You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Todd, David" <dt...@irobot.com> on 2008/02/05 15:58:11 UTC

[users@httpd] Viewvc, kerberos and Location directives, an ordering problem?

I am trying to use viewvc to let my users browse the code base in our svn
repositories. We have a number of them.

Some of them must have restricted access, but at the same time, want to be
in a hierarchy with others that have a different access group.

The authentication takes place using kerberos. I doubt that's involved, but
I mention it just in case.

This is on an apache 2.0.52 server, on RHEL4.

I have two locations:

   <Location ~ "/viewvc/gni/?.*">
     AllowOverride None
     AuthType Kerberos
     AuthGroupFile /svn/conf/htgroup
     KrbAuthRealms WARDROBE.IROBOT.COM
     KrbSaveCredentials On
     KrbVerifyKDC Off
     KrbAppendRealm Off
     Krb5Keytab /svn/www/http.keytab
     KrbServiceName HTTP
     AuthName "iRobot Subversion Repository"
         Order deny,allow
     Satisfy All
     Require group gniuser
   </Location>     

   <Location ~ "/viewvc/gni/res/?.*">
     AllowOverride None
     AuthType Kerberos
     AuthGroupFile /svn/conf/htgroup
     KrbAuthRealms WARDROBE.IROBOT.COM
     KrbSaveCredentials On
     KrbVerifyKDC Off
     KrbAppendRealm Off
     Krb5Keytab /svn/www/http.keytab
     KrbServiceName HTTP
     AuthName "iRobot Subversion Repository"
         Order deny,allow
     Satisfy All
     Require group res
   </Location>     


I have two groups gniuser, and res, which is a subset of gniuser. Everyone
in res is in gniuser.

If I have these in the order presented (General, then specific), people on
the res group have no access at all. If I reverse the order, they have total
access, like others in gniuser.

I'm using locations because the actual access is via viewvc, a cgi script.

How do I set it up so that res can be in the the gni directory, but have a
restricted set of users?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Viewvc, kerberos and Location directives, an ordering problem?

Posted by "Todd, David" <dt...@irobot.com>.

On 2008Feb05 9:58 , "Todd, David" <dt...@irobot.com> wrote:

> I am trying to use viewvc to let my users browse the code base in our svn
> repositories. We have a number of them.
> 
> Some of them must have restricted access, but at the same time, want to be
> in a hierarchy with others that have a different access group.
> 
> The authentication takes place using kerberos. I doubt that's involved, but
> I mention it just in case.
> 
> This is on an apache 2.0.52 server, on RHEL4.
> 
> I have two locations:
> 
>    <Location ~ "/viewvc/gni/?.*">
>      AllowOverride None
>      AuthType Kerberos
>      AuthGroupFile /svn/conf/htgroup
>      KrbAuthRealms WARDROBE.IROBOT.COM
>      KrbSaveCredentials On
>      KrbVerifyKDC Off
>      KrbAppendRealm Off
>      Krb5Keytab /svn/www/http.keytab
>      KrbServiceName HTTP
>      AuthName "iRobot Subversion Repository"
>          Order deny,allow
>      Satisfy All
>      Require group gniuser
>    </Location>   
> 
>    <Location ~ "/viewvc/gni/res/?.*">
>      AllowOverride None
>      AuthType Kerberos
>      AuthGroupFile /svn/conf/htgroup
>      KrbAuthRealms WARDROBE.IROBOT.COM
>      KrbSaveCredentials On
>      KrbVerifyKDC Off
>      KrbAppendRealm Off
>      Krb5Keytab /svn/www/http.keytab
>      KrbServiceName HTTP
>      AuthName "iRobot Subversion Repository"
>          Order deny,allow
>      Satisfy All
>      Require group res
>    </Location>   
> 
> 
> I have two groups gniuser, and res, which is a subset of gniuser. Everyone
> in res is in gniuser.
> 
> If I have these in the order presented (General, then specific), people on
> the res group have no access at all. If I reverse the order, they have total
> access, like others in gniuser.
> 
> I'm using locations because the actual access is via viewvc, a cgi script.
> 
> How do I set it up so that res can be in the the gni directory, but have a
> restricted set of users?
> 
> 
Once more into the breach!

Does anyone have an idea or opinion on what I might do to resolve this
problem?

If I get no answer, I fear I shall have to go bother some developers.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org