Posted to users@subversion.apache.org by Serhat Sakarya <se...@sakarya.nl> on 2004/03/23 11:42:51 UTC

Question regarding mixed anonymous/authenticated repository

Hello,

we have been trying to use Subversion for a repository that allows both
anonymous and authenticated users. We basically followed the manual for
the apache variant, using these lines in our httpd.conf:

   Require valid-user
   Satisfy Any
   AuthType Basic

Our current authuserfile basically looks like this:
--------
[/]
* = r
serhat = rw

[/Ideas]
* =
serhat = rw
--------

When we check out /Ideas separately, the client asks for a username and
proceeds correctly. However, if we check out the root dir (/), then no
username is used even if provided on the command line, and "/Ideas" is skipped.

My question is: how can we get the client to check out the entire
repository? The same applies to doing updates and commits. Do we have to
change something on the client side or server side for this to happen?

Thanks for any suggestions.

Regards,

Serhat

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Question regarding mixed anonymous/authenticated repository

Posted by Scott Lawrence <sl...@pingtel.com>.
On Tue, 2004-03-23 at 06:42, Serhat Sakarya wrote:
> Hello,
> 
> we have been trying to use Subversion for a repository that allows both
> anonymous and authenticated users. We basically followed the manual for
> the apache variant, using these lines in our httpd.conf:
> 
>    Require valid-user
>    Satisfy Any
>    AuthType Basic

I think I've accomplished this doing everything at the apache level, but
it's not widely tested yet, so I'd appreciate a review.  I have only
http: access to the repository (my goal being to integrate the same
account system with our bug tracker and other services available through
the web site - anyone done that with Jira?)

I limit write access to any repository to valid users, and specific
repositories may also specify a group to which the user must belong:

<Location /rep>
  DAV svn
  # any "/rep/foo" URL will map to a repository /scm/rep/foo
  SVNParentPath /scm/rep
  Allow from all
 
  # For any operations other than these, require an authenticated user.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Satisfy All
    Allow from all
    Require valid-user
  </LimitExcept>
</Location>

<Location /rep/testproj/>
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require group testproj
  </LimitExcept>
</Location>

-- 
Scott Lawrence        
  Pingtel Corp.   
  sip:slawrence {at} pingtel.com  
  +1.781.938.5306 x162


RE: Question regarding mixed anonymous/authenticated repository

Posted by Sander Striker <st...@apache.org>.

> -----Original Message-----
> From: Ben Collins-Sussman [mailto:sussman@collab.net]
> Sent: Tuesday, March 23, 2004 3:13 PM
> To: Serhat Sakarya
> Cc: users@subversion.tigris.org; striker@apache.org
> Subject: Re: Question regarding mixed anonymous/authenticated repository
> 
> 
> Serhat Sakarya wrote:
> 
> > [/]
> > * = r
> > serhat = rw
> > 
> > [/Ideas]
> > * =
> > serhat = rw
> 
> > My question is: how can we get the client to checkout the entire
> > repository? The same applies to doing updates and commits. Do we have to
> > change something on the client side or server side for this to happen?
> 
> The problem here is that there's no way for the client to "push" 
> authentication at the server, the way it does in CVS.  Authentication is 
> strictly a "server pull" thing, and you've configured your server to not 
> automatically challenge clients.  You've made it very tolerant by 
> putting in the "satisfy any" directive:  the client asks for /, and your 
> authz file tells the server that there's no need to issue an auth challenge.
> 
> The "skipping" of /Ideas is actually a feature, believe it or not.
> 
> I think the only way to get the behavior you want is to disable 
> anonymous access completely (by removing the 'satisfy any' directive). 
> Then you'll be able to identify yourself as 'serhat' when you try to 
> checkout '/'.
> 
> Sander Striker:  what do you think about this?

Actually, we can 'push' the credentials on the first request; with mod_dav_svn
from trunk they will actually 'stick'.  As in, just send the Authorization
header, which I'm fairly sure neon is capable of doing.  But this will
not work with digest auth (it needs a challenge), only with basic.  And TBH
I don't know if it is wanted to push credentials to a server without a
challenge...

Anyways, Ben is completely right.  The only way to overcome the
ignore-directories-I-don't-have-access-to feature is to require
authentication always.  The setup I have in my mind is:

- over https://

<Location xxx>
  DAV svn
  ...

  AuthzSVNAccessFile ...
  Require valid-user
</Location>

- over http://

<Location xxx>
  DAV svn
  ...

  AuthzSVNAccessFile ...
</Location>

That will forbid access to e.g. /Ideas over http://, but get you
the entire repos over https://.

The extra benefit of this setup is that your credentials are never
sent over the wire in the clear.


Sander


Re: Question regarding mixed anonymous/authenticated repository

Posted by Ben Collins-Sussman <su...@collab.net>.
Serhat Sakarya wrote:

> [/]
> * = r
> serhat = rw
> 
> [/Ideas]
> * =
> serhat = rw

> My question is: how can we get the client to checkout the entire
> repository? The same applies to doing updates and commits. Do we have to
> change something on the client side or server side for this to happen?

The problem here is that there's no way for the client to "push" 
authentication at the server, the way it does in CVS.  Authentication is 
strictly a "server pull" thing, and you've configured your server to not 
automatically challenge clients.  You've made it very tolerant by 
putting in the "satisfy any" directive:  the client asks for /, and your 
authz file tells the server that there's no need to issue an auth challenge.

The "skipping" of /Ideas is actually a feature, believe it or not.

I think the only way to get the behavior you want is to disable 
anonymous access completely (by removing the 'satisfy any' directive). 
Then you'll be able to identify yourself as 'serhat' when you try to 
checkout '/'.

Sander Striker:  what do you think about this?

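The behaviour Ben and Sander describe (the server only challenges when anonymous cannot read the requested path, the client only sends credentials after a challenge, and subtrees the effective identity cannot read are silently skipped) can be traced with a small model. The following is an added example, not code from the thread or from Subversion itself: it parses Serhat's authz file with a simplified rule lookup (an assumption about mod_authz_svn: the most specific section naming the user or `*` decides, otherwise access is denied), and simulates the checkout of `/` with and without `Satisfy Any`. The repository layout and the helper names are constructed for the illustration.

```python
import configparser
from typing import Dict, List, Optional

# Constructed copy of the authz file quoted in the thread (not a live config).
AUTHZ_TEXT = """\
[/]
* = r
serhat = rw

[/Ideas]
* =
serhat = rw
"""

# Constructed repository layout used by the simulated checkouts.
REPO_PATHS = ["/", "/README", "/Ideas", "/Ideas/plan.txt", "/docs", "/docs/index.txt"]

ANONYMOUS = None  # a request that carries no credentials


def parse_authz(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an AuthzSVNAccessFile-style file into {path_section: {user: perms}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _ancestors(path: str) -> List[str]:
    """Return the path itself, then each parent up to '/'."""
    out = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        out.append(path)
    return out


def effective_access(rules: Dict[str, Dict[str, str]], user: Optional[str], path: str) -> str:
    """Simplified model (assumption) of the authz lookup: walk from the path up to '/',
    and the first section that names the user, or '*', decides; no match means no access."""
    for section in _ancestors(path):
        entries = rules.get(section)
        if entries is None:
            continue
        if user is not None and user in entries:
            return entries[user]
        if "*" in entries:
            return entries["*"]
    return ""


def server_challenges(rules: Dict[str, Dict[str, str]], satisfy_any: bool, path: str) -> bool:
    """Does the server answer an unauthenticated request for `path` with a 401?
    With 'Satisfy Any' plus 'Allow from all', the anonymous identity is tried first,
    so a challenge only happens when anonymous cannot read the path.  Without it,
    'Require valid-user' forces a challenge on every request."""
    if not satisfy_any:
        return True
    return "r" not in effective_access(rules, ANONYMOUS, path)


def simulate_checkout(rules: Dict[str, Dict[str, str]], satisfy_any: bool,
                      user: Optional[str], root: str, paths: List[str] = REPO_PATHS) -> List[str]:
    """Return the paths the client receives when checking out `root`.
    The client only presents credentials after a challenge, so if the first request
    is not challenged the whole checkout runs as anonymous, and every path the
    effective identity cannot read is skipped rather than prompting for a login."""
    identity = user if server_challenges(rules, satisfy_any, root) else ANONYMOUS
    received = []
    for p in paths:
        if p == root or p.startswith(root.rstrip("/") + "/"):
            if "r" in effective_access(rules, identity, p):
                received.append(p)
    return received


if __name__ == "__main__":
    rules = parse_authz(AUTHZ_TEXT)
    print("Satisfy Any, serhat checks out /:   ", simulate_checkout(rules, True, "serhat", "/"))
    print("Require always, serhat checks out /:", simulate_checkout(rules, False, "serhat", "/"))
    print("Satisfy Any, serhat checks out /Ideas:", simulate_checkout(rules, True, "serhat", "/Ideas"))
```

Running it reproduces the thread: with `Satisfy Any`, a checkout of `/` is served anonymously and `/Ideas` disappears from the working copy, while a checkout of `/Ideas` alone triggers the challenge and succeeds as `serhat`; dropping `Satisfy Any` (Sander's "require authentication always" over https) makes the first request challenge, and the whole tree comes down.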