Posted to users@subversion.apache.org by p karthik <ka...@gmail.com> on 2007/08/29 19:12:06 UTC

Restrict Read Access at Branch Level

Hello!

We are using subversion-1.3.2 and apache2 on Solaris platform in our
project.
We are trying to restrict read access on a branch level in repository.
Already the write access has been controlled with the help of "pre-commit"
hook script.
But we are not able to find a way to restrict users from reading.

We have tried to check whether apache2 offers anything here. But we
couldn't find any sort of that feature.
It would be of great help if somebody can point how to restrict read access
too on directory level.

Thanks,
Karthik

Re: Restrict Read Access at Branch Level

Posted by Rainer Sokoll <R....@intershop.de>.
On Thu, Aug 30, 2007 at 05:02:39PM +0100, p karthik wrote:

>   AuthzSVNAccessFile /workarea/svn/svn-acl
>   AuthUserFile /export/home/svn/svn-auth-file
>   AuthGroupFile /workarea/svn/svn_grp_file

Are these files readable for the webserver user?

Rainer


Re: Restrict Read Access at Branch Level

Posted by p karthik <ka...@gmail.com>.
Hi Hari,

Thanks a lot for responding to my mail.

But I have tried what was there in the svnbook earlier and I got the below
error while accessing the repository through the Tortoise repository
browser.

Error * REPORT request failed on 'http://<IP:Port>/dummy' REPORT of
'http://<IP:Port>/dummy': 403 Forbidden (http://<IP:Port>)

I have removed the IP and Port in the above error for security reasons.

The contents of the httpd.conf file are as follows:

<Location  /dummy>
  DAV svn
  SVNPath /subversion/dummy
  SVNReposName "NEO Dummy   Repository"
  AuthType Basic
  AuthName "Subversion repository"
  AuthzSVNAccessFile /workarea/svn/svn-acl
  AuthUserFile /export/home/svn/svn-auth-file
  AuthGroupFile /workarea/svn/svn_grp_file
  <Limit POST PUT>
  Require group mygrp
  </Limit>
  <Limit PROPFIND GET>
  Require group mygrp nopegroup
  </Limit>
</Location>

My physical path of the repository is: /subversion/dummy.

The access file /workarea/svn/svn-acl content is:

[dummy:/]
karthikp = wr

I have given it as "wr" instead of "rw" as it was giving the same error and
I have read that giving "wr" resolves the problem. But it is not the case
here.

The group file /workarea/svn/svn_grp_file has the following content:

mygrp: karthikp dummy admin
nopegroup: testuser

It's working fine for me without this "AuthzSVNAccessFile" thing.

Please let me know if I am giving anything wrong or missing anything. Thanks
a lot in anticipation.

Thanks,
Karthik


On 8/30/07, Hari Kodungallur <hk...@gmail.com> wrote:
>
>
>  On 8/29/07, p karthik <ka...@gmail.com> wrote:
> >
> >
> > Hello!
> >
> > We are using subversion-1.3.2 and apache2 on Solaris platform in our
> > project.
> > We are trying to restrict read access on a branch level in repository.
> > Already the write access has been controlled with the help of
> > "pre-commit" hook script.
> > But we are not able to find a way to restrict users from reading.
> >
> > We have tried to check whether apache2 offers anything here. But we
> > couldn't find any sort of that feature.
> > It would be of great help if somebody can point how to restrict read
> > access too on directory level.
> >
>
> Please read about per directory access control in the subversion book: http://svnbook.red-bean.com/en/1.4/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
>
>
> Let us know if you encounter any issue setting up the configuration files
> for access control.
>
> regards,
> -Hari Kodungallur
>

Re: Restrict Read Access at Branch Level

Posted by p karthik <ka...@gmail.com>.
Hi All,

The per-directory access control is working fine now using the svn-acl file.
But now I have a different problem.

I have around 20 branches on which I need to impose read restriction.
For that I have explicitly written the name of the branch and then gave no
permission to the group.

Is there any way that I can minimize this explicit mentioning of the name by
any means like a regular expression?
I need this because I need to restrict the same group of people if I am
creating a new branch. And this creation is very frequent as we are
following agile methodology and I need to add each entry in the svn-acl file
whenever I create the branch.

Thanks in anticipation.
Karthik.

On 8/30/07, p karthik <ka...@gmail.com> wrote:
>
> Hi Hari/Rainer,
>
> Thanks a ton for your inputs.
>
> Yes Rainer, the files have read permissions for other users.
>
> Hari,
>
> As you suggested I have tried with the basic authentication, Require
> valid-user and then AuthzSVNAccessFile. The httpd.conf has the entry as:
>
>
>
> <Location  /dummy>
>   DAV svn
>   SVNPath /subversion/dummy
>   SVNReposName "NEO Dummy   Repository"
>   AuthType Basic
>   AuthName "Subversion repository"
>   AuthzSVNAccessFile /workarea/svn/svn-acl
>   AuthUserFile /export/home/svn/svn-auth-file
>   Require valid-user
> </Location>
>
>  The contents of svn-acl file are as follows:
> [dummy:/]
> karthikp = wr
> dummy = r
> admin = wr
> [dummy:/core/branches/core_final_bugfix]
> karthikp = r
> dummy =
> admin = wr
>
> It seems to work now.  I think I need to remove the pre-commit hook script
> which I have written in PERL if this comes into the picture.
>
> But I have a query regarding this. Can I have the list of users in a file
> and reference that so that I can only change that file instead of changing
> the svn-acl file?
>
> Thanks a lot once again.
>
> Karthik.
>
>
> On 8/30/07, Hari Kodungallur <hkodungallur@gmail.com > wrote:
> >
> >
> >
> > On 8/30/07, p karthik <karthik1212@gmail.com > wrote:
> > >
> > > Hi Hari/All,
> > >
> > > I have noticed "access denied" message in the error log of apache.
> > >
> > > [Thu Aug 30 16:50:07 2007] [error] [client <IP>] Access denied: -
> > > REPORT dummy:/
> > >
> > > This shows that I am not configuring properly my httpd.conf file/svn-acl file.
> > > Please help me in this regard.
> > >
> > >
> >
> > In this case, it looks like it is because you have limited the access to
> > POST, PUT, GET and PROPFIND. You should also have one for REPORT and OPTIONS
> > (they can be grouped with GET and PROPFIND).
> >
> > There can be other reasons for 403 -- incorrect password, incorrect
> > configuration file that results in apache not knowing about the access etc.
> > If the issue persists, my suggestion will be to start off with very basic
> > authentication for everyone and then add the userfile, then the groupfile
> > etc. If you have everything in place and if you get the error, any one of
> > them could be the problem. So, try doing it one step at a time.
> >
> > Hope this helps.
> >
> > regards,
> > -Hari Kodungallur
> >
> >
> >
> >
>

Re: Restrict Read Access at Branch Level

Posted by p karthik <ka...@gmail.com>.
Hi Hari/Rainer,

Thanks a ton for your inputs.

Yes Rainer, the files have read permissions for other users.

Hari,

As you suggested I have tried with the basic authentication, Require
valid-user and then AuthzSVNAccessFile. The httpd.conf has the entry as:



<Location  /dummy>
  DAV svn
  SVNPath /subversion/dummy
  SVNReposName "NEO Dummy   Repository"
  AuthType Basic
  AuthName "Subversion repository"
  AuthzSVNAccessFile /workarea/svn/svn-acl
  AuthUserFile /export/home/svn/svn-auth-file
  Require valid-user
</Location>

 The contents of svn-acl file are as follows:
[dummy:/]
karthikp = wr
dummy = r
admin = wr
[dummy:/core/branches/core_final_bugfix]
karthikp = r
dummy =
admin = wr

It seems to work now.  I think I need to remove the pre-commit hook script
which I have written in PERL if this comes into the picture.

But I have a query regarding this. Can I have the list of users in a file
and reference that so that I can only change that file instead of changing
the svn-acl file?

Thanks a lot once again.

Karthik.


On 8/30/07, Hari Kodungallur <hkodungallur@gmail.com > wrote:
>
>
>
> On 8/30/07, p karthik <karthik1212@gmail.com > wrote:
> >
> > Hi Hari/All,
> >
> > I have noticed "access denied" message in the error log of apache.
> >
> > [Thu Aug 30 16:50:07 2007] [error] [client <IP>] Access denied: - REPORT
> > dummy:/
> >
> > This shows that I am not configuring properly my httpd.conf file/svn-acl
> > file.
> > Please help me in this regard.
> >
> >
>
> In this case, it looks like it is because you have limited the access to
> POST, PUT, GET and PROPFIND. You should also have one for REPORT and OPTIONS
> (they can be grouped with GET and PROPFIND).
>
> There can be other reasons for 403 -- incorrect password, incorrect
> configuration file that results in apache not knowing about the access etc.
> If the issue persists, my suggestion will be to start off with very basic
> authentication for everyone and then add the userfile, then the groupfile
> etc. If you have everything in place and if you get the error, any one of
> them could be the problem. So, try doing it one step at a time.
>
> Hope this helps.
>
> regards,
> -Hari Kodungallur
>
>
>
>
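How the two svn-acl sections in the message above combine can be seen with a small evaluator; this is an added example, not part of the original post and not Subversion's own code. It is a simplified model of the path lookup (the deepest section that names the user decides), and the `[groups]` section, which is the authz file's own way to name a list of users, is filled with a constructed group `noread` and applied to a constructed branch `sprint_x`.

```python
def parse_authz(text):
    """Return (groups, rules); rules maps 'repo:/path' to {principal: rights}."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None and not line.startswith("#"):
            name, _, value = (part.strip() for part in line.partition("="))
            if section == "groups":
                groups[name] = {u.strip() for u in value.split(",") if u.strip()}
            else:
                rules.setdefault(section, {})[name] = value
    return groups, rules

def rights(groups, rules, repo, user, path):
    """Simplified lookup: the deepest section that names the user decides."""
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        section = rules.get(f"{repo}:/" + "/".join(parts[:depth]), {})
        granted, matched = set(), False
        for principal, value in section.items():
            in_group = principal.startswith("@") and user in groups.get(principal[1:], ())
            if principal in (user, "*") or in_group:
                matched = True
                granted |= set(value) & {"r", "w"}   # letter order is irrelevant here
        if matched:
            return "".join(sorted(granted))
    return ""   # no section up to the root names the user: no access

# Rules from the thread's svn-acl, plus a constructed [groups] section and a
# constructed second branch (sprint_x) that denies the whole group at once.
SVN_ACL = """
[groups]
noread = dummy, testuser
[dummy:/]
karthikp = wr
dummy = r
admin = wr
[dummy:/core/branches/core_final_bugfix]
karthikp = r
dummy =
admin = wr
[dummy:/core/branches/sprint_x]
@noread =
"""
GROUPS, RULES = parse_authz(SVN_ACL)

if __name__ == "__main__":
    print(repr(rights(GROUPS, RULES, "dummy", "dummy", "/core/branches/core_final_bugfix/a.c")))
```

A user the branch section does not mention, such as `karthikp` on `sprint_x`, falls through to the `[dummy:/]` entry and keeps the rights granted there.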

Re: Restrict Read Access at Branch Level

Posted by Hari Kodungallur <hk...@gmail.com>.
On 8/30/07, p karthik <ka...@gmail.com> wrote:
>
> Hi Hari/All,
>
> I have noticed "access denied" message in the error log of apache.
>
> [Thu Aug 30 16:50:07 2007] [error] [client <IP>] Access denied: - REPORT
> dummy:/
>
> This shows that I am not configuring properly my httpd.conf file/svn-acl
> file.
> Please help me in this regard.
>
>

In this case, it looks like it is because you have limited the access to
POST, PUT, GET and PROPFIND. You should also have one for REPORT and OPTIONS
(they can be grouped with GET and PROPFIND).

There can be other reasons for 403 -- incorrect password, incorrect
configuration file that results in apache not knowing about the access etc.
If the issue persists, my suggestion will be to start off with very basic
authentication for everyone and then add the userfile, then the groupfile
etc. If you have everything in place and if you get the error, any one of
them could be the problem. So, try doing it one step at a time.

Hope this helps.

regards,
-Hari Kodungallur
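The gap described in the reply above can be checked mechanically. This is an added example, not part of the original message: it scans a `<Location>` block and reports which of the four read-side methods (GET, PROPFIND, OPTIONS, REPORT) have no `Require` directive applying to them. The two sample blocks are trimmed copies of the configurations posted in this thread; the function and variable names are hypothetical.

```python
import re

# The four read-side methods named in the reply above.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}

def unauthenticated_read_methods(location_block):
    """Return the read methods that no Require directive applies to."""
    covered, scope = set(), None   # scope None = directly inside <Location>
    for raw in location_block.splitlines():
        line = raw.strip()
        opened = re.match(r"<(LimitExcept|Limit)\s+([^>]+)>", line, re.I)
        if opened:
            scope = (opened.group(1).lower(), set(opened.group(2).upper().split()))
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = None
        elif re.match(r"Require\s+\S", line, re.I):
            if scope is None:
                covered |= READ_METHODS              # applies to every method
            elif scope[0] == "limit":
                covered |= scope[1]                  # only the listed methods
            else:
                covered |= READ_METHODS - scope[1]   # LimitExcept: all but these
    return READ_METHODS - covered

# The <Limit> layout from the first httpd.conf in this thread.
LIMITED = """
<Location /dummy>
  AuthzSVNAccessFile /workarea/svn/svn-acl
  <Limit POST PUT>
  Require group mygrp
  </Limit>
  <Limit PROPFIND GET>
  Require group mygrp nopegroup
  </Limit>
</Location>
"""

# The later layout from the thread: one Require for the whole Location.
WHOLE_LOCATION = """
<Location /dummy>
  AuthzSVNAccessFile /workarea/svn/svn-acl
  Require valid-user
</Location>
"""

if __name__ == "__main__":
    # Methods listed here reach mod_authz_svn with no authenticated user,
    # which the error log shows as "-" in "Access denied: - REPORT dummy:/".
    print(sorted(unauthenticated_read_methods(LIMITED)))
    print(sorted(unauthenticated_read_methods(WHOLE_LOCATION)))
```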

Re: Restrict Read Access at Branch Level

Posted by p karthik <ka...@gmail.com>.
Hi Hari/All,

I have noticed "access denied" message in the error log of apache.

[Thu Aug 30 16:50:07 2007] [error] [client <IP>] Access denied: - REPORT
dummy:/

This shows that I am not configuring properly my httpd.conf file/svn-acl
file.
Please help me in this regard.

Thanks,
Karthik.


On 8/30/07, Hari Kodungallur <hk...@gmail.com> wrote:
>
>
>  On 8/29/07, p karthik <ka...@gmail.com> wrote:
> >
> >
> > Hello!
> >
> > We are using subversion-1.3.2 and apache2 on Solaris platform in our
> > project.
> > We are trying to restrict read access on a branch level in repository.
> > Already the write access has been controlled with the help of
> > "pre-commit" hook script.
> > But we are not able to find a way to restrict users from reading.
> >
> > We have tried to check whether apache2 offers anything here. But we
> > couldn't find any sort of that feature.
> > It would be of great help if somebody can point how to restrict read
> > access too on directory level.
> >
>
> Please read about per directory access control in the subversion book: http://svnbook.red-bean.com/en/1.4/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
>
>
> Let us know if you encounter any issue setting up the configuration files
> for access control.
>
> regards,
> -Hari Kodungallur
>

Re: Restrict Read Access at Branch Level

Posted by Hari Kodungallur <hk...@gmail.com>.
On 8/29/07, p karthik <ka...@gmail.com> wrote:
>
>
> Hello!
>
> We are using subversion-1.3.2 and apache2 on Solaris platform in our
> project.
> We are trying to restrict read access on a branch level in repository.
> Already the write access has been controlled with the help of "pre-commit"
> hook script.
> But we are not able to find a way to restrict users from reading.
>
> We have tried to check whether apache2 offers anything here. But we
> couldn't find any sort of that feature.
> It would be of great help if somebody can point how to restrict read
> access too on directory level.
>

Please read about per directory access control in the subversion book:
http://svnbook.red-bean.com/en/1.4/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir

Let us know if you encounter any issue setting up the configuration files
for access control.

regards,
-Hari Kodungallur