You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Matt Smith <ma...@forsetti.com> on 2008/02/28 15:29:37 UTC

Not able to co from repo with no anon read: REPORT request failed on ..., Not authorized to open root of edit operation

I found a number of similar reports in the archives, but no definitive
answers.  When checking out from a repo that does not allow anonymous read
access ("* = "), I get the following error at the client:
  svn: REPORT request failed on '/svn/myproject/!svn/vcc/default'
  svn: Not authorized to open root of edit operation

The Apache error log shows:
  A failure occurred while driving the update report editor  [500, #220000]
  Not authorized to open root of edit operation  [500, #220000]

Adding "*=r" to the repo entry in the authz file allows this to succeed
fine.  This leads me to suspect that the svn client is attempting to do
"something" anonymously, before authenticating.

Some detail:
Client: Ubuntu Gutsy, using the stock  subversion (1.4.4dfsg1-1ubuntu3)
package.
Server: Debian Etch, using the stock libapache2-svn (1.4.2dfsg1-2) package.
Authentication:  libapache2-mod-auth-kerb (5.3-1) package, using negotiate
(not simple passwd!)

Relevant Apache configuration block:
SSLCertificateFile /etc/apache2/certificate.pem
SSLCertificateKeyFile /etc/apache2/certificate.pem
SSLEngine on

<Location /svn/>
 AuthType Kerberos
 KrbMethodNegotiate on
 KrbMethodK5Passwd off
 KrbVerifyKDC on
 Krb5Keytab /etc/apache2/HTTP.keytab

  Satisfy Any
 require valid-user

 DAV svn
 SVNParentPath /srv/svn
 SVNListParentPath on
 AuthzSVNAccessFile /srv/svn/authz
</Location>

Relevant snippet from authz file:
  [myproject:/]
  myuser = rw
  * =

This repository must not be anonymously accessible, so setting "*=r" is not
an option.  Does anyone have any insight to the cause of my problem?

Thank you,
-Matt

-- 
matt@forsetti.com
Key ID:D6EEC5B5

Re: Not able to co from repo with no anon read: REPORT request failed on ..., Not authorized to open root of edit operation

Posted by Matt Smith <ma...@forsetti.com>.

All-
  Through trial and error, it looks like my problem may be the use of
"Satisfy Any" in Apache's location block to allow anonymous or authenticated
access.  So, my workaround for now is to force anonymous access and
authenticated access through two different URLs.

  But, I would still be interested if anyone has any insight into my problem
as described below.

Thanks all,
-Matt

On Thu, Feb 28, 2008 at 10:29 AM, Matt Smith <ma...@forsetti.com> wrote:

> I found a number of similar reports in the archives, but no definitive
> answers.  When checking out from a repo that does not allow anonymous read
> access ("* = "), I get the following error at the client:
>   svn: REPORT request failed on '/svn/myproject/!svn/vcc/default'
>   svn: Not authorized to open root of edit operation
>
> The Apache error log shows:
>   A failure occurred while driving the update report editor  [500,
> #220000]
>   Not authorized to open root of edit operation  [500, #220000]
>
> Adding "*=r" to the repo entry in the authz file allows this to succeed
> fine.  This leads me to suspect that the svn client is attempting to do
> "something" anonymously, before authenticating.
>
> Some detail:
> Client: Ubuntu Gutsy, using the stock  subversion (1.4.4dfsg1-1ubuntu3)
> package.
> Server: Debian Etch, using the stock libapache2-svn (1.4.2dfsg1-2)
> package.
> Authentication:  libapache2-mod-auth-kerb (5.3-1) package, using negotiate
> (not simple passwd!)
>
> Relevant Apache configuration block:
> SSLCertificateFile /etc/apache2/certificate.pem
> SSLCertificateKeyFile /etc/apache2/certificate.pem
> SSLEngine on
>
> <Location /svn/>
>  AuthType Kerberos
>  KrbMethodNegotiate on
>  KrbMethodK5Passwd off
>  KrbVerifyKDC on
>  Krb5Keytab /etc/apache2/HTTP.keytab
>
>   Satisfy Any
>  require valid-user
>
>  DAV svn
>  SVNParentPath /srv/svn
>  SVNListParentPath on
>  AuthzSVNAccessFile /srv/svn/authz
> </Location>
>
> Relevant snippet from authz file:
>   [myproject:/]
>   myuser = rw
>   * =
>
> This repository must not be anonymously accessible, so setting "*=r" is
> not an option.  Does anyone have any insight to the cause of my problem?
>
> Thank you,
> -Matt
>
> --
> matt@forsetti.com
> Key ID:D6EEC5B5




-- 
matt@forsetti.com
Key ID:D6EEC5B5