Posted to users@httpd.apache.org by Stefan Voelkel <st...@millenux.com> on 2005/03/14 18:06:05 UTC
[users@httpd] Different Auth's for /repos and /repos/foo.txt
Hello,
I have a subversion repository accessible via dav:
<Location /repos>
DAV svn
SVNParentPath /home/svn/repositories
AuthzSVNAccessFile ../users/access-file
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile ../users/users.htpasswd
</Location>
Now I'd like to require a special group for certain files, e.g. foo.txt
beneath the above folder. I tried <Location>, <LocationMatch>, <Files> and
<FilesMatch> but could not get a working setup.
Thanks in advance,
regards
Stefan
--
Stefan Völkel stefan.voelkel@millenux.com
Millenux GmbH mobile: +49.170.79177.17
Lilienthalstraße 2 phone: +49.711.88770.300
70825 Stuttgart-Korntal fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Different Auth's for /repos and /repos/foo.txt
Posted by Stefan Voelkel <st...@millenux.com>.
> I think the problem here is that you are mixing up the mod_auth and
> mod_authz_svn configuration stuff. The "Require" directives in
> httpd.conf will not read the AuthzSVNAccessFile. So you need to have
> an AuthGroupFile directive pointing to an apache-style groups list (as
> in /etc/groups).
Nope, tried that already.
> Although that is certainly a part of the problem, I'm not sure if it
> will fix the whole thing. Normally with mod_authz_svn, apache's
> mod_auth provides only the authentication, and mod_authz_svn provides
> the actual access control list. Trying to mix the two with respect to
> access control is surely going to be complicated.
I can deny access in the mod_authz_svn file, although branching/tagging is
my problem here.
If I deny fred access to
/trunk/foo/bar/fred.may.not.read.this.txt
but I allow to read /branches (which I want him to be able to), every time I
create a branch or tag I need to alter the access-file, and besides this
being ugly it's error prone.
I am taking this to the subversion List, perhaps they have a solution...
Nonetheless, thanks for your time.
regards
Stefan
--
Stefan Völkel stefan.voelkel@millenux.com
Millenux GmbH mobile: +49.170.79177.17
Lilienthalstraße 2 phone: +49.711.88770.300
70825 Stuttgart-Korntal fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
Re: [users@httpd] Different Auth's for /repos and /repos/foo.txt
Posted by Joshua Slive <js...@gmail.com>.
On Tue, 15 Mar 2005 14:51:50 +0100, Stefan Voelkel
<st...@millenux.com> wrote:
> > Need more details. Give us your best guess at the correct
> > configuration, and exactly what happens when you try to use this
> > configuration (including relevant excerpts from the apache error log).
>
> Will do, but there is no error, it just simply does not work as I want it
> to :)
>
> Abstract
Thanks. That was a much better problem report.
I think the problem here is that you are mixing up the mod_auth and
mod_authz_svn configuration stuff. The "Require" directives in
httpd.conf will not read the AuthzSVNAccessFile. So you need to have
an AuthGroupFile directive pointing to an apache-style groups list (as
in /etc/groups).
Although that is certainly a part of the problem, I'm not sure if it
will fix the whole thing. Normally with mod_authz_svn, apache's
mod_auth provides only the authentication, and mod_authz_svn provides
the actual access control list. Trying to mix the two with respect to
access control is surely going to be complicated.
Joshua.
Re: [users@httpd] Different Auth's for /repos and /repos/foo.txt
Posted by Stefan Voelkel <st...@millenux.com>.
> Need more details. Give us your best guess at the correct
> configuration, and exactly what happens when you try to use this
> configuration (including relevant excerpts from the apache error log).
Will do, but there is no error, it just simply does not work as I want it
to :)
Abstract
========
There are special files in my subversion repository I want to protect
(f.e. "prod.properties"). To be able to see these files you must be in a
special group called "admin". Access to all other files should be granted
if you do send valid credentials to the webserver.
Configuration
=============
<Location /repos>
DAV svn
SVNParentPath /home/svn/repositories
AuthzSVNAccessFile ../users/access-file
Satisfy All
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile ../users/users.htpasswd
AuthAuthoritative off
</Location>
<LocationMatch "prod.properties$">
Require group admin
</LocationMatch>
Authentication
================
user.password:
super:XXXXXXX
fred:XXXXXX
access-file:
[groups]
admin = super
[test:/]
fred = r
access_log
==========
127.0.0.1 - super[15/Mar/2005:14:40:12 +0100] "GET
/repos/dscneu/branches/prod/prod.properties HTTP/1.1" 200 182833
127.0.0.1 - fred [15/Mar/2005:14:40:33 +0100] "GET
/repos/test/branches/prod/prod.properties HTTP/1.1" 200 182833
Now the second get should fail. If I change the LocationMatch to this:
<LocationMatch "prod.properties$">
order deny,allow
deny from all
</LocationMatch>
This happens in the log:
127.0.0.1 - - [15/Mar/2005:14:41:54 +0100] "GET
/repos/dscneu/branches/prod/prod.properties HTTP/1.1" 403 487
thus the <LocationMatch> is evaluated, but I can not additionally require a
group for special files.
And in the error log:
[Tue Mar 15 14:50:27 2005] [error] an unknown filter was not added:
includes
I permuted pretty much everything, <Files>, <FilesMatch> instead of
<LocationMatch>, Auth* options in the <LocationMatch> section, etc. but
every time either all users can access the file even fred, or nobody at all.
Thanks again,
regards
Stefan
--
Stefan Völkel stefan.voelkel@millenux.com
Millenux GmbH mobile: +49.170.79177.17
Lilienthalstraße 2 phone: +49.711.88770.300
70825 Stuttgart-Korntal fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
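An added example, not part of the original thread: a small audit of the access log against the rule the message above wants enforced (only members of the "admin" group may fetch paths ending in prod.properties). The access file and log lines are constructed from the excerpts in that message, and the function names are this example's own.

```python
import configparser
import re

# Constructed sample data, modelled on the excerpts in the message above.
ACCESS_FILE = """\
[groups]
admin = super

[test:/]
fred = r
"""

ACCESS_LOG = """\
127.0.0.1 - super [15/Mar/2005:14:40:12 +0100] "GET /repos/dscneu/branches/prod/prod.properties HTTP/1.1" 200 182833
127.0.0.1 - fred [15/Mar/2005:14:40:33 +0100] "GET /repos/test/branches/prod/prod.properties HTTP/1.1" 200 182833
127.0.0.1 - - [15/Mar/2005:14:41:54 +0100] "GET /repos/dscneu/branches/prod/prod.properties HTTP/1.1" 403 487
"""

PROTECTED = re.compile(r"prod\.properties$")  # same intent as the <LocationMatch>
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def group_members(access_file_text, group):
    """Return the members of one [groups] entry of an authz-style file."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep user and group names case-sensitive
    parser.read_string(access_file_text)
    raw = parser.get("groups", group, fallback="")
    return {name.strip() for name in raw.split(",") if name.strip()}

def policy_violations(log_text, allowed_users):
    """Return (user, path) for every successful request to a protected
    path made by anyone outside allowed_users (anonymous '-' included)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a common-log-format line
        if not PROTECTED.search(m["path"].split("?", 1)[0]):
            continue  # path is not one of the protected files
        if m["status"].startswith("2") and m["user"] not in allowed_users:
            hits.append((m["user"], m["path"]))
    return hits

if __name__ == "__main__":
    admins = group_members(ACCESS_FILE, "admin")
    for user, path in policy_violations(ACCESS_LOG, admins):
        print(f"policy violation: {user} read {path}")
```

Run against a real access log after each configuration change, an empty result means no non-admin user received a 2xx response for a protected path in the logged requests.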
Re: [users@httpd] Different Auth's for /repos and /repos/foo.txt
Posted by Joshua Slive <js...@gmail.com>.
On Mon, 14 Mar 2005 18:06:05 +0100, Stefan Voelkel
<st...@millenux.com> wrote:
> Now I'd like to require a special group for certain files, e.g. foo.txt
> beneath the above folder. I tried <Location>, <LocationMatch>, <Files> and
> <FilesMatch> but could not get a working setup.
Need more details. Give us your best guess at the correct
configuration, and exactly what happens when you try to use this
configuration (including relevant excerpts from the apache error log).
Joshua.