Posted to users@subversion.apache.org by JT...@L-3com.com on 2015/01/06 22:39:40 UTC

Authentication Questions

Debugging other issues, I turned on verbose logging and was curious if the below traffic was typical. This may well be correct, as we have path-based authentication requiring valid NTLM users. Server is Windows 2008 R2, Apache 2.4, NTLM, and SVN 1.8. 

[Tue Jan 06 15:18:28.378306 2015] [authz_core:debug] [pid 15392:tid 16884] mod_authz_core.c(799): [client USER_IP:55559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Jan 06 15:18:28.378306 2015] [authz_core:debug] [pid 15392:tid 16884] mod_authz_core.c(799): [client USER_IP:55559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Jan 06 15:18:28.378306 2015] [authnz_sspi:debug] [pid 15392:tid 16884] mod_authnz_sspi_authentication.c(439): [client USER_IP:55559] SSPI00001: Entering authenticate_sspi_user()
[Tue Jan 06 15:18:28.378306 2015] [authnz_sspi:debug] [pid 15392:tid 16884] mod_authnz_sspi_authentication.c(544): [client USER_IP:55559] SSPI00009: Authenticated user: USER_NAME
[Tue Jan 06 15:18:28.378306 2015] [authz_svn:debug] [pid 15392:tid 16884] mod_authz_svn.c(400): [client USER_IP:55559] Path to authz file is D:/svn/config/svnaccess.conf
[Tue Jan 06 15:18:28.378306 2015] [authz_svn:info] [pid 15392:tid 16884] [client USER_IP:55559] Access granted: 'USER_NAME' GET REPO:/PATH_TO_FILE

There are hundreds to thousands of the above entry pattern for each user as they browse the repository (over 6 hours log is ~420MB with ~2.4M entries). 

I guess there's no caching of credentials since the path-based authentication file can change at any time?

Regards,

JT Miller
L-3 Mustang Technology

RE: Authentication Questions

Posted by JT...@L-3com.com.
Thanks Philip, what you explained for the authz/authn caching makes sense. We recently performed a major upgrade of our IT infrastructure and I took the opportunity to upgrade our very old Subversion configuration (old physical server with Apache 2.2/SVN 1.4 to virtual server with 2.4/1.8). We have had some pretty significant latency issues (due to my ignorance of a proper configuration). I was searching for performance bottlenecks and was (unduly) concerned by what I saw in the logs with debug enabled. Mostly I wanted to verify that the traffic pattern I showed was typical, and it doesn't sound like it's anything out of the ordinary.

I think the culprit for us was the default AcceptFilter directive. Changing this to AcceptFilter http none seems to have cleared up all the latency issues.

Thanks again for your explanation.

-----Original Message-----
From: Philip Martin [mailto:philip.martin@wandisco.com] 
Sent: Thursday, January 08, 2015 9:17 AM
To: Miller, JT @ SSG - PE - MT
Cc: users@subversion.apache.org
Subject: Re: Authentication Questions

JT.Miller@L-3com.com writes:

> I guess there's no caching of credentials since the path-based 
> authentication file can change at any time?

I'm not clear what you mean by "caching of credentials".  Subversion typically sends multiple HTTP requests over a single connection.  Each HTTP request has its own authn credentials and caching those would not make sense, although Apache may cache any data used to validate the credentials.  Subversion's authz file is parsed when first needed and cached for use by any subsequent HTTP requests on the same connection.

--
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*

Re: Authentication Questions

Posted by Philip Martin <ph...@wandisco.com>.
JT.Miller@L-3com.com writes:

> I guess there's no caching of credentials since the path-based
> authentication file can change at any time?

I'm not clear what you mean by "caching of credentials".  Subversion
typically sends multiple HTTP requests over a single connection.  Each
HTTP request has its own authn credentials and caching those would not
make sense, although Apache may cache any data used to validate the
credentials.  Subversion's authz file is parsed when first needed and
cached for use by any subsequent HTTP requests on the same connection.

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*
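
To check whether a large debug log like the one in this thread is just the normal authn/authz pattern repeating, the lines can be tallied per client address and port and per module and level. This is an added example, not code from the thread or from the Subversion project. The sample lines are constructed in the layout of the excerpt above, and treating `[client ip:port]` as one TCP connection is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache 2.4 error-log layout as in the excerpt quoted in the thread.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid \d+:tid \d+\] "
    r"(?:\S+\(\d+\): )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
AUTHN_RE = re.compile(r"SSPI00009: Authenticated user: (?P<user>\S+)")
AUTHZ_RE = re.compile(r"Access (?:granted|denied): '[^']*' \S+")

# Constructed sample (not real log data): two requests from one client port,
# one from another, plus a line without a [client ...] field.
SAMPLE_LOG = """\
[Tue Jan 06 15:00:01.000000 2015] [mpm_winnt:notice] [pid 15392:tid 400] AH00354: Child: Starting 64 worker threads.
[Tue Jan 06 15:18:28.378306 2015] [authz_core:debug] [pid 15392:tid 16884] mod_authz_core.c(799): [client 192.0.2.10:55559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Jan 06 15:18:28.378306 2015] [authnz_sspi:debug] [pid 15392:tid 16884] mod_authnz_sspi_authentication.c(544): [client 192.0.2.10:55559] SSPI00009: Authenticated user: alice
[Tue Jan 06 15:18:28.378306 2015] [authz_svn:info] [pid 15392:tid 16884] [client 192.0.2.10:55559] Access granted: 'alice' GET repo:/trunk/README
[Tue Jan 06 15:18:28.401112 2015] [authnz_sspi:debug] [pid 15392:tid 16884] mod_authnz_sspi_authentication.c(544): [client 192.0.2.10:55559] SSPI00009: Authenticated user: alice
[Tue Jan 06 15:18:28.401112 2015] [authz_svn:info] [pid 15392:tid 16884] [client 192.0.2.10:55559] Access granted: 'alice' PROPFIND repo:/trunk
[Tue Jan 06 15:18:29.120450 2015] [authnz_sspi:debug] [pid 15392:tid 17020] mod_authnz_sspi_authentication.c(544): [client 192.0.2.11:40100] SSPI00009: Authenticated user: bob
[Tue Jan 06 15:18:29.120450 2015] [authz_svn:info] [pid 15392:tid 17020] [client 192.0.2.11:40100] Access granted: 'bob' GET repo:/trunk/README
"""

def summarize(log_text):
    """Return (stats per client ip:port, line count per module:level, skipped lines)."""
    conns = defaultdict(lambda: {"authn": 0, "authz": 0, "users": set()})
    volume, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. startup notices, which carry no client field
            skipped += 1
            continue
        volume[f"{m['module']}:{m['level']}"] += 1
        conn = conns[m["client"]]  # assumption: ip:port stands for one TCP connection
        authn, authz = AUTHN_RE.search(m["msg"]), AUTHZ_RE.search(m["msg"])
        if authn:  # mod_authnz_sspi reported an authenticated user
            conn["authn"] += 1
            conn["users"].add(authn["user"])
        if authz:  # mod_authz_svn logged an access verdict
            conn["authz"] += 1
    return dict(conns), volume, skipped

if __name__ == "__main__":
    conns, volume, skipped = summarize(SAMPLE_LOG)
    for client, s in conns.items():
        print(client, sorted(s["users"]), "authn:", s["authn"], "authz:", s["authz"])
    print("lines per module:level:", volume.most_common(), "skipped:", skipped)
```

On a real log, the per-module counts show how much of the volume comes from `debug`-level lines, and a client port whose authn count is far out of step with its authz count is the place to look first.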