You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Michael Hogsett <ho...@csl.sri.com> on 2005/11/30 00:05:27 UTC
Authenticated ReadOnly and ReadWrite
I need to configure my apache config file
to require authenticated read-only and read-write
access.
I have 4 users, Alice, Bob, Chuck and Dan
Alice and Bob need authenticated Read-Only access.
Chuck and Dan need authenticated Read-Write access.
In my svngroups file I have group REPO containing all 4 users.
In my svnpasswd file each user is listed with a password set.
I have in my apache config :
<Location /svn>
AuthType Basic
AuthUserFile /space/svn/conf/svnpasswd
AuthGroupFile /space/svn/conf/svngroups
</Location>
<Location /svn/private>
Dav svn
SVNParentPath /space/svn/repos/private
AuthName "There's nothing to checkout here. Use the full repository
URL"
# Host-based access control here
# Order deny,allow
# Deny from all
Require valid-user
Satisfy all
</Location>
<Location /svn/private/REPO>
AuthName "Subversion repository for REPO"
Require group REPO
<LimitExcept GET PROPFIND OPTIONS REPORT>
require user Chuck Dan
</LimitExcept>
</Location>
My thought with the final Location block was
that it would require the group REPO, but to
perform GET PROPFIND OPTIONS and REPORT it would
require either user Chuck or Dan.
This is not the case. Alice and Bob can write
to the repo.
How can I change this to get the behaviour I want?
Thanks
- Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Authenticated ReadOnly and ReadWrite
Posted by Mike Dewhirst <mi...@dewhirst.com.au>.
Michael Hogsett wrote:
> I need to configure my apache config file
> to require authenticated read-only and read-write
> access.
>
> I have 4 users, Alice, Bob, Chuck and Dan
You need two groups, one with read-only and the other with read-write
access then put your people into whichever group is appropriate.
Here is an example which is working for me ...
First the apache configuration
# subversion
# see /usr/share/doc/packages/subversion for the full documentation
#
<IfModule mod_dav_svn.c>
##
## project related HTML files
##
<IfModule mod_alias.c>
Alias /repos /srv/svn/html
</IfModule>
<Directory /srv/svn/html>
Options Indexes +Multiviews -FollowSymLinks
IndexOptions FancyIndexing \
ScanHTMLTitles \
NameWidth=* \
DescriptionWidth=* \
SuppressLastModified \
SuppressSize
Order allow,deny
Allow from all
</Directory>
#
<Location /repos>
DAV svn
SVNParentPath /srv/svn/repos
# Require SSL connection for password protection.
# SSLRequireSSL
AuthType Basic
AuthName "repositories"
AuthUserFile /srv/svn/user_access/auth-file
AuthzSVNAccessFile /srv/svn/user_access/access-policy
Require valid-user
</Location>
</IfModule>
#
#
Now the subversion AuthUserFile mentioned above ...
Alice:$apr1$.b8Tc/..$qoHwnT26wYiHwCR525duV0
Bob:$apr1$0Jcpk...$ryDdHgGO6sHGuftvoLiBr/
Chuck:$apr1$2bnqi...$TYb/m2K3VZhOel6xcb2wp/
Dan:$apr1$/LW28...$M9DW7GxunB6s2XGKWeyQ30
Elvis:$apr1$/ccd8...$d9DWrGxu4B6s2sGeWeyf31
# insert new names with ...
# htpasswd -m /srv/svn/user_access/auth-file [new-name]
#
... and now the AuthzSVNAccessFile mentioned above ...
# groups and access policy
[groups]
grpalfa = Alice, Bob
grpbravo = Chuck, Dan
grpcharlie = Alice, Dan
grpdelta = Bob, Dan
grpecho = Elvis
[project_1:/]
@grpalfa = r
@grpdelta = rw
[project_2:/]
@grpecho = rw
[project_3:/]
@grpalfa = r
@grpbravo = r
#
HTH
>
> Alice and Bob need authenticated Read-Only access.
>
> Chuck and Dan need authenticated Read-Write access.
>
>
>
> In my svngroups file I have group REPO containing all 4 users.
> In my svnpasswd file each user is listed with a password set.
>
>
> I have in my apache config :
>
> <Location /svn>
> AuthType Basic
> AuthUserFile /space/svn/conf/svnpasswd
> AuthGroupFile /space/svn/conf/svngroups
> </Location>
>
> <Location /svn/private>
> Dav svn
> SVNParentPath /space/svn/repos/private
> AuthName "There's nothing to checkout here. Use the full repository
> URL"
> # Host-based access control here
> # Order deny,allow
> # Deny from all
> Require valid-user
> Satisfy all
> </Location>
>
> <Location /svn/private/REPO>
> AuthName "Subversion repository for REPO"
> Require group REPO
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> require user Chuck Dan
> </LimitExcept>
> </Location>
>
>
> My thought with the final Location block was
> that it would require the group REPO, but to
> perform GET PROPFIND OPTIONS and REPORT it would
> require either user Chuck or Dan.
>
> This is not the case. Alice and Bob can write
> to the repo.
>
> How can I change this to get the behaviour I want?
>
> Thanks
>
> - Mike
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org