Posted to users@subversion.apache.org by Adrian Marsh <Ad...@ubiquisys.com> on 2007/03/07 14:54:54 UTC
Restricting access
Hi,
I've an SVN server, accessed by svn+ssh, with 2 repositories. I'd like
to control access to the repositories.
The SSH config includes the setup to specify the tunnel user, eg:
command="/usr/local/bin/svnserve -t --tunnel-user=marsh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
My svnserve.conf file has:
-----
[general]
anon-access = none
auth-access = write
authz-db = authz
realm = test_r
-----
My authz file has:
-----
[groups]
test_group = marsh
[/]
@test_group = r
-----
This config works ok, and user "marsh" has r/o access to the repository.
However I want to use the same authz file for 2 repositories
(changing "authz-db = authz" to "authz-db = /somedir/authz")
So I thought that I'd need to specify the realm in the authz file, and
then later on add a second realm config:
-----
[groups]
test_group = marsh
[test_r:/]
@test_group = r
-----
But instead I get an authorisation failure.
NB: At this point, both authz and svnserve.conf are in the same conf/
directory under one repository.
The full unix path to the repo is /svn/test_abc, so does the [test_r:/]
refer to the root of the repository - OR - the unix filepath ?
What did I miss??
Adrian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Restricting access
Posted by Rahul Bhargava <me...@rahulbhargava.org>.
Adrian Marsh wrote:
> Thanks Rahul,
>
You are welcome!
> So what happens if you don't specify the -r option at all?
>
If you don't specify a -r option, '/' is assumed as the root. The svn client
then presumes you will specify the fully qualified path relative to '/'.
> Currently, my .ssh authenticate file contains :
>
> command="/usr/local/bin/svnserve -t --tunnel-user=marsh"
> no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa
> <key>
>
>
> If I change my .ssh authentication file to:
>
> command="/usr/local/bin/svnserve -t --tunnel-user=marsh -r /svn"
> no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa
> <key>
>
> Then does that mean that the current url of:
> svn+ssh://puttyname/svn/svnroot1 would change to
> svn+ssh://puttyname/svnroot1 ?
>
>
That would be correct
--
Rahul Bhargava
http://www.rahulbhargava.org
Phone: (925) 265-8801(W)|895-2201(M)
RE: Restricting access
Posted by Adrian Marsh <Ad...@ubiquisys.com>.
Thanks Rahul,
So what happens if you don't specify the -r option at all?
Currently, my .ssh authenticate file contains :
command="/usr/local/bin/svnserve -t --tunnel-user=marsh"
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa
<key>
If I change my .ssh authentication file to:
command="/usr/local/bin/svnserve -t --tunnel-user=marsh -r /svn"
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa
<key>
Then does that mean that the current url of:
svn+ssh://puttyname/svn/svnroot1 would change to
svn+ssh://puttyname/svnroot1 ?
Cheers,
Adrian
Re: Restricting access
Posted by Rahul Bhargava <me...@rahulbhargava.org>.
The authz file's repository specification is relative to the parent path
specified to svnserve via the -r option.
For example:
$ ls ~/svnroots
svnroot1 svnroot2
$ svnserve -d -r ~/svnroots/
Then the authz file could contain:
[svnroot1:/bar]
rahul = w
So make sure you are specifying the correct root to svnserve.
--
Rahul Bhargava
http://www.rahulbhargava.org
Phone: (925) 265-8801(W)|895-2201(M)
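Added example (not part of the original posts, and not svnserve's own code): a simplified Python model of the rule described in this thread, where the name in an authz section header is the repository path relative to the svnserve -r root, not the realm from svnserve.conf. The function names and the lookup order (repository-specific section first, then the generic one, walking up to parent directories) are assumptions of this sketch; the sample authz text is constructed from the question.

```python
import configparser
import posixpath

def authz_repos_name(serve_root, repos_path):
    """Repository name per the thread: the repository's filesystem path
    relative to the svnserve -r root ('/' when -r is not given)."""
    return posixpath.relpath(repos_path, serve_root or "/")

def parse_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def access_for(authz, repos_name, path, user):
    """Simplified lookup: try [repos_name:path], then [path], walking up to
    parent directories. Returns the rights string, or '' for no access."""
    groups = {}
    if authz.has_section("groups"):
        groups = {g: {m.strip() for m in members.split(",")}
                  for g, members in authz["groups"].items()}
    while True:
        for section in (f"{repos_name}:{path}", path):
            if not authz.has_section(section):
                continue
            for who, rights in authz[section].items():
                in_group = who.startswith("@") and user in groups.get(who[1:], ())
                if who in (user, "*") or in_group:
                    return rights.strip()
        if path == "/":
            return ""  # nothing matched: authorization failure
        path = posixpath.dirname(path)

# Constructed sample: the authz file from the question, keyed by the realm ...
BY_REALM = "[groups]\ntest_group = marsh\n[test_r:/]\n@test_group = r\n"
# ... and the same rule keyed by the repository name instead.
BY_NAME = "[groups]\ntest_group = marsh\n[test_abc:/]\n@test_group = r\n"

if __name__ == "__main__":
    name = authz_repos_name("/svn", "/svn/test_abc")  # svnserve -t -r /svn
    print(name, repr(access_for(parse_authz(BY_REALM), name, "/", "marsh")))
    print(name, repr(access_for(parse_authz(BY_NAME), name, "/", "marsh")))
    print(authz_repos_name(None, "/svn/test_abc"))    # no -r: relative to '/'
```

The same relative path is what appears in the client URL, which is why adding -r /svn shortens svn+ssh://puttyname/svn/svnroot1 to svn+ssh://puttyname/svnroot1.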
RE: Restricting access
Posted by Adrian Marsh <Ad...@ubiquisys.com>.
Anyone have an idea for this??