Posted to dev@subversion.apache.org by Dan Ports <dr...@mit.edu> on 2004/08/05 12:16:46 UTC

Checkouts fail with mod_authz_svn/FakeBasicAuth

 Hello all,

 I've run into what seems to be a bug in Subversion or Apache. The
quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
FakeBasicAuth option to achieve repository access control based on 
client SSL certificates. This appears to be due to a problem with
authentication in subrequests.

 I'll be the first to admit my ignorance about the internals of
Subversion and Apache, so I may be misdiagnosing the problem. In
particular, I have a possible fix/workaround, but I can't say whether
it's actually the Right Thing to do. I suspect this may actually be an
issue purely with Apache that's just being tickled by Subversion, but I
thought I'd post here first in order to make sure it wasn't related to
part of svn.

 I'm running Subversion 1.0.6 with Apache 2.0.50 under FreeBSD 4.10.
I access my repository via HTTPS with SSL client certificates, and use
mod_authz_svn to specify repository permissions. To make this work, I
use mod_ssl's FakeBasicAuth option, which translates the client
certificate into a faked Authorization header identifying the
certificate, which mod_authz_svn can use to look up the user's
permissions.

 With this configuration, some operations are possible on the
repository, but checkouts fail with the following error: 
    svn: REPORT request failed on '/svn/!svn/vcc/default'
    svn: 
    Unable to open root of edit

 The relevant messages in the Apache logs:
    midnight-anchovy.mit.edu - - [05/Aug/2004:03:56:31 -0700] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 223
  (Note the lack of a username added by FakeBasicAuth.)

    [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] A failure occurred while driving the update report editor  [500, #220000]
    [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] Unable to open root of edit  [500, #220000]

 I've also observed that this error does not take place if I've granted
world-read access to the repository, only if authentication is required
to access the repository. (Of course, I've made sure that the client
has the correct certificates and configuration.)

 It seems as though the Authorization header is not correctly added to
the subrequest, causing the authentication to fail. I poked around a
bit in the mod_ssl source, and found that I could make things work if I
made the following changes to httpd-2.0.50/modules/ssl/ssl_engine_kernel.c:

 1) Commented out the following lines (813-815 in my copy):
      if (!ap_is_initial_req(r)) { 
          return DECLINED;
      }                   

 2) Added '&& ap_is_initial_req(r)' to the following conditional (line
823):
      if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {

 Now, not being an Apache expert, I don't know whether this is the
correct fix. I'm not even entirely sure what my changes do -- in
particular, I'm not totally clear on why the second change is
necessary. I'm particularly suspicious because the first change
involves disabling a check that someone explicitly added, presumably
for some reason. But I've been running with this configuration for
several weeks now, and everything seems to be working correctly. (I was
initially using it under svn 1.0.5 and apache 2.0.49, then upgraded to
1.0.6/2.0.50.)

 Can one of you shed some light on this problem? In particular, is the
fix I'm using correct? Is this issue related to the Subversion modules,
or is it a pure Apache issue that I should pass along to the Apache
folks? Or am I just doing something wrong? Any insights would be
appreciated.

 Cheers,
 
 Dan

-- 
Dan R. K. Ports
Research Minion
Massachusetts Institute of Technology                     <dr...@mit.edu>
Computer Science and Artificial Intelligence Lab    <dr...@csail.mit.edu>                            

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
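
The two changes described in the message above, as a simplified model (an added example, not code from the original post or from mod_ssl). The struct, the function names, the constructed certificate subject, and the body of the Authorization check (refusing a header shaped like FakeBasicAuth's own output) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define DECLINED       (-1)
#define HTTP_FORBIDDEN 403

struct req {              /* toy stand-in for request_rec (constructed) */
    int initial;          /* 1 = main request, 0 = subrequest */
    const char *cert_dn;  /* verified client certificate subject, or NULL */
    char user[128];       /* Basic username; "" = no Authorization header */
    char pass[32];
    int faked;            /* hook injected credentials into this request */
};

/* change1: drop the early return for subrequests (step 1 in the post).
 * change2: run the Authorization check on initial requests only (step 2). */
static int user_check(struct req *r, int change1, int change2)
{
    if (!change1 && !r->initial)
        return DECLINED;
    /* Assumed body: refuse a header shaped like FakeBasicAuth's own output. */
    if (r->user[0] == '/' && strcmp(r->pass, "password") == 0
        && (!change2 || r->initial))
        return HTTP_FORBIDDEN;
    if (r->cert_dn != NULL) {  /* translate certificate into fake credentials */
        snprintf(r->user, sizeof r->user, "%s", r->cert_dn);
        strcpy(r->pass, "password");
        r->faked = 1;
    }
    return DECLINED;
}

/* Main request with a certificate, then a subrequest inheriting its headers. */
static int run_subrequest(int change1, int change2, int *faked)
{
    struct req main_req = { 1, "/CN=constructed-user", "", "", 0 };
    user_check(&main_req, change1, change2);
    struct req sub = main_req;          /* subrequest sees the same headers */
    sub.initial = 0; sub.faked = 0;
    int status = user_check(&sub, change1, change2);
    *faked = sub.faked;
    return status;
}

int main(void)
{
    int f, s = run_subrequest(1, 0, &f);
    printf("change 1 only: status=%d faked=%d\n", s, f);
    s = run_subrequest(1, 1, &f);
    printf("both changes:  status=%d faked=%d\n", s, f);
    return 0;
}
```

In this model, change 1 alone makes the subrequest fail with 403 because it inherits the header injected into the main request; with both changes the credentials are applied to the subrequest, while a header of that shape arriving on an initial request is still refused.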

Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

Posted by Dan Ports <dr...@mit.edu>.
On Fri, Oct 01, 2004 at 10:27:11AM -0500, Travis P wrote:
> For debugging at least, you might want to try requiring the 
> authentication for all interactions, eg with this in your Location 
> block:
>   SSLRequireSSL

 I have in fact tried this, though I don't see how it relates to my
problem. I haven't had any problems with SSL itself, nor with
certificate validity; the only problem is with translating the
certificate ID into something authz_svn can use (via FakeBasicAuth).

> You've tested reading some static web pages via authenticated SSL? 
> (with SSLRequireSSL again?)

 Yes, this works fine. I can correctly control access to static
webpages based on certificate ID with FakeBasicAuth. The problem seems
to be that the FakeBasicAuth authentication information is apparently
not passed from the HTTP request to any subrequests. This means that
regular HTTP GET requests are fine, but more complex requests (like
those created by a svn checkout) fail.

> The user id running Apache is the same one that created and owns 
> everything within the repository, yes?
 
 Yes.

 Dan

-- 
Dan R. K. Ports                                
Research Minion
Massachusetts Institute of Technology                     <dr...@mit.edu>
Computer Science and Artificial Intelligence Lab    <dr...@csail.mit.edu>                            


Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

Posted by Travis P <sv...@castle.fastmail.fm>.
(Switched to users@ mailing list as there's no indication this involves 
a code issue and not user configuration difficulties.)

Just some debug ideas:

For debugging at least, you might want to try requiring the 
authentication for all interactions, eg with this in your Location 
block:
   SSLRequireSSL

You've tested reading some static web pages via authenticated SSL? 
(with SSLRequireSSL again?)

The user id running Apache is the same one that created and owns 
everything within the repository, yes?

-Travis


On Aug 5, 2004, at 7:16 AM, Dan Ports wrote:

>  Hello all,
>
>  I've run into what seems to be a bug in Subversion or Apache. The
> quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
> FakeBasicAuth option to achieve repository access control based on
> client SSL certificates. This appears to be due to a problem with
> authentication in subrequests.
>
>  I'll be the first to admit my ignorance about the internals of
> Subversion and Apache, so I may be misdiagnosing the problem. In
> particular, I have a possible fix/workaround, but I can't say whether
> it's actually the Right Thing to do. I suspect this may actually be an
> issue purely with Apache that's just being tickled by Subversion, but I
> thought I'd post here first in order to make sure it wasn't related to
> part of svn.
>
>  I'm running Subversion 1.0.6 with Apache 2.0.50 under FreeBSD 4.10.
> I access my repository via HTTPS with SSL client certificates, and use
> mod_authz_svn to specify repository permissions. To make this work, I
> use mod_ssl's FakeBasicAuth option, which translates the client
> certificate into a faked Authorization header identifying the
> certificate, which mod_authz_svn can use to look up the user's
> permissions.
>
>  With this configuration, some operations are possible on the
> repository, but checkouts fail with the following error:
>     svn: REPORT request failed on '/svn/!svn/vcc/default'
>     svn:
>     Unable to open root of edit
>
>  The relevant messages in the Apache logs:
>     midnight-anchovy.mit.edu - - [05/Aug/2004:03:56:31 -0700] "REPORT /svn/!svn/vcc/default HTTP/1.1" 500 223
>   (Note the lack of a username added by FakeBasicAuth.)
>
>     [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] A failure occurred while driving the update report editor  [500, #220000]
>     [Thu Aug 05 03:56:31 2004] [error] [client 18.239.1.63] Unable to open root of edit  [500, #220000]
>
>  I've also observed that this error does not take place if I've granted
> world-read access to the repository, only if authentication is required
> to access the repository. (Of course, I've made sure that the client
> has the correct certificates and configuration.)
>
>  It seems as though the Authorization header is not correctly added to
> the subrequest, causing the authentication to fail. I poked around a
> bit in the mod_ssl source, and found that I could make things work if I
> made the following changes to 
> httpd-2.0.50/modules/ssl/ssl_engine_kernel.c:
>
>  1) Commented out the following lines (813-815 in my copy):
>       if (!ap_is_initial_req(r)) {
>           return DECLINED;
>       }
>
>  2) Added '&& ap_is_initial_req(r)' to the following conditional (line
> 823):
>       if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {
>
>  Now, not being an Apache expert, I don't know whether this is the
> correct fix. I'm not even entirely sure what my changes do -- in
> particular, I'm not totally clear on why the second change is
> necessary. I'm particularly suspicious because the first change
> involves disabling a check that someone explicitly added, presumably
> for some reason. But I've been running with this configuration for
> several weeks now, and everything seems to be working correctly. (I was
> initially using it under svn 1.0.5 and apache 2.0.49, then upgraded to
> 1.0.6/2.0.50.)
>
>  Can one of you shed some light on this problem? In particular, is the
> fix I'm using correct? Is this issue related to the Subversion modules,
> or is it a pure Apache issue that I should pass along to the Apache
> folks? Or am I just doing something wrong? Any insights would be
> appreciated.
>
>  Cheers,
>
>  Dan
>
> -- 
> Dan R. K. Ports
> Research Minion
> Massachusetts Institute of Technology                     
> <dr...@mit.edu>
> Computer Science and Artificial Intelligence Lab    
> <dr...@csail.mit.edu>



Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

Posted by Dan Ports <dr...@mit.edu>.
On Fri, Oct 01, 2004 at 03:32:35PM +0100, Julian Foad wrote:
> Dan Ports wrote:
> > I've run into what seems to be a bug in Subversion or Apache. The
> >quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
> >FakeBasicAuth option to achieve repository access control based on 
> >client SSL certificates. This appears to be due to a problem with
> >authentication in subrequests.
> [...]
> 
> Sorry to hear you had trouble and got no reply on the mailing list.  Please 
> feel free to re-post your query if you haven't resolved the problem.

 I am indeed still having this problem, though the patch (against
Apache mod_ssl) I described in my previous message appears to solve it.
Briefly, I'm trying to use FakeBasicAuth and mod_authz_svn to restrict
access to parts of my repository to certain certificate-authenticated
users. The problem seems to be that FakeBasicAuth authentication
information is not preserved when an HTTP request generates a
subrequest, so authz_svn authorization based on FakeBasicAuth
certificate information fails to work.

 For more details, see my original post,
http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=73775

 Kevin Bentley also recently posted some notes on how to use mod_ssl's
SSLUserName option with authz_svn to accomplish the same goal, but this
appears to require patching both mod_ssl and mod_authz_svn.

 I'm currently running Subversion 1.0.6 with Apache 2.0.50; I'll see if
I can find some time this weekend to upgrade and test with the latest
version, though I doubt this will change anything.

 Dan

-- 
Dan R. K. Ports                                
Research Minion
Massachusetts Institute of Technology                     <dr...@mit.edu>
Computer Science and Artificial Intelligence Lab    <dr...@csail.mit.edu>                            


Re: Checkouts fail with mod_authz_svn/FakeBasicAuth

Posted by Julian Foad <ju...@btopenworld.com>.
Looking through old mail...

Dan Ports wrote:
>  I've run into what seems to be a bug in Subversion or Apache. The
> quick summary: checkouts fail when using mod_authz_svn with mod_ssl's
> FakeBasicAuth option to achieve repository access control based on 
> client SSL certificates. This appears to be due to a problem with
> authentication in subrequests.
[...]

Sorry to hear you had trouble and got no reply on the mailing list.  Please feel free to re-post your query if you haven't resolved the problem.

If anyone doesn't get a response on this list within a couple of (working) days it may be that nobody can help or it may be that the one or two people who might be able to help were too busy with other things when they saw your message, or whatever, so please do ask again.

- Julian

