Posted to dev@subversion.apache.org by David Resnick <ab...@gmail.com> on 2006/01/25 13:35:41 UTC
Limiting access to only commit messages
I asked this question on the users list but didn't get any replies.
I need to secure an Apache hosted Subversion repository so that it can be
accessed off-site by a JIRA (bug tracking) server.
What I need to know is if there is a set of Apache access methods (like
OPTIONS, PROPFIND, etc.) that can be used to allow a user to be limited to
getting only log commit messages, without allowing access to the actual
contents of the repository.
The Blanket Access Control section of the Subversion book
(http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.blanket)
hints that this might be possible, but doesn't
describe what the connection is between Apache access methods and Subversion
actions.
Thanks in advance,
David Resnick
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
RE: Limiting access to only commit messages
Posted by David Resnick <ab...@gmail.com>.
Thanks for your reply! Sorry about not getting back to this for so long.
I've finally had the chance to try and check this out though I have been
unable to check, due to a problem I'm having with Apache security. I have
the following block to allow limited access to Subversion, though for
unknown reasons this allows GET methods to the /svn-test path:
<Location /svn-test>
    Satisfy all
    <LimitExcept PROPFIND>
        Require valid-user
    </LimitExcept>
    DAV svn
    SVNParentPath "E:\."
    # how to authenticate a user
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain <domaincontroller>
    SSPIOfferBasic On
    SSPIOmitDomain On
</Location>
I will continue to try to get this working in order to test the ability of
limiting the Subversion access.
-David Resnick
> -----Original Message-----
> From: sussman@gmail.com [mailto:sussman@gmail.com] On Behalf Of Ben
> Collins-Sussman
> Sent: Wednesday, January 25, 2006 15:59
> To: David Resnick
> Cc: dev@subversion.tigris.org
> Subject: Re: Limiting access to only commit messages
>
> On 1/25/06, David Resnick <ab...@gmail.com> wrote:
> > doesn't
> > describe what the connection is between Apache access methods and Subversion
> > actions.
>
> That's because the mapping of HTTP methods to Subversion actions is
> insanely complex. Typically several methods are required to achieve a
> single subversion action. You can see a description here, though it's
> only a very high-level view:
>
> http://svn.collab.net/repos/svn/trunk/subversion/libsvn_ra_dav/protocol
>
> From the user's standpoint, then, the only things that exist are
>
> * blanket read/write control using apache <Limit> or <LimitExcept>
> directives
> * per-path read/write control using mod_authz_svn
>
> You can *try* telling apache to allow nothing but PROPFIND requests,
> and that *might* do what you want, but I'm skeptical it will work.
Re: Limiting access to only commit messages
Posted by Ben Collins-Sussman <su...@red-bean.com>.
On 1/25/06, David Resnick <ab...@gmail.com> wrote:
> doesn't
> describe what the connection is between Apache access methods and Subversion
> actions.
That's because the mapping of HTTP methods to Subversion actions is
insanely complex. Typically several methods are required to achieve a
single subversion action. You can see a description here, though it's
only a very high-level view:
http://svn.collab.net/repos/svn/trunk/subversion/libsvn_ra_dav/protocol
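
How the <LimitExcept PROPFIND> block posted in this thread scopes its Require directive, modelled as an added example (not code from the thread, Apache or Subversion). The method list, the INVERTED variant and the single-section model are assumptions made for illustration.

```python
import re

# Constructed sample: the access-control lines of the block posted in this thread.
POSTED = """\
<Location /svn-test>
Satisfy all
<LimitExcept PROPFIND>
Require valid-user
</LimitExcept>
DAV svn
</Location>
"""
# Constructed variant for contrast: credentials demanded for PROPFIND only.
INVERTED = POSTED.replace("LimitExcept", "Limit")

# Illustrative method list for a DAV location (an assumption, not exhaustive).
METHODS = ["OPTIONS", "GET", "HEAD", "PROPFIND", "REPORT", "PUT", "MERGE", "DELETE"]

def auth_required(config, method):
    """True if a Require directive in `config` applies to `method`."""
    # Model assumption: one section, no merging; a bare Require covers all methods.
    scope = None      # None = every method, else (kind, listed methods)
    required = False
    for raw in config.splitlines():
        line = raw.strip()
        opened = re.match(r"<(LimitExcept|Limit)\s+([^>]+)>", line, re.I)
        if opened:
            listed = set(opened.group(2).upper().split())
            if "GET" in listed:
                listed.add("HEAD")   # Apache handles HEAD as GET for these sections
            scope = (opened.group(1).lower(), listed)
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = None
        elif line.lower().startswith("require "):
            if scope is None:
                applies = True
            elif scope[0] == "limit":
                applies = method in scope[1]
            else:                    # limitexcept: every method NOT listed
                applies = method not in scope[1]
            required = required or applies
    return required

def summary(config):
    return {m: auth_required(config, m) for m in METHODS}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("inverted", INVERTED)):
        print(name, summary(cfg))
```

Under this model the posted block demands credentials for GET and REPORT and none for PROPFIND; Require valid-user admits any authenticated user, it does not refuse the method.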