Posted to users@subversion.apache.org by Victor Sudakov <su...@sibptus.tomsk.ru> on 2011/02/10 16:14:24 UTC

Combining public and private paths

Dear Colleagues,

I am trying to set up the following policy: a private repository with
some public paths. Is such configuration supported at all?

The following configuration:

========== conf/svnserve.conf:
anon-access = read
auth-access = write
authz-db = authz

========== conf/authz:
[/]
@noc = rw

[/foo]
$anonymous = r
$authenticated = rw

does not work. A valid user from the noc group receives the following reply:

$ svn diff -c2237 www.txt
svn: Unreadable path encountered; access denied

If I change "anon-access = read" to "anon-access = none", it begins to
work for the valid user, but there is no anonymous access to anyone
even to svn://myserver/foo despite the "$anonymous = r" clause.

What am I doing wrong?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: Combining public and private paths

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
What the "anon-access = none" option does is remove the ANONYMOUS
mech from the list of SASL mechs offered by svnserve (I see this in
tcpflow). If this mech is present in the mech list, the svn client
does not bother to authenticate even if a valid Kerberos ticket is
available.

If the svn client had an option to enforce authentication even if
offered the ANONYMOUS mech by the server, the problem would be solved
IMHO.

Which boils down to another problem I stated here about SASL mech
selection: http://tinyurl.com/4ntesca


John Conrad wrote:
> For what it's worth, I have run into the same problem and the only
> solution I have found is to switch to a different access method. As
> best as I can tell svnserve is simply not an option when trying to set
> up a repository with path based authentication when select areas are
> flagged inaccessible to anonymous users. I have recently switched from
> a svnserve to apache based setup and using the exact same authz-db
> file, svnserve failed to return "svn log" results for protected paths
> while apache worked correctly.
> 
> The below issue on the SVN tracker I think refers to this issue and it
> has been open since Oct. 2009:
> http://subversion.tigris.org/issues/show_bug.cgi?id=3516
> 
> Anyway, I could be totally wrong here, but I do not think what you
> want to do is possible with svnserve. I hope I am mistaken, but if
> not, sorry to be the bearer of bad news.
> 
> On Thu, Feb 10, 2011 at 9:30 PM, Victor Sudakov
> <su...@sibptus.tomsk.ru> wrote:
> > The problem is probably in the following. When anon-access is other
> > than "none", svnserve does not request authentication for some
> > important operations like "svn log", and I have found no way to force
> > it to request authentication. This effectively breaks path based
> > authorization.
> >
> > I have found some tricky solutions for the http access method (like
> > defining two aliases for the same repository), but none for the
> > svnserve method. Any help?
> >
> > Victor Sudakov wrote:
> >>
> >> I am trying to set up the following policy: a private repository with
> >> some public paths. Is such configuration supported at all?
> >>
> >> The following configuration:
> >>
> >> ========== conf/svnserve.conf:
> >> anon-access = read
> >> auth-access = write
> >> authz-db = authz
> >>
> >> ========== conf/authz:
> >> [/]
> >> @noc = rw
> >>
> >> [/foo]
> >> $anonymous = r
> >> $authenticated = rw
> >>
> >> does not work. A valid user from the noc group receives the following reply:
> >>
> >> $ svn diff -c2237 www.txt
> >> svn: Unreadable path encountered; access denied
> >>
> >> If I change "anon-access = read" to "anon-access = none", it begins to
> >> work for the valid user, but there is no anonymous access to anyone
> >> even to svn://myserver/foo despite the "$anonymous = r" clause.
> >>
> >> What am I doing wrong?
-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Combining public and private paths

Posted by John Conrad <co...@gmail.com>.
For what it's worth, I have run into the same problem and the only
solution I have found is to switch to a different access method. As
best as I can tell svnserve is simply not an option when trying to set
up a repository with path based authentication when select areas are
flagged inaccessible to anonymous users. I have recently switched from
a svnserve to apache based setup and using the exact same authz-db
file, svnserve failed to return "svn log" results for protected paths
while apache worked correctly.

The below issue on the SVN tracker I think refers to this issue and it
has been open since Oct. 2009:
http://subversion.tigris.org/issues/show_bug.cgi?id=3516

Anyway, I could be totally wrong here, but I do not think what you
want to do is possible with svnserve. I hope I am mistaken, but if
not, sorry to be the bearer of bad news.

On Thu, Feb 10, 2011 at 9:30 PM, Victor Sudakov
<su...@sibptus.tomsk.ru> wrote:
> The problem is probably in the following. When anon-access is other
> than "none", svnserve does not request authentication for some
> important operations like "svn log", and I have found no way to force
> it to request authentication. This effectively breaks path based
> authorization.
>
> I have found some tricky solutions for the http access method (like
> defining two aliases for the same repository), but none for the
> svnserve method. Any help?
>
> Victor Sudakov wrote:
>>
>> I am trying to set up the following policy: a private repository with
>> some public paths. Is such configuration supported at all?
>>
>> The following configuration:
>>
>> ========== conf/svnserve.conf:
>> anon-access = read
>> auth-access = write
>> authz-db = authz
>>
>> ========== conf/authz:
>> [/]
>> @noc = rw
>>
>> [/foo]
>> $anonymous = r
>> $authenticated = rw
>>
>> does not work. A valid user from the noc group receives the following reply:
>>
>> $ svn diff -c2237 www.txt
>> svn: Unreadable path encountered; access denied
>>
>> If I change "anon-access = read" to "anon-access = none", it begins to
>> work for the valid user, but there is no anonymous access to anyone
>> even to svn://myserver/foo despite the "$anonymous = r" clause.
>>
>> What am I doing wrong?
>>
>> --
>> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
>> sip:sudakov@sibptus.tomsk.ru
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov@sibptus.tomsk.ru
>

Re: Combining public and private paths

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
The problem is probably in the following. When anon-access is other
than "none", svnserve does not request authentication for some
important operations like "svn log", and I have found no way to force
it to request authentication. This effectively breaks path based
authorization. 

I have found some tricky solutions for the http access method (like
defining two aliases for the same repository), but none for the
svnserve method. Any help?

Victor Sudakov wrote:
> 
> I am trying to set up the following policy: a private repository with
> some public paths. Is such configuration supported at all?
> 
> The following configuration:
> 
> ========== conf/svnserve.conf:
> anon-access = read
> auth-access = write
> authz-db = authz
> 
> ========== conf/authz:
> [/]
> @noc = rw
> 
> [/foo]
> $anonymous = r
> $authenticated = rw
> 
> does not work. A valid user from the noc group receives the following reply:
> 
> $ svn diff -c2237 www.txt
> svn: Unreadable path encountered; access denied
> 
> If I change "anon-access = read" to "anon-access = none", it begins to
> work for the valid user, but there is no anonymous access to anyone
> even to svn://myserver/foo despite the "$anonymous = r" clause.
> 
> What am I doing wrong?
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov@sibptus.tomsk.ru

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: Combining public and private paths

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Stefan Sperling wrote:
> > Can two svnserves share one repository?
> 
> Yes. You can run as many server instances as you like, also with
> different access methods (e.g. http:// and svn:// at the same time).

I have read that different access methods can be used simultaneously.
I did not know it was possible for several svnserve processes to
access the same repository. That's great news. I think it solves my
problem; I will just set up another svnserve process for anonymous
users listening on a different TCP port, with a special --config-file.

But wait. How do I set up a per-repository authz-db together with a global
svnserve.conf? My svnserve serves several repositories.

> 
> > There will be no data corruption, will there?
> 
> In general, no. There are some multi-access problems with BDB-based
> repositories running into issues with berkeleyDB where you might have

I use FSFS. In fact, I have hated BDB for many years since I ran slapd and
especially spamprobe with the BDB backend.

> to unwedge repositories using svnadmin recover:
> http://subversion.apache.org/faq.html#stuck-bdb-repos
> 
> However, these days FSFS-based repositories are the default and
> they don't have that issue.

Do they have some locking mechanism?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: Combining public and private paths

Posted by Stefan Sperling <st...@elego.de>.
On Fri, Feb 11, 2011 at 11:55:08PM +0600, Victor Sudakov wrote:
> Can two svnserves share one repository?

Yes. You can run as many server instances as you like, also with
different access methods (e.g. http:// and svn:// at the same time).

> There will be no data corruption, will there?

In general, no. There are some multi-access problems with BDB-based
repositories running into issues with berkeleyDB where you might have
to unwedge repositories using svnadmin recover:
http://subversion.apache.org/faq.html#stuck-bdb-repos

However, these days FSFS-based repositories are the default and
they don't have that issue.

Re: Combining public and private paths

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Can two svnserves share one repository? There will be no data
corruption, will there?

Daniel Shahaf wrote:
> Workaround: you could run two svnserves with different configs, one
> allowing only anonymous access and one only authenticated access.
> 
> I know httpd has the problem you're describing, I don't recall previous
> reports of it with svnserve.
> 
> Victor Sudakov wrote on Thu, Feb 10, 2011 at 21:14:24 +0600:
> > ========== conf/authz:
> > [/]
> > @noc = rw
> > 
> > [/foo]
> > $anonymous = r
> > $authenticated = rw
> > 
> > does not work. A valid user from the noc group receives the following reply:
> > 
> > $ svn diff -c2237 www.txt
> > svn: Unreadable path encountered; access denied
> 
> It would be relevant to know www.txt's absolute path.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: Combining public and private paths

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Workaround: you could run two svnserves with different configs, one
allowing only anonymous access and one only authenticated access.

I know httpd has the problem you're describing, I don't recall previous
reports of it with svnserve.

Victor Sudakov wrote on Thu, Feb 10, 2011 at 21:14:24 +0600:
> ========== conf/authz:
> [/]
> @noc = rw
> 
> [/foo]
> $anonymous = r
> $authenticated = rw
> 
> does not work. A valid user from the noc group receives the following reply:
> 
> $ svn diff -c2237 www.txt
> svn: Unreadable path encountered; access denied

It would be relevant to know www.txt's absolute path.
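A model of the two checks this thread is fighting, added here as an illustration and not taken from the thread or from Subversion's own code: the anon-access/auth-access gate in svnserve.conf decides whether a connection gets in at all, and only then does the most specific matching section of the authz file decide the path. The [groups] membership, the user name "victor", the [general] header and the /private/www.txt path are assumptions; treating the client as anonymous whenever the ANONYMOUS mech is on offer is the behaviour Victor observed, and the three configs are the thread's original plus Daniel's two-server workaround.

```python
import configparser
# The thread's authz file; the [groups] membership and user name are constructed.
AUTHZ = """[groups]
noc = victor
[/]
@noc = rw
[/foo]
$anonymous = r
$authenticated = rw
"""
# svnserve.conf [general] settings: the thread's single server, then the two-server workaround.
CONF_SHARED = "[general]\nanon-access = read\nauth-access = write\n"
CONF_ANON_ONLY = "[general]\nanon-access = read\nauth-access = none\n"
CONF_AUTH_ONLY = "[general]\nanon-access = none\nauth-access = write\n"

def parse_authz(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep '@', '$' and case in rule names
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp["groups"].items()}
    return groups, {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}

def rule_matches(rule, user, groups):
    if rule.startswith("@"): return user in groups.get(rule[1:], set())
    return rule in ("*", user, "$anonymous" if user is None else "$authenticated")

def authz_rights(groups, rules, user, path):
    # Most specific section naming this principal wins, else the parent's rule is
    # inherited. Simplification: assumes no conflicting rules inside one section.
    parts = path.rstrip("/").split("/")
    for i in range(len(parts), 0, -1):
        section = "/".join(parts[:i]) or "/"
        for rule, perm in rules.get(section, {}).items():
            if rule_matches(rule, user, groups):
                return set(perm)  # "" means explicitly no access
    return set()

def connection_rights(svnserve_conf, user):
    # anon-access / auth-access cap whatever authz would grant; "none" for an
    # anonymous client means svnserve does not let it in at all.
    cp = configparser.ConfigParser()
    cp.read_string(svnserve_conf)
    level = cp["general"]["auth-access" if user else "anon-access"]
    return {"none": set(), "read": {"r"}, "write": {"r", "w"}}[level]

def can(svnserve_conf, user, path, op):
    # user=None models a client that took the ANONYMOUS SASL mech, which the
    # thread reports happens whenever the server offers it, credentials or not.
    groups, rules = parse_authz(AUTHZ)
    return op in connection_rights(svnserve_conf, user) & authz_rights(groups, rules, user, path)
```

With CONF_SHARED and user=None, a read of /private/www.txt comes back False, which is the "Unreadable path" case; with CONF_AUTH_ONLY an anonymous read of /foo also comes back False, the second thing Victor saw, while the split CONF_ANON_ONLY / CONF_AUTH_ONLY pair gives each kind of client exactly what the authz file says.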