Posted to users@subversion.apache.org by trevor obba <tr...@yahoo.co.uk> on 2012/05/24 20:36:38 UTC
SVN Permission problem
I am running Subversion 1.6.6 on Ubuntu 10.04 (Lucid), ViewVC
1.0.9 and apache2 (2.2.14) and LDAP authentication.
I have multiple repositories on my SVN server and it is all
working fine; however, I am unable to set access control (permissions) using AuthzSVNAccessFile.
“SVNParentPath /abc/svn”
The directories to my repositories are:
/abc/svn/repo1
/abc/svn/repo2
/abc/svn/repo3
/abc/svc/repo4
Users log in with their LDAP account to https://www.test.com/viewvc or https://www.test.com/svn and can see all
repositories; however, when users drill down or click on a repository, only specific
users should be able to read and write to the repository.
I tried to set up permissions on the repositories but it does not
seem to work, where a specific group of users is given read/write access to a
repository, like:

[groups]
developer1 = john, matthew, trevor
developer2 = john, monika, nick, Andrew
developer3 = john, victor, brown,

[/]
* = r

[repo1:/]
@developer1 = rw

[repo2:/]
@developer2 = rw

[repo3:/]
@developer3 = rw

The above permissions do not work; users are still able to
drill down into repositories regardless of permission, unless I explicitly state
that the other groups have no permission to the repository; then it works, like:

[/]
* = r

[repo1:/]
@developer1 = rw
@developer2 =
@developer3 =

[repo2:/]
@developer2 = rw
@developer1 =
@developer3 =

[repo3:/]
@developer3 = rw
@developer1 =
@developer2 =

However, if any user who is not a member of developer1,
developer2 and developer3
logs in, he can drill down into every repository and read any
files.
How do I restrict access to a repository to a specific group?
Here is my dav_svn.conf
<Location /svn/>
  DAV svn
  SVNParentPath /abc/svn
  SVNListParentPath On
  AuthType Basic
  AuthName "Subversion Repository"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPBindDN "o=bindme"
  AuthLDAPURL ldap://x.x.x.x:389/ STARTTLS
  AuthzSVNAccessFile /etc/apache2/acl
  Require valid-user
</Location>
What am I doing wrong? Can anyone help, please?
Re: SVN Permission problem
Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Michael P. Reilly wrote on Thu, May 24, 2012 at 15:13:33 -0400:
> On Thu, May 24, 2012 at 2:36 PM, trevor obba <tr...@yahoo.co.uk> wrote:
>
> > I am running subversion 1.6.6 on Ubuntu 10.04 (Lucid), Viewvc
> > 1.0.9 and apache2 (2.2.14) and LDAP authentication.
> >
> >
> > I have multiple repositories on my SVN server and it all
> > working fine, however I am unable to set access control (permissions)
> > using AuthzSVNAccessFile.
> >
> > “SVNParentPath /abc/svn”
> >
> >
> > The directories to my repositories are:
> > /abc/svn/repo1
> > /abc/svn/repo2
> > /abc/svn/repo3
> > /abc/svc/repo4
> >
> > Users log-in with their LDAP account to https://www.test.com/viewvc or
> > https://www.test.com/svn and can see all
> > repositories however when users drill down or click on repository only
> > specific
> > users should be able to read and write to repository.
> >
> > I tried to set up permission on repository but it does not
> > seem to work, where specific group of users are given read write access a
> > repository like
> >
> > [groups]
> > developer1 = john, matthew, trevor
> > developer2 = john, monika, nick, Andrew
> > developer3 = john, victor, brown,
> >
> >
> > [/]
> > * = r
> >
> > [repo1:/]
> > @developer1 = rw
> >
> > [repo2:/]
> > @developer2 = rw
> >
> > [repo3:/]
> > @developer3 = rw
> >
> > The above permission does not work; users are still able to
> > drill down repositories regardless of permission, unless I explicitly state
> > that other groups have no permission to repository then it work like
> >
> > [/]
> > * = r
> >
> > [repo1:/]
> > @developer1 = rw
> > @developer2 =
> > @developer3 =
> >
> > [repo2:/]
> > @developer2 = rw
> > @developer1 =
> > @developer3 =
> >
> > [repo3:/]
> > @developer3 = rw
> > @developer1 =
> > @developer2 =
> >
> >
> > However if any users, that are not a member of developer1,
> > developer2 and developer3
> > Logs-in he can drill down to every repositories and read any
> > files.
> >
> > How do I restrict access to repository to specify group?
> >
> > Here is my dav_svn.conf
> > <Location /svn/>
> > DAV svn
> > SVNParentPath /abc/svn
> > SVNListParentPath On
> > AuthType Basic
> > AuthName "Subversion Repository"
> > AuthBasicProvider ldap
> > AuthzLDAPAuthoritative on
> > AuthLDAPBindDN "o=bindme"
> > AuthLDAPURL ldap://x.x.x.x:389/ STARTTLS
> > AuthzSVNAccessFile /etc/apache2/acl
> > Require valid-user
> > </Location>
> >
> > What am I doing wrong? Can help please
> >
> > What am I doing wrong? Can help please
> >
>
> Try removing the lines:
>
> [/]
> * = r
>
>
> This is a catch-all that says "anyone accessing '/' or below has read-only
> access".
>
> What I do is have a 'catch-all' group and give global access to that group.
> Then I just move users in and out of that group as needed to give or
> remove permissions.
>
When both [repo:/foo] and [/foo] exist, and the repository
${SVNParentPath}/foo is accessed, the section [/foo] is not used.
I think this is even documented in recent versions of the book.
> -Arcege
> --
> What comes after the O-nut?
> The P-nut
> What comes after the P-nut?
> The elephant
> *joke told by my sons*
Re: SVN Permission problem
Posted by "Michael P. Reilly" <ar...@gmail.com>.
On Thu, May 24, 2012 at 2:36 PM, trevor obba <tr...@yahoo.co.uk> wrote:
> I am running subversion 1.6.6 on Ubuntu 10.04 (Lucid), Viewvc
> 1.0.9 and apache2 (2.2.14) and LDAP authentication.
>
>
> I have multiple repositories on my SVN server and it all
> working fine, however I am unable to set access control (permissions)
> using AuthzSVNAccessFile.
>
> “SVNParentPath /abc/svn”
>
>
> The directories to my repositories are:
> /abc/svn/repo1
> /abc/svn/repo2
> /abc/svn/repo3
> /abc/svc/repo4
>
> Users log-in with their LDAP account to https://www.test.com/viewvc or
> https://www.test.com/svn and can see all
> repositories however when users drill down or click on repository only
> specific
> users should be able to read and write to repository.
>
> I tried to set up permission on repository but it does not
> seem to work, where specific group of users are given read write access a
> repository like
>
> [groups]
> developer1 = john, matthew, trevor
> developer2 = john, monika, nick, Andrew
> developer3 = john, victor, brown,
>
>
> [/]
> * = r
>
> [repo1:/]
> @developer1 = rw
>
> [repo2:/]
> @developer2 = rw
>
> [repo3:/]
> @developer3 = rw
>
> The above permission does not work; users are still able to
> drill down repositories regardless of permission, unless I explicitly state
> that other groups have no permission to repository then it work like
>
> [/]
> * = r
>
> [repo1:/]
> @developer1 = rw
> @developer2 =
> @developer3 =
>
> [repo2:/]
> @developer2 = rw
> @developer1 =
> @developer3 =
>
> [repo3:/]
> @developer3 = rw
> @developer1 =
> @developer2 =
>
>
> However if any users, that are not a member of developer1,
> developer2 and developer3
> Logs-in he can drill down to every repositories and read any
> files.
>
> How do I restrict access to repository to specify group?
>
> Here is my dav_svn.conf
> <Location /svn/>
> DAV svn
> SVNParentPath /abc/svn
> SVNListParentPath On
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative on
> AuthLDAPBindDN "o=bindme"
> AuthLDAPURL ldap://x.x.x.x:389/ STARTTLS
> AuthzSVNAccessFile /etc/apache2/acl
> Require valid-user
> </Location>
>
> What am I doing wrong? Can help please
>
> What am I doing wrong? Can help please
>
Try removing the lines:
[/]
* = r
This is a catch-all that says "anyone accessing '/' or below has read-only
access".
What I do is have a 'catch-all' group and give global access to that group.
Then I just move users in and out of that group as needed to give or
remove permissions.
-Arcege
--
What comes after the O-nut?
The P-nut
What comes after the P-nut?
The elephant
*joke told by my sons*
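
Added example (not part of the thread and not Subversion's own code): a simplified Python model of the access-file lookup, run over the rules posted above with and without the `[/]` catch-all. It assumes a repository-specific section is tried before the global one at each path level, that a section with no line matching the user decides nothing, and that no match anywhere means deny; the user `guest` and the path `/trunk` are constructed.

```python
# Simplified model of the authz lookup (an assumption, see lead-in).
import configparser

GROUPS = """[groups]
developer1 = john, matthew, trevor
developer2 = john, monika, nick, Andrew
developer3 = john, victor, brown,
"""
REPOS = """[repo1:/]
@developer1 = rw
[repo2:/]
@developer2 = rw
[repo3:/]
@developer3 = rw
"""
CATCH_ALL = "[/]\n* = r\n"

def load(text):
    cfg = configparser.RawConfigParser(delimiters=("=",))
    cfg.optionxform = str                      # keep names case-sensitive
    cfg.read_string(text)
    groups = {name: {m.strip() for m in members.split(",") if m.strip()}
              for name, members in cfg.items("groups")}
    return cfg, groups

def section_rights(cfg, groups, section, user):
    """Rights from every line matching the user; None if no line matches."""
    if not cfg.has_section(section):
        return None
    rights = None
    for who, value in cfg.items(section):
        in_group = who.startswith("@") and user in groups.get(who[1:], ())
        if who in ("*", user) or in_group:
            rights = (rights or set()) | set(value.strip())
    return rights

def can(cfg, groups, repo, path, user, need):
    """Walk from path up to '/', trying [repo:path] before [path]."""
    while True:
        for section in (f"{repo}:{path}", path):
            rights = section_rights(cfg, groups, section, user)
            if rights is not None:
                return need in rights
        if path == "/":
            return False                       # nothing matched: deny
        path = path.rsplit("/", 1)[0] or "/"

POSTED = load(GROUPS + CATCH_ALL + REPOS)      # rules as first posted
NO_CATCH_ALL = load(GROUPS + REPOS)            # with [/] * = r removed
if __name__ == "__main__":
    for user in ("trevor", "monika", "guest"):
        print(user, can(*POSTED, "repo1", "/trunk", user, "r"),
              can(*NO_CATCH_ALL, "repo1", "/trunk", user, "r"))
```

Under these assumptions, `monika` and `guest` can read repo1 only while the `[/]` section is present; once it is removed, only members of developer1 get in.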