Posted to users@subversion.apache.org by Tankko <ta...@gmail.com> on 2006/06/13 00:05:16 UTC

svnserve authx problems...

I just upgraded my subversion server from 1.2 to 1.3.2 (FreeBSD) and
am having some problems setting up the new authz-db stuff.

I am using svnserve, not apache.

My svnserve.conf is:

------------------
[General]
anon-access = none
auth-access = write
password-db = passwd
realm = MyProject
authz-db = authfile
------------------

My authfile is

------------------
[/]
tankko = rw

[/trunk/Data]
richp = rw

[/trunk/Source]
richp = rw
------------------

I want the user richp to only have access to the Data and Source
directories, but nothing else in /trunk, /release, /tags, or the other
directories in /trunk.

When he tries to do an update he gets:

Error: Not authorized to open root of edit operation

He can't get any access at all unless I add him to the [/] block as rw.

I've tried giving him access to [/], but then blocking access to
[/trunk], then granting to [/trunk/Data], but nothing works.

What am I doing wrong?  Everything works fine if I remove the authz-db
= authfile line as well, so svnserve is functioning correctly without
authz.

Tankko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: svnserve authx problems...

Posted by Tankko <ta...@gmail.com>.
> This really sounds like issue #2486, but it was fixed in 1.3.2 -- are
> you certain you're at 1.3.2 and not, e.g., 1.3.1?
>
>  From the 1.3.2 changelog:
>      * fixed: authz requires read access for root for writes (issue #2486)
>
> -Nathan

Yes, I'm sure and double checked:

subversion-1.3.2 (on FreeBSD)

The problem I am experiencing isn't with writes, it's with doing an
update, so I don't know that it's this issue anyway.

I'm kind of desperate to get this working.  I need to get some users
access without their ability to read other areas.  It seems like what
I'm doing should work.

Tankko



On 6/12/06, Nathan Kidd <na...@spicycrypto.ca> wrote:
>
> > I want the user richp to only have access to the Data and Source
> > directories, but nothing else in /trunk, /release, /tags, or the other
> > directories in /trunk.
> ...
> > When he tries to do an update he gets:
> >
> > Error: Not authorized to open root of edit operation
>
> This really sounds like issue #2486, but it was fixed in 1.3.2 -- are
> you certain you're at 1.3.2 and not, e.g., 1.3.1?
>
>  From the 1.3.2 changelog:
>      * fixed: authz requires read access for root for writes (issue #2486)
>
> -Nathan
>


Re: svnserve authx problems...

Posted by Nathan Kidd <na...@spicycrypto.ca>.
> I want the user richp to only have access to the Data and Source
> directories, but nothing else in /trunk, /release, /tags, or the other
> directories in /trunk.
...
> When he tries to do an update he gets:
> 
> Error: Not authorized to open root of edit operation

This really sounds like issue #2486, but it was fixed in 1.3.2 -- are 
you certain you're at 1.3.2 and not, e.g., 1.3.1?

 From the 1.3.2 changelog:
     * fixed: authz requires read access for root for writes (issue #2486)

-Nathan


Re: svnserve authx problems...

Posted by Tankko <ta...@gmail.com>.
> Checked out revision 59.
>
> It works as expected.
>
> Some random thoughts:
> - this was indeed a bug in svn 1.3.1 (as another reply already pointed out),
> so that would be my first guess too.
> - you say that the user can't update, but if he's trying an update he must
> have already succeeded in doing a checkout. where did he get the working
> copy from then? Can you try checking out a new working copy?
> - before trying, make sure you clear svn's authentication cache (or use
> --username and --password), then you're sure which account you're using.
>
> If this doesn't succeed, please give me an exact recipe of reproduction and
> I'll try it on my Linux or Mac box.

Interesting.  The user had already checked out a version (before the
addition of the authz-db), and was trying to do an update over the
top.

But it now works as advertised, so that fixed it.

Good to know:  When you add authorization, users will need to do a
clean checkout.  I wonder why?


Thanks for your help!

Tankko







RE: svnserve authx problems...

Posted by Lieven Govaerts <lg...@mobsol.be>.
 

> -----Original Message-----
> From: Tankko [mailto:tankko@gmail.com] 
> Sent: dinsdag 13 juni 2006 18:22
..
> He is not trying to check out the /trunk, he is checking out 
> /trunk/Data and /trunk/Source separately and being denied access.
> 
> I am running svnserve, not apache, so I don't know if that 
> matters to your execute comment.  I did not see anything 
> about execute permissions in the docs about the authz-db file 
> for svnserve.
> 
> This seems like a very basic thing: give someone access to 
> only one folder in a repository, but I just can't see what I 
> am doing wrong.
> Have other people gotten this to work (no read access!, just 
> the ability to checkout, update and commit one folder)?  If 
> so, can you post your authzfile?
> 
Hi, 

what you want to do is definitely possible with svnserve 1.3.2, I can
simulate it right here on my Windows pc.

I have a repository called repos, located in c:\devel\lgo\svn\repos. It
contains a trunk branch in which I created a folder 't'. 

This is my configuration for repos:
== svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = My First Repository

== authz
[/]
lgo = rw

[/trunk/t]
test = rw

== passwd
[users]
lgo = lgo
test = test

I start up svnserve like this:
C:\svn-win32-1.3.2>svnserve -d -r C:\devel\lgo\svn

and then checkout my t folder (I specify username & password so I'm sure
this username is used, not the cached one):

C:\svn-win32-1.3.2>svn checkout --username test --password test
svn://localhost/repos/trunk/t ./wc
A    wc\file
A    wc\test.txt
Checked out revision 59.

It works as expected.

Some random thoughts:
- this was indeed a bug in svn 1.3.1 (as another reply already pointed out),
so that would be my first guess too.
- you say that the user can't update, but if he's trying an update he must
have already succeeded in doing a checkout. where did he get the working
copy from then? Can you try checking out a new working copy?
- before trying, make sure you clear svn's authentication cache (or use
--username and --password), then you're sure which account you're using.

If this doesn't succeed, please give me an exact recipe of reproduction and
I'll try it on my Linux or Mac box.

regards,

Lieven.



Re: svnserve authx problems...

Posted by Tankko <ta...@gmail.com>.
On 6/13/06, Lieven Govaerts <lg...@mobsol.be> wrote:
> Quoting Tankko <ta...@gmail.com>:
>
> [..]
> > Error: Not authorized to open root of edit operation
> >
> > He can't get any access at all unless I add him to the [/] block as rw.
> >
> > I've tried giving him access to [/], but then blocking access to
> > [/trunk], then granting to [/trunk/Data], but nothing works.
> >
> > What am I doing wrong?  Everything works fine if I remove the authz-db
> > = authfile line as well, so svnserve is functioning correctly without
> > authz.
>
> Is the user trying to checkout trunk directly? So you expect him to only
> receive:
> /trunk/Source
> /trunk/Data
>
> With this configuration, he has to checkout trunk/Source and trunk/Data one by
> one. One has to have read access on the folder to be able to checkout that
> folder!
>
> Maybe read also this issue, it talks about setting execute rights on a folder
> (instead of read rights):
> http://subversion.tigris.org/issues/show_bug.cgi?id=2298
>
> hope this helps,
>
> Lieven.
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

He is not trying to check out the /trunk, he is checking out
/trunk/Data and /trunk/Source separately and being denied access.

I am running svnserve, not apache, so I don't know if that matters to
your execute comment.  I did not see anything about execute
permissions in the docs about the authz-db file for svnserve.

This seems like a very basic thing: give someone access to only one
folder in a repository, but I just can't see what I am doing wrong.
Have other people gotten this to work (no read access!, just the
ability to checkout, update and commit one folder)?  If so, can you
post your authzfile?









Re: svnserve authx problems...

Posted by Lieven Govaerts <lg...@mobsol.be>.
Quoting Tankko <ta...@gmail.com>:

[..]
> Error: Not authorized to open root of edit operation
>
> He can't get any access at all unless I add him to the [/] block as rw.
>
> I've tried giving him access to [/], but then blocking access to
> [/trunk], then granting to [/trunk/Data], but nothing works.
>
> What am I doing wrong?  Everything works fine if I remove the authz-db
> = authfile line as well, so svnserve is functioning correctly without
> authz.

Is the user trying to checkout trunk directly? So you expect him to only
receive:
/trunk/Source
/trunk/Data

With this configuration, he has to checkout trunk/Source and trunk/Data one by
one. One has to have read access on the folder to be able to checkout that
folder!

Maybe read also this issue, it talks about setting execute rights on a folder
(instead of read rights):
http://subversion.tigris.org/issues/show_bug.cgi?id=2298

hope this helps,

Lieven.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
