Posted to users@subversion.apache.org by Serhat Sakarya <se...@sakarya.nl> on 2004/03/23 11:42:51 UTC
Question regarding mixed anonymous/authenticated repository
Hello,
we have been trying to use Subversion for a repository that allows both
anonymous and authenticated users. We basically followed the manual for
the apache variant, using these lines in our httpd.conf:
Require valid-user
Satisfy Any
AuthType Basic
Our current authuserfile basically looks like this:
--------
[/]
* = r
serhat = rw
[/Ideas]
* =
serhat = rw
--------
When we check out /Ideas separately, the client asks for a username and
proceeds correctly. However, if we checkout the root dir (/), then no
username is used even if provided on the command line and "/Ideas" is skipped.
My question is: how can we get the client to checkout the entire
repository? The same applies to doing updates and commits. Do we have to
change something on the client side or server side for this to happen?
Thanks for any suggestions.
Regards,
Serhat
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Question regarding mixed anonymous/authenticated repository
Posted by Scott Lawrence <sl...@pingtel.com>.
On Tue, 2004-03-23 at 06:42, Serhat Sakarya wrote:
> Hello,
>
> we have been trying to use Subversion for a repository that allows both
> anonymous and authenticated users. We basically followed the manual for
> the apache variant, using these lines in our httpd.conf:
>
> Require valid-user
> Satisfy Any
> AuthType Basic
I think I've accomplished this doing everything at the apache level, but
it's not widely tested yet, so I'd appreciate a review. I have only
http: access to the repository (my goal being to integrate the same
account system with our bug tracker and other services available through
the web site - anyone done that with Jira?)
I limit write access to any repository to valid users, and specific
repositories may also specify a group to which the user must belong:
<Location /rep>
    DAV svn
    # any "/rep/foo" URL will map to a repository /scm/rep/foo
    SVNParentPath /scm/rep
    Allow from all
    # For any operations other than these, require an authenticated user.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Satisfy All
        Allow from all
        Require valid-user
    </LimitExcept>
</Location>
<Location /rep/testproj/>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group testproj
    </LimitExcept>
</Location>
--
Scott Lawrence
Pingtel Corp.
sip:slawrence {at} pingtel.com
+1.781.938.5306 x162
RE: Question regarding mixed anonymous/authenticated repository
Posted by Sander Striker <st...@apache.org>.
> -----Original Message-----
> From: Ben Collins-Sussman [mailto:sussman@collab.net]
> Sent: Tuesday, March 23, 2004 3:13 PM
> To: Serhat Sakarya
> Cc: users@subversion.tigris.org; striker@apache.org
> Subject: Re: Question regarding mixed anonymous/authenticated repository
>
>
> Serhat Sakarya wrote:
>
> > [/]
> > * = r
> > serhat = rw
> >
> > [/Ideas]
> > * =
> > serhat = rw
>
> > My question is: how can we get the client to checkout the entire
> > repository? The same applies to doing updates and commits. Do we have to
> > change something on the client side or server side for this to happen?
>
> The problem here is that there's no way for the client to "push"
> authentication at the server, the way it does in CVS. Authentication is
> strictly a "server pull" thing, and you've configured your server to not
> automatically challenge clients. You've made it very tolerant by
> putting in the "satisfy any" directive: the client asks for /, and your
> authz file tells the server that there's no need to issue an auth challenge.
>
> The "skipping" of /Ideas is actually a feature, believe it or not.
>
> I think the only way to get the behavior you want is to disable
> anonymous access completely (by removing the 'satisfy any' directive).
> Then you'll be able to identify yourself as 'serhat' when you try to
> checkout '/'.
>
> Sander Striker: what do you think about this?
Actually, we can 'push' the credentials on the first request, with mod_dav_svn
from trunk they will actually 'stick'. As in, just send the Authorization
header, which I'm fairly sure neon is capable of doing. But this will
not work with digest auth (it needs a challenge), only with basic. And TBH
I don't know if it is wanted to push credentials to a server without a
challenge...
Anyways, Ben is completely right. The only way to overcome the
ignore-directories-I-don't-have-access-to feature is to require
authentication always. The setup I have in my mind is:
- over https://
  <Location xxx>
    DAV svn
    ...
    AuthzSVNAccessFile ...
    Require valid-user
  </Location>
- over http://
  <Location xxx>
    DAV svn
    ...
    AuthzSVNAccessFile ...
  </Location>
That will forbid access to e.g. /Ideas over http://, but get you
the entire repos over https://.
The extra benefit of this setup is that your credentials are never
sent over the wire in the clear.
Sander
Re: Question regarding mixed anonymous/authenticated repository
Posted by Ben Collins-Sussman <su...@collab.net>.
Serhat Sakarya wrote:
> [/]
> * = r
> serhat = rw
>
> [/Ideas]
> * =
> serhat = rw
> My question is: how can we get the client to checkout the entire
> repository? The same applies to doing updates and commits. Do we have to
> change something on the client side or server side for this to happen?
The problem here is that there's no way for the client to "push"
authentication at the server, the way it does in CVS. Authentication is
strictly a "server pull" thing, and you've configured your server to not
automatically challenge clients. You've made it very tolerant by
putting in the "satisfy any" directive: the client asks for /, and your
authz file tells the server that there's no need to issue an auth challenge.
The "skipping" of /Ideas is actually a feature, believe it or not.
I think the only way to get the behavior you want is to disable
anonymous access completely (by removing the 'satisfy any' directive).
Then you'll be able to identify yourself as 'serhat' when you try to
checkout '/'.
Sander Striker: what do you think about this?
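
The behaviour discussed in this thread, as an added example that is not code from Subversion or from any poster: a simplified Python model of why an anonymous checkout of "/" is never challenged and silently skips "/Ideas", and why requiring authentication always returns the whole tree. The authz rules are the ones from the original post; the function names, the `/trunk` directory and the status-code logic are assumptions made for illustration.

```python
# Simplified model (an assumption, not mod_authz_svn code) of path-based
# authz rules combined with Apache's "Satisfy Any".
AUTHZ = """\
[/]
* = r
serhat = rw
[/Ideas]
* =
serhat = rw
"""

def parse_authz(text):
    """Return {path: [(principal, rights), ...]} from an authz-style file."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].rstrip("/") or "/"
            rules[section] = []
        elif section is not None and "=" in line:
            who, rights = (part.strip() for part in line.split("=", 1))
            rules[section].append((who, rights))
    return rules

def rights_for(rules, user, path):
    """Rights from the deepest section naming the user or '*'; user=None is anonymous."""
    path = path.rstrip("/") or "/"
    while True:
        matches = [r for who, r in rules.get(path, []) if who == "*" or who == user]
        if matches:
            return "".join(sorted(set("".join(matches))))  # any grant in the section wins
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"

def respond(rules, path, user=None, anonymous_allowed=True):
    """HTTP status for a read request: 200, 401 (challenge) or 403."""
    if user is None:
        if anonymous_allowed and "r" in rights_for(rules, None, path):
            return 200  # Satisfy Any: anonymously readable, so no challenge is issued
        return 401      # the only point at which the client is asked for credentials
    return 200 if "r" in rights_for(rules, user, path) else 403

def checkout(rules, tree, user=None):
    """Directories delivered by a checkout of '/'; unreadable ones are skipped."""
    return [d for d in tree if "r" in rights_for(rules, user, d)]
```

Calling `respond(rules, "/", anonymous_allowed=False)` models the always-authenticate setup: the first request is challenged, so the checkout runs as `serhat` and includes `/Ideas`.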