idea.
> It seems you have the right LimitExcept, so if you got LDAP working
> correctly that should be right.
>
> I use LDAP for my SVN-Apache instance as well, and the below
> directives accomplish both read and write access control.
> You would need to satisfy [Code-Read] to even read the repository, and
> [Code-Write] to change it.
> Note the difference between LimitExcept and Limit.
>
> <Location /svn>
> .....
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require [Code-Write]
> </LimitExcept>
> <Limit GET PROPFIND OPTIONS REPORT>
> Require [Code-Read]
> </Limit>
> </Location>
>
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409487
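The <Limit> versus <LimitExcept> distinction explained in the reply above, worked through as an added example that is not from the thread or from Apache: a small Python model of how Apache 2.2 applies a Require to each HTTP method, assuming, as the reply states, that a method with no Require in effect is served without any authentication. The list of commit methods and the "deny-all" rule (standing in for an access-control deny inside <LimitExcept>) are the model's own assumptions.

```python
# Added model (not from the thread) of how Apache 2.2 applies <Limit> /
# <LimitExcept> + Require to the HTTP methods a Subversion client sends.
# Assumption, as the reply describes it: when no Require is in effect for
# a method, Apache performs no authentication and simply serves the request.

# Read methods named in the thread's <Limit>/<LimitExcept> sections.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
# DeltaV/WebDAV methods a commit uses (constructed list for this model).
WRITE_METHODS = {"MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH",
                 "MERGE", "DELETE", "COPY", "MOVE", "MKCOL"}

def limit(methods, rule):
    """<Limit methods> ... </Limit>: rule applies only to those methods."""
    return (lambda m: m in methods, rule)

def limit_except(methods, rule):
    """<LimitExcept methods>: rule applies to every method NOT listed."""
    return (lambda m: m not in methods, rule)

def allowed(config, method, user):
    """user is None (anonymous) or {'in_group': bool} for an LDAP user."""
    rules = [rule for applies, rule in config if applies(method)]
    if "deny-all" in rules:          # assumed access-control deny, before auth
        return False
    if not rules:                    # no Require in effect: served, no challenge
        return True
    if user is None:                 # a Require is in effect: 401 without credentials
        return False
    return any(r == "valid-user" or (r == "ldap-group" and user["in_group"])
               for r in rules)

# The <LimitExcept> block as posted: group members may write, anyone may read.
POSTED = [limit_except(READ_METHODS, "ldap-group")]
# <Limit> alone, as proposed in the thread: reads need the group, writes are open.
LIMIT_ONLY = [limit(READ_METHODS, "ldap-group")]
# Group read-only: reads need the group, every other method is refused.
GROUP_READ_ONLY = [limit(READ_METHODS, "ldap-group"),
                   limit_except(READ_METHODS, "deny-all")]

def matrix(config):
    """{who: (can read everything, can use some write method)} per user kind."""
    users = {"anonymous": None, "non-member": {"in_group": False},
             "member": {"in_group": True}}
    return {who: (all(allowed(config, m, u) for m in READ_METHODS),
                  any(allowed(config, m, u) for m in WRITE_METHODS))
            for who, u in users.items()}
```

Running matrix() over the three configurations shows why the posted block lets members commit, why <Limit> alone leaves commit methods open to everybody, and what combination actually yields a read-only group.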
Re: Read-Only Access
Posted by Jake Stone <ja...@gmail.com>.
Patricia A Moss wrote:
>
> I am attempting to allow a single group access to a repository and to
> make that access read-only. Here is my config file; however, it does
> not seem to be making the group read-only. The members of the group
> can still commit and make changes. Can someone tell me what I am
> missing? Thanks.
>
> <Location /ProdDev>
> dav svn
> SVNPath /disk01/home/ProdDev
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthName "CSC Subversion Repository"
> AuthLDAPBindDN FCGNET\xxxxxxx
> AuthLDAPBindPassword xxxxxxx
> AuthLDAPURL ldap://pant04.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>   Require ldap-group CN=FCG LS Product Development,OU=U.S.,OU=Groups,DC=fcg,DC=com
> </LimitExcept>
> </Location>
>
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC
You should first test your config with simple Apache password files;
trying to debug LDAP and SVN at the same time is a bad idea.
It seems you have the right LimitExcept, so if you got LDAP working
correctly that should be right.
I use LDAP for my SVN-Apache instance as well, and the below directives
accomplish both read and write access control.
You would need to satisfy [Code-Read] to even read the repository, and
[Code-Write] to change it.
Note the difference between LimitExcept and Limit.
<Location /svn>
.....
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require [Code-Write]
</LimitExcept>
<Limit GET PROPFIND OPTIONS REPORT>
Require [Code-Read]
</Limit>
</Location>
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2409093