Posted to dev@subversion.apache.org by Brian Brophy <br...@email.com> on 2006/08/02 12:41:47 UTC
mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Hello,
First let me say I posted this originally on the users list, but did not
have any responses. This is a rather critical issue for us and I am
sincerely hoping someone on this list can help. Our end goal is to have
a Subversion repository, accessed using Apache, whose authentication
goes against LDAP and authorization ideally goes against LDAP group
membership (i.e. allow path /x/y/z if user in LDAP group1) but we would be
open to use mod_authz_svn (and scripting the group names/membership from
LDAP to keep the two in sync).
I am posting to this group because I am seeing an unexpected (to me at
least) additional COPY. Full details below, but essentially if I am
copying /a/b/c1 to /a/b/c2 I see a copy from /a/b/c1 to /a/b/c2 which
successfully passes authorization; yet, I then see a copy from /a/b/c2
to /a/b/c2 which fails.
I would appreciate any insight you could offer.
We are using mod_authz_ldap to authenticate our users and mod_authz_svn
to authorize them. Subversion 1.3.1 running on Red Hat Enterprise Linux
3 and Apache 2.0.46.
What I can see is that authentication is working fine and the user is
being identified by mod_authz_svn correctly. Authorization is working
fine for everything except the COPY operation, and thus MOVE and RENAME
as well (since these attempt copies at some point).
Here is the attempt:
svn copy -m 'testing' --username user123 --password mySecret
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup"
"https://server.abc.com/svn/repo/Common/Architecture/Publish/Working/hotBackup2"
Here is an excerpt from a failed COPY (note how the user is correctly
identified and then failed as 'null' when SVN tries to copy the new
files name to itself ... weird ...):
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.18) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.19) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' CHECKOUT repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.20) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' PROPPATCH repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.21) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.22) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted:
'user123' CHECKOUT repo:/Common/Architecture/Publish/Working
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.23) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
GET repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.24) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:/Common/Architecture/Publish/Working/hotBackup
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.25) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:14 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND repo:
[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
repo:/Common/Architecture/Publish/Working/hotBackup2
[Sun Jul 16 22:45:15 2006] [info] Subsequent (No.27) HTTPS request
received for child 2 (server server.abc.com:443)
[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
'user123' DELETE repo:
[Sun Jul 16 22:45:15 2006] [info] Connection to child 2 closed with
standard shutdown(server server.abc.com:443, client 127.0.0.1)
And here is the corresponding mod_authz_svn ACL file:
# Last Updated 07/11/2006 11:30:02 from ldap://127.0.0.1:10636
[groups]
repo_SVN Administrator = user123, user789
repo_SVN Architecture = user123, user456
[repo:/]
* = r
@repo_SVN Administrator = rw
[repo:/Common/Architecture]
@repo_SVN Architecture = rw
Additionally, here is the apache subversion.conf file:
# Load Subversion Modules
LoadModule authz_ldap_module modules/mod_authz_ldap.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn/repo>
DAV svn
SVNPath /shared/subversion/repos/abc
SVNIndexXSLT "/arch-svnindex.xsl"
SSLRequireSSL
AuthzLDAPMethod ldap
AuthzLDAPAuthoritative off
AuthzSVNAuthoritative on
AuthType Basic
AuthName "LDAP"
AuthzLDAPServer 127.0.0.1:10636
AuthzLDAPLogLevel debug
AuthzLDAPUserBase cn=users,ou=org,dc=abc,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
AuthzLDAPGroupBase cn=groups,ou=org,dc=abc,dc=com
AuthzLDAPGroupKey cn
AuthzLDAPGroupScope base
AuthzLDAPMemberKey uniquemember
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>
Please note that the log excerpt above is the result of the single copy
command ... why does it attempt to copy from old to new (expected) but
then also after that from new to new?
Thanks,
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?) - RESOLVED
Posted by Brian Brophy <br...@email.com>.
It appears I have found the fix. I had not looked into this issue for
several months, and recently returned to it. We are running a minimal
Apache configuration (only loading modules we require). One of the
modules that was disabled was auth_anon. It appears that this behavior
was resolved by loading the auth_anon module. Once loaded, the access
denied errors during copies (renames, etc.) were cleared up, fixing the issue.
I hope this helps others,
Brian
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Brian Brophy <br...@email.com>.
I have now tried "Require ldap-user" and unfortunately it still results
in the same issue.
Here is the command run:
svn copy -m "testing"
"https://server.corp.net/svn/abc/Common/Architecture/Publish/Working/hotBackup"
"https://server.corp.net/svn/abc/Common/Architecture/Publish/Working/hotBackup3"
--username abc_user1 --password myPass
Here are the resulting ssl_error_log entries (shows more info ... note
this was isolated to a test server where the command above was the only
request sent in and below are all log entries from that command):
[Sat Aug 12 08:09:52 2006] [info] Connection to child 7 established
(server server.corp.net:443, client 127.0.0.1)
[Sat Aug 12 08:09:52 2006] [info] Seeding PRNG with 136 bytes of entropy
[Sat Aug 12 08:09:53 2006] [info] Initial (No.1) HTTPS request received
for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.2) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.3) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.4) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.5) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.6) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.7) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.8) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.9) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.10) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.11) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.12) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.13) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.14) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
OPTIONS abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.15) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
MKACTIVITY abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.16) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.17) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.18) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
CHECKOUT abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.19) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPPATCH abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.20) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted: -
PROPFIND abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.21) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [error] [client 127.0.0.1] [21687] no password?
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.22) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' CHECKOUT abc:/Common/Architecture/Publish/Working
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.23) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'(null)' GET abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.24) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:/Common/Architecture/Publish/Working/hotBackup
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.25) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:53 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' PROPFIND abc:
[Sat Aug 12 08:09:53 2006] [info] Subsequent (No.26) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:54 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' COPY abc:/Common/Architecture/Publish/Working/hotBackup
abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:54 2006] [error] [client 127.0.0.1] Access denied:
'(null)' COPY abc:/Common/Architecture/Publish/Working/hotBackup3
abc:/Common/Architecture/Publish/Working/hotBackup3
[Sat Aug 12 08:09:54 2006] [info] Subsequent (No.27) HTTPS request
received for child 7 (server server.corp.net:443)
[Sat Aug 12 08:09:54 2006] [info] [client 127.0.0.1] Access granted:
'abc_user1' DELETE abc:
[Sat Aug 12 08:09:54 2006] [info] Connection to child 7 closed with
standard shutdown(server server.corp.net:443, client 127.0.0.1)
Here is the current subversion.conf:
LoadModule authz_ldap_module modules/mod_authz_ldap.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# ABC Repository
<Location /svn/abc>
DAV svn
SVNPath /shared/subversion/repos/abc
SVNIndexXSLT "/arch-svnindex.xsl"
SSLRequireSSL
AuthType Basic
AuthName "ABC LDAP"
AuthzLDAPMethod ldap
AuthzLDAPAuthoritative off
AuthzSVNAuthoritative on
AuthzLDAPServer 127.0.0.1:10636
AuthzLDAPLogLevel debug
AuthzLDAPUserBase cn=users,ou=abc,dc=abc,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
AuthzLDAPGroupBase cn=groups,ou=abc,dc=abc,dc=com
AuthzLDAPGroupKey cn
AuthzLDAPGroupScope base
AuthzLDAPMemberKey uniquemember
AuthzLDAPSetGroupAuth ldapdn
Satisfy any
Require ldap-user
AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>
And, here is the /shared/subversion/repos/abc/conf/subversion.acl file:
# Last Updated 08/12/2006 07:58:01 from ldap://127.0.0.1:10636
[groups]
abc_SVN Administrator = abc_user1, abc_user2
abc_SVN Architecture = abc_user1, abc_user3
abc_SVN Security Framework = abc_user5, abc_user4
[/]
* = r
@abc_SVN Administrator = rw
[abc:/Common/Architecture]
@abc_SVN Architecture = rw
Justin Erenkrantz wrote:
> On 8/9/06, Brian Brophy <br...@email.com> wrote:
>> I tried the suggested (not use LimitExcept but instead use Require
>> valid-user and satisfy any) but I am experiencing the same issue. The
>
> Did you try 'Require ldap-user' instead of 'Require valid-user'? --
> justin
>
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On 8/9/06, Brian Brophy <br...@email.com> wrote:
> I tried the suggested (not use LimitExcept but instead use Require
> valid-user and satisfy any) but I am experiencing the same issue. The
Did you try 'Require ldap-user' instead of 'Require valid-user'? -- justin
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Brian Brophy <br...@email.com>.
I tried the suggested (not use LimitExcept but instead use Require
valid-user and satisfy any) but I am experiencing the same issue. The
svn copy command fails in the same way as before: first I see an
authorized copy with source = source and destination = destination
immediately followed (without any client secondary command or anything)
by a second copy of source = destination and destination = destination
where the user is '(null)' and authorization is denied, causing the full
attempted copy transaction to fail (not authorized).
Does anyone have something similar to the following working?
- mod_dav_svn and mod_authz_svn
- SVN 1.3.2 (though also failed on 1.3.1 and 1.2.1)
- User authenticated by Apache mod_authz_ldap (configured to strip full
DN ... i.e. user uid=joesmith,ou=org,o=company gets identified in Apache
as user joesmith)
- Within mod_authz_svn, using groups to allow people like joesmith rw
perm to some sub directory (* = r is perm at / root)
I would think this would be a rather popular configuration with
companies using LDAP for authentication and that someone would have
encountered this.
Thanks,
Brian
Ben Collins-Sussman wrote:
> On 8/3/06, Brian Brophy <br...@email.com> wrote:
>> I really appreciate your follow-ups. Perhaps one additional thing I
>> should add is that we hope to be able to have a configuration that
>> permits anonymous read access, yet authorized write access. It is for
>> this reason that the "Require valid-user" occurs within the LimitExcept
>> ... so as to populate the Apache user for those operations where
>> mod_authz_svn's configuration would be looking to match the user to the
>> group in its file.
>
> The better way to do this is to *not* use LimitExcept at all, but
> instead to (1) unconditionally 'Require valid-user', (2) put a
> 'satisfy any' next to it, (3) unconditionally use SVNAuthzAccessfile,
> and (4) put a nice '* = r' on the root directory of your authz file.
> See example 6.3 in the svnbook.
>
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Ben Collins-Sussman <su...@red-bean.com>.
On 8/3/06, Brian Brophy <br...@email.com> wrote:
> I really appreciate your follow-ups. Perhaps one additional thing I
> should add is that we hope to be able to have a configuration that
> permits anonymous read access, yet authorized write access. It is for
> this reason that the "Require valid-user" occurs within the LimitExcept
> ... so as to populate the Apache user for those operations where
> mod_authz_svn's configuration would be looking to match the user to the
> group in its file.
The better way to do this is to *not* use LimitExcept at all, but
instead to (1) unconditionally 'Require valid-user', (2) put a
'satisfy any' next to it, (3) unconditionally use SVNAuthzAccessfile,
and (4) put a nice '* = r' on the root directory of your authz file.
See example 6.3 in the svnbook.
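The two Location layouts under discussion, written out side by side as an added example (this is not configuration from the thread or from the Subversion project; the Location path, repository path, password file and AuthName are assumptions, and the thread's AuthzLDAP* directives would stand in for the AuthUserFile line). The first block is the <LimitExcept> arrangement from the original post, kept only to show what changes; the second is the form Ben recommends above.

```apache
# Form from the original post. Authentication is demanded only for the
# methods outside the LimitExcept list, so a read check that mod_dav_svn
# issues as a subrequest can reach mod_authz_svn with no user attached
# (the '(null)' identity in the thread's log, as Ben points out above).
<Location /svn/repo>
    DAV svn
    SVNPath /shared/subversion/repos/abc
    SSLRequireSSL
    AuthType Basic
    AuthName "LDAP"
    # assumed password file; the thread authenticates via mod_authz_ldap instead
    AuthUserFile /etc/httpd/svn.htpasswd
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
    AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
</Location>

# Recommended form (the svnbook example 6.3 pattern). Authentication is
# required for every method; 'Satisfy Any' lets a client that sends no
# credentials through as anonymous, and the per-path decision, including
# anonymous read via '* = r' at the root, is left entirely to the access
# file. Every request, subrequests included, now passes through the same
# authentication step before mod_authz_svn sees it.
<Location /svn/repo>
    DAV svn
    SVNPath /shared/subversion/repos/abc
    SSLRequireSSL
    AuthzSVNAccessFile /shared/subversion/repos/abc/conf/subversion.acl
    Satisfy Any
    Require valid-user
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/httpd/svn.htpasswd
</Location>
```

The access file stays as posted in the thread, with `* = r` in the root section. Two caveats: with `Satisfy Any`, a client that sends no credentials is anonymous and `* = r` grants it read on every path not covered by a more specific section, so any path meant to be private needs its own section that does not list `*`; and `Satisfy`/`Require valid-user` is the Apache 2.0/2.2 syntax that matches the 2.0.46 server in the thread, whereas Apache 2.4 expresses the same policy with `<RequireAny>` unless mod_access_compat is loaded.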
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Brian Brophy <br...@email.com>.
I really appreciate your follow-ups. Perhaps one additional thing I
should add is that we hope to be able to have a configuration that
permits anonymous read access, yet authorized write access. It is for
this reason that the "Require valid-user" occurs within the LimitExcept
... so as to populate the Apache user for those operations where
mod_authz_svn's configuration would be looking to match the user to the
group in its file.
As to the question of "can groups contain spaces?", I questioned this
also. I have tested that other non-COPY activities such as add, delete,
etc. do successfully require the group to perform them as well as only
allow members of the group to do them ... so I am guessing the space is
ok. Additionally, in troubleshooting, I did just rename the groups to
have underscores instead of spaces and it did not change the behavior
nor the error messages in any way.
Regarding the "perhaps one request checks write perms on the copy target
and one checks read perms on the copy source" ... wouldn't "* = r" at
the root allow global read as it is not over-written below in the path?
Is it possibly an issue that it is trying to authorize the read and in
evaluating *=r it is not "grabbing" the user from Apache since it is *
or all and thus failing when it tries to match group membership? If
this were true, shouldn't it instead be doing something like: "if * is
allowed read, then grant read" ?
As you can imagine our goal is to allow read to all but modify/write to
only authorized group members within a URI location (i.e. one group may
have write to /a/b/1 while another has write to /a/b/2 ... but /a on
down should be read to all).
Thanks again for your help!
Brian
Malcolm Rowe wrote:
> On Thu, Aug 03, 2006 at 02:10:04PM -0500, Ben Collins-Sussman wrote:
>
>> On 8/3/06, C. Michael Pilato <cm...@collab.net> wrote:
>>
>>
>>> Just a guess: one request checks write perms on the copy target, one
>>> checks
>>> read perms on the copy source.
>>>
>
> Strange that we appear to check the target before the source. And the
> user appears to be in a group called 'repo_SVN Administrator' that has
> 'rw' on the repository root. (Can groups contain spaces?)
>
> Also, '*' has read access - is that 'all users' or 'all non-anonymous
> users' (I know, I should know that), it's the hypothesised read subrequest
> that appears to be failing.
>
>
>> ... and the GET subrequest (for the read check) has no username,
>> because of the <LimitExcept> block...
>>
>>
>
> Oh, I assumed the 'COPY' text in the log was the method used in the
> subrequest? The arguments in the subrequest certainly appear to contain
> both source and destination -- why would we generate two subrequests?
>
> Regards,
> Malcolm
>
>
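An added configuration example, not taken from this thread or from the Subversion project, showing the two shapes that "anonymous read, authenticated write" usually takes on Apache 2.0/2.2 with mod_authz_svn: the <LimitExcept> form Brian describes, in which authentication is only demanded for the write methods, next to the "Satisfy Any" form that the Subversion book documents for mixed anonymous and authenticated access. The repository path, realm, the htpasswd file (standing in for the LDAP authentication used in the thread), the group name and the access-file contents are all assumed.

```apache
# Added example, not from the thread or the Subversion project. Repository
# path, realm, the htpasswd file (a stand-in for the thread's LDAP setup),
# the group name and the access-file contents are assumed.

# ---- Variant A: authentication scoped to write methods via <LimitExcept> ----
# Only methods outside the list carry a Require, so Apache never runs the
# authentication phase for GET/PROPFIND/OPTIONS/REPORT requests, even when
# the client sends credentials. Any such request or subrequest is processed
# with no Apache user set: mod_authz_svn logs the requester as '(null)' and
# can only grant what the access file grants to everyone ('*').
<Location /svn/repo>
    DAV svn
    SVNPath /var/svn/repo
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/svn/htpasswd
    AuthzSVNAccessFile /etc/svn/authz
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>

# ---- Variant B: Satisfy Any, authentication not tied to a method list ----
# Apache first lets the request through anonymously and mod_authz_svn checks
# the access file. When the rules for '*' do not cover the operation, the
# access check fails; with "Satisfy Any" Apache then falls back to
# "Require valid-user" and challenges the client, which retries with
# credentials. Whether a user is present is decided by what the access file
# demands for the path and operation, not by the HTTP method in use.
<Location /svn/repo>
    DAV svn
    SVNPath /var/svn/repo
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/svn/htpasswd
    AuthzSVNAccessFile /etc/svn/authz
    Satisfy Any
    Require valid-user
</Location>

# ---- /etc/svn/authz (assumed contents, modelled on the thread) ----
# '*' covers every requester, authenticated or not, so reads are open from
# the root down; only members of the group may write. A more specific path
# section would override these lines for its subtree.
[groups]
repo_admins = user123

[/]
* = r
@repo_admins = rw
```

The difference that matters for the log lines in this thread is where the user identity comes from. In Variant A the HTTP method alone decides whether Apache authenticates, so a request issued on behalf of another operation with one of the listed methods is never authenticated; in Variant B Apache authenticates whenever the access file asks for more than it grants to '*', whatever the method. "Satisfy" is an Apache 2.0/2.2 directive; on 2.4 it is only available through mod_access_compat.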
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Malcolm Rowe <ma...@farside.org.uk>.
On Thu, Aug 03, 2006 at 02:10:04PM -0500, Ben Collins-Sussman wrote:
> On 8/3/06, C. Michael Pilato <cm...@collab.net> wrote:
>
> >Just a guess: one request checks write perms on the copy target, one
> >checks
> >read perms on the copy source.
Strange that we appear to check the target before the source. And the
user appears to be in a group called 'repo_SVN Administrator' that has
'rw' on the repository root. (Can groups contain spaces?)
Also, '*' has read access - is that 'all users' or 'all non-anonymous
users' (I know, I should know that), it's the hypothesised read subrequest
that appears to be failing.
>
> ... and the GET subrequest (for the read check) has no username,
> because of the <LimitExcept> block...
>
Oh, I assumed the 'COPY' text in the log was the method used in the
subrequest? The arguments in the subrequest certainly appear to contain
both source and destination -- why would we generate two subrequests?
Regards,
Malcolm
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Ben Collins-Sussman <su...@red-bean.com>.
On 8/3/06, C. Michael Pilato <cm...@collab.net> wrote:
> Just a guess: one request checks write perms on the copy target, one checks
> read perms on the copy source.
... and the GET subrequest (for the read check) has no username,
because of the <LimitExcept> block...
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by "C. Michael Pilato" <cm...@collab.net>.
Malcolm Rowe wrote:
> On Wed, Aug 02, 2006 at 08:41:47AM -0400, Brian Brophy wrote:
>
>>[Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request
>>received for child 2 (server server.abc.com:443)
>>[Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
>>'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
>>repo:/Common/Architecture/Publish/Working/hotBackup2
>>[Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
>>'(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
>>repo:/Common/Architecture/Publish/Working/hotBackup2
>>
>
>
> So if I'm reading that right, we generate two subrequests for
> mod_authz_svn from one copy operation, the second of which is failing.
>
> While I don't have a clue why the second subrequest occurs, I do note
> that it also appears not to have any user associated with it.
Just a guess: one request checks write perms on the copy target, one checks
read perms on the copy source.
--
C. Michael Pilato <cm...@collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
Re: mod_authz_svn: Failed Authorization During COPY, RENAME, MOVE (due to extra copy?)
Posted by Malcolm Rowe <ma...@farside.org.uk>.
On Wed, Aug 02, 2006 at 08:41:47AM -0400, Brian Brophy wrote:
> [Sun Jul 16 22:45:14 2006] [info] Subsequent (No.26) HTTPS request
> received for child 2 (server server.abc.com:443)
> [Sun Jul 16 22:45:15 2006] [info] [client 127.0.0.1] Access granted:
> 'user123' COPY repo:/Common/Architecture/Publish/Working/hotBackup
> repo:/Common/Architecture/Publish/Working/hotBackup2
> [Sun Jul 16 22:45:15 2006] [error] [client 127.0.0.1] Access denied:
> '(null)' COPY repo:/Common/Architecture/Publish/Working/hotBackup2
> repo:/Common/Architecture/Publish/Working/hotBackup2
>
So if I'm reading that right, we generate two subrequests for
mod_authz_svn from one copy operation, the second of which is failing.
While I don't have a clue why the second subrequest occurs, I do note
that it also appears not to have any user associated with it.
> Please note that the log excerpt above is the result of the single copy
> command ... why does it attempt to copy from old to new (expected) but
> then also after that from new to new?
>
Good question; it seems wrong to me. Perhaps someone with more
mod_dav_svn experience knows a valid reason.
Regards,
Malcolm