You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Todd, David" <dt...@irobot.com> on 2008/02/05 15:58:11 UTC
[users@httpd] Viewvc, kerberos and Location directives, an ordering problem?
I am trying to use viewvc to let my users browse the code base in our svn
repositories. We have a number of them.
Some of them must have restricted access, but at the same time, want to be
in a hierarchy with others that have a different access group.
The authentication takes place using kerberos. I doubt that's involved, but
I mention it just in case.
This is on an apache 2.0.52 server, on RHEL4.
I have two locations:
<Location ~ "/viewvc/gni/?.*">
AllowOverride None
AuthType Kerberos
AuthGroupFile /svn/conf/htgroup
KrbAuthRealms WARDROBE.IROBOT.COM
KrbSaveCredentials On
KrbVerifyKDC Off
KrbAppendRealm Off
Krb5Keytab /svn/www/http.keytab
KrbServiceName HTTP
AuthName "iRobot Subversion Repository"
Order deny,allow
Satisfy All
Require group gniuser
</Location>
<Location ~ "/viewvc/gni/res/?.*">
AllowOverride None
AuthType Kerberos
AuthGroupFile /svn/conf/htgroup
KrbAuthRealms WARDROBE.IROBOT.COM
KrbSaveCredentials On
KrbVerifyKDC Off
KrbAppendRealm Off
Krb5Keytab /svn/www/http.keytab
KrbServiceName HTTP
AuthName "iRobot Subversion Repository"
Order deny,allow
Satisfy All
Require group res
</Location>
I have two groups gniuser, and res, which is a subset of gniuser. Everyone
in res is in gniuser.
If I have these in the order presented (General, then specific), people on
the res group have no access at all. If I reverse the order, they have total
access, like others in gniuser.
I'm using locations because the actual access is via viewvc, a cgi script.
How do I set it up so that res can be in the the gni directory, but have a
restricted set of users?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Viewvc, kerberos and Location directives, an
ordering problem?
Posted by "Todd, David" <dt...@irobot.com>.
On 2008Feb05 9:58 , "Todd, David" <dt...@irobot.com> wrote:
> I am trying to use viewvc to let my users browse the code base in our svn
> repositories. We have a number of them.
>
> Some of them must have restricted access, but at the same time, want to be
> in a hierarchy with others that have a different access group.
>
> The authentication takes place using kerberos. I doubt that's involved, but
> I mention it just in case.
>
> This is on an apache 2.0.52 server, on RHEL4.
>
> I have two locations:
>
> <Location ~ "/viewvc/gni/?.*">
> AllowOverride None
> AuthType Kerberos
> AuthGroupFile /svn/conf/htgroup
> KrbAuthRealms WARDROBE.IROBOT.COM
> KrbSaveCredentials On
> KrbVerifyKDC Off
> KrbAppendRealm Off
> Krb5Keytab /svn/www/http.keytab
> KrbServiceName HTTP
> AuthName "iRobot Subversion Repository"
> Order deny,allow
> Satisfy All
> Require group gniuser
> </Location>
>
> <Location ~ "/viewvc/gni/res/?.*">
> AllowOverride None
> AuthType Kerberos
> AuthGroupFile /svn/conf/htgroup
> KrbAuthRealms WARDROBE.IROBOT.COM
> KrbSaveCredentials On
> KrbVerifyKDC Off
> KrbAppendRealm Off
> Krb5Keytab /svn/www/http.keytab
> KrbServiceName HTTP
> AuthName "iRobot Subversion Repository"
> Order deny,allow
> Satisfy All
> Require group res
> </Location>
>
>
> I have two groups gniuser, and res, which is a subset of gniuser. Everyone
> in res is in gniuser.
>
> If I have these in the order presented (General, then specific), people on
> the res group have no access at all. If I reverse the order, they have total
> access, like others in gniuser.
>
> I'm using locations because the actual access is via viewvc, a cgi script.
>
> How do I set it up so that res can be in the the gni directory, but have a
> restricted set of users?
>
>
Once more into the breach!
Does anyone have an idea or opinion on what I might do to resolve this
problem?
If I get no answer, I fear I shall have to go bother some developers.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org