Posted to users@subversion.apache.org by Brian Brophy <br...@email.com> on 2006/07/17 02:56:35 UTC

mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE

Hello,

We are using mod_authz_ldap to authenticate our users and mod_authz_svn 
to authorize them.  Subversion 1.3.1 running on Red Hat Enterprise Linux 
3 and Apache 2.0.46.

What I can see is that authentication is working fine and the user is 
being identified by mod_authz_svn correctly.  Authorization is working 
fine for everything except the COPY operation, and thus MOVE and RENAME 
as well (since these attempt copies at some point).

Here is the attempt:
svn copy -m 'testing' --username user123 --password mySecret 
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup" 
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2"

Here is an excerpt from a failed COPY (note how the user is correctly 
identified and then failed as 'null' when SVN tries to copy the new 
file's name to itself ... weird ...):
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
'user123' CHECKOUT repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
'user123' PROPPATCH repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
GET repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 
'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup 
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied: 
'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2 
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request 
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 
'user123' DELETE repo:
[Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with 
standard shutdown(server server.abc.com:443, client 127.0.0.1)

And here is the corresponding mod_authz_svn ACL file:
# Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
[groups]
repo_SVN Administrator = user123, user789
repo_SVN Architecture = user123, user456

[repo:/]
* = r
@repo_SVN Administrator = rw

[repo:/Common/Architecture]
@repo_SVN Architecture = rw

Additionally, here is the apache subversion.conf file:
# Load Subversion Modules
LoadModule authz_ldap_module  modules/mod_authz_ldap.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /svn/repo>
   DAV svn
   SVNPath /shared/subversion/repos/abc
   SVNIndexXSLT "/arch-svnindex.xsl"
   SSLRequireSSL
   AuthzLDAPMethod ldap
   AuthzLDAPAuthoritative off
   AuthzSVNAuthoritative on
   AuthType Basic
   AuthName "LDAP"
   AuthzLDAPServer 127.0.0.1:10636
   AuthzLDAPLogLevel debug
   AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
   AuthzLDAPUserKey uid
   AuthzLDAPUserScope base
   AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
   AuthzLDAPGroupKey cn
   AuthzLDAPGroupScope base
   AuthzLDAPMemberKey uniquemember
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
   </LimitExcept>
   AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>

Please note that the log excerpt above is the result of the single copy 
command ... why does it attempt to copy from old to new (expected) but 
then also after that from new to new?

Thanks,
Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
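
Added example (not part of the original post and not Subversion project code): a short Python check that rejoins the wrapped mod_authz_svn log entries shown above and reports write-method decisions evaluated with no user ('-' or '(null)') for a client that was identified earlier. The sample log is constructed from four entries of the excerpt; the function names and the read-only method set (copied from the LimitExcept line) are assumptions of this example.

```python
import re

# Constructed sample: four entries in the log format shown in the post,
# with the mail client's line wrapping preserved.
SAMPLE_LOG = """\
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' DELETE repo:
"""

ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"Access (?P<verdict>granted|denied): (?P<user>'[^']*'|-) "
    r"(?P<method>[A-Z]+) (?P<paths>[^\[]*)")
READ_ONLY = {"GET", "PROPFIND", "OPTIONS", "REPORT"}  # the LimitExcept list

def parse_decisions(text):
    """Undo the line wrapping and return one dict per mod_authz_svn decision."""
    flat = " ".join(text.split())
    out = []
    for m in ENTRY.finditer(flat):
        d = m.groupdict()
        d["user"] = d["user"].strip("'")
        d["paths"] = d["paths"].split()
        out.append(d)
    return out

def identity_lost(decisions):
    """Write-method decisions made without a user although the same
    client was identified on an earlier decision."""
    seen, hits = {}, []
    for d in decisions:
        anon = d["user"] in ("-", "(null)")
        if not anon:
            seen[d["client"]] = d["user"]
        elif d["method"] not in READ_ONLY and d["client"] in seen:
            hits.append((d["ts"], d["method"], d["verdict"], seen[d["client"]], d["paths"]))
    return hits
```

On the sample, identity_lost(parse_decisions(SAMPLE_LOG)) returns the single denied COPY of hotBackup2 onto itself, paired with the user ('user123') last seen for that client.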

Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE

Posted by Brian Brophy <br...@email.com>.
I have not heard any responses yet.  Should I be perhaps posting this to 
an alternate location?

Thanks again,
Brian

Brian Brophy wrote:

> Hello,
>
> We are using mod_authz_ldap to authenticate our users and 
> mod_authz_svn to authorize them.  Subversion 1.3.1 running on Red Hat 
> Enterprise Linux 3 and Apache 2.0.46.
>
> What I can see is that authentication is working fine and the user is 
> being identified by mod_authz_svn correctly.  Authorization is working 
> fine for everything except the COPY operation, and thus MOVE and 
> RENAME as well (since these attempt copies at some point).
>
> Here is the attempt:
> svn copy -m 'testing' --username user123 --password mySecret 
> "https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup" 
> "https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2" 
>
>
> Here is an excerpt from a failed COPY (note how the user is correctly 
> identified and then failed as 'null' when SVN tries to copy the new 
> file's name to itself ... weird ...):
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
> 'user123' CHECKOUT repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
> 'user123' PROPPATCH repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: 
> 'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> GET repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: - 
> PROPFIND repo:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 
> 'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup 
> repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied: 
> '(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2 
> repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request 
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted: 
> 'user123' DELETE repo:
> [Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with 
> standard shutdown(server server.abc.com:443, client 127.0.0.1)
>
> And here is the corresponding mod_authz_svn ACL file:
> # Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
> [groups]
> repo_SVN Administrator = user123, user789
> repo_SVN Architecture = user123, user456
>
> [repo:/]
> * = r
> @repo_SVN Administrator = rw
>
> [repo:/Common/Architecture]
> @repo_SVN Architecture = rw
>
> Additionally, here is the apache subversion.conf file:
> # Load Subversion Modules
> LoadModule authz_ldap_module  modules/mod_authz_ldap.so
> LoadModule dav_svn_module     modules/mod_dav_svn.so
> LoadModule authz_svn_module   modules/mod_authz_svn.so
>
> <Location /svn/repo>
>   DAV svn
>   SVNPath /shared/subversion/repos/abc
>   SVNIndexXSLT "/arch-svnindex.xsl"
>   SSLRequireSSL
>   AuthzLDAPMethod ldap
>   AuthzLDAPAuthoritative off
>   AuthzSVNAuthoritative on
>   AuthType Basic
>   AuthName "LDAP"
>   AuthzLDAPServer 127.0.0.1:10636
>   AuthzLDAPLogLevel debug
>   AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
>   AuthzLDAPUserKey uid
>   AuthzLDAPUserScope base
>   AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
>   AuthzLDAPGroupKey cn
>   AuthzLDAPGroupScope base
>   AuthzLDAPMemberKey uniquemember
>   <LimitExcept GET PROPFIND OPTIONS REPORT>
>     Require valid-user
>   </LimitExcept>
>   AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
> </Location>
>
> Please note that the log excerpt above is the result of the single 
> copy command ... why does it attempt to copy from old to new 
> (expected) but then also after that from new to new?
>
> Thanks,
> Brian
>
