You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Michael Hogsett <ho...@csl.sri.com> on 2005/11/30 00:05:27 UTC

Authenticated ReadOnly and ReadWrite

I need to configure my apache config file
to require authenticated read-only and read-write
access.

I have 4 users, Alice, Bob, Chuck and Dan

Alice and Bob need authenticated Read-Only access.

Chuck and Dan need authenticated Read-Write access.



In my svngroups file I have group REPO containing all 4 users.
In my svnpasswd file each user is listed with a password set.


I have in my apache config :

<Location /svn>
    AuthType Basic
    AuthUserFile /space/svn/conf/svnpasswd
    AuthGroupFile /space/svn/conf/svngroups
</Location>

<Location /svn/private>
    Dav svn
    SVNParentPath /space/svn/repos/private
    AuthName "There's nothing to checkout here.  Use the full repository 
URL"
    # Host-based access control here
    # Order deny,allow
    # Deny from all
    Require valid-user
    Satisfy all
</Location>

<Location /svn/private/REPO>
    AuthName "Subversion repository for REPO"
    Require group REPO
    <LimitExcept GET PROPFIND OPTIONS REPORT>
         require user Chuck Dan
    </LimitExcept>
</Location>


My thought with the final Location block was
that it would require the group REPO, but to
perform GET PROPFIND OPTIONS and REPORT it would
require either user Chuck or Dan.

This is not the case.   Alice and Bob can write
to the repo.

How can I change this to get the behaviour I want?

Thanks

  - Mike


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Authenticated ReadOnly and ReadWrite

Posted by Mike Dewhirst <mi...@dewhirst.com.au>.

Michael Hogsett wrote:
> I need to configure my apache config file
> to require authenticated read-only and read-write
> access.
> 
> I have 4 users, Alice, Bob, Chuck and Dan

You need two groups, one with read-only and the other with read-write
access then put your people into whichever group is appropriate.

Here is an example which is working for me ...

First the apache configuration

# subversion
# see /usr/share/doc/packages/subversion for the full documentation
#
<IfModule mod_dav_svn.c>
##
## project related HTML files
##
     <IfModule mod_alias.c>
         Alias /repos    /srv/svn/html
     </IfModule>
     <Directory /srv/svn/html>
         Options         Indexes +Multiviews -FollowSymLinks
         IndexOptions    FancyIndexing \
                         ScanHTMLTitles \
                         NameWidth=* \
                         DescriptionWidth=* \
                         SuppressLastModified \
                         SuppressSize
         Order allow,deny
         Allow from all
     </Directory>
#
     <Location /repos>
         DAV svn
         SVNParentPath /srv/svn/repos
         # Require SSL connection for password protection.
         # SSLRequireSSL
         AuthType Basic
         AuthName "repositories"
         AuthUserFile /srv/svn/user_access/auth-file
         AuthzSVNAccessFile /srv/svn/user_access/access-policy
         Require valid-user
     </Location>
</IfModule>
#
#

Now the subversion AuthUserFile mentioned above ...

Alice:$apr1$.b8Tc/..$qoHwnT26wYiHwCR525duV0
Bob:$apr1$0Jcpk...$ryDdHgGO6sHGuftvoLiBr/
Chuck:$apr1$2bnqi...$TYb/m2K3VZhOel6xcb2wp/
Dan:$apr1$/LW28...$M9DW7GxunB6s2XGKWeyQ30
Elvis:$apr1$/ccd8...$d9DWrGxu4B6s2sGeWeyf31
# insert new names with ...
# htpasswd -m /srv/svn/user_access/auth-file [new-name]
#

... and now the AuthzSVNAccessFile mentioned above ...

# groups and access policy
[groups]
grpalfa = Alice, Bob
grpbravo = Chuck, Dan
grpcharlie = Alice, Dan
grpdelta = Bob, Dan
grpecho = Elvis

[project_1:/]
@grpalfa = r
@grpdelta = rw

[project_2:/]
@grpecho = rw

[project_3:/]
@grpalfa = r
@grpbravo = r

#

HTH

> 
> Alice and Bob need authenticated Read-Only access.
> 
> Chuck and Dan need authenticated Read-Write access.
> 
> 
> 
> In my svngroups file I have group REPO containing all 4 users.
> In my svnpasswd file each user is listed with a password set.
> 
> 
> I have in my apache config :
> 
> <Location /svn>
>    AuthType Basic
>    AuthUserFile /space/svn/conf/svnpasswd
>    AuthGroupFile /space/svn/conf/svngroups
> </Location>
> 
> <Location /svn/private>
>    Dav svn
>    SVNParentPath /space/svn/repos/private
>    AuthName "There's nothing to checkout here.  Use the full repository 
> URL"
>    # Host-based access control here
>    # Order deny,allow
>    # Deny from all
>    Require valid-user
>    Satisfy all
> </Location>
> 
> <Location /svn/private/REPO>
>    AuthName "Subversion repository for REPO"
>    Require group REPO
>    <LimitExcept GET PROPFIND OPTIONS REPORT>
>         require user Chuck Dan
>    </LimitExcept>
> </Location>
> 
> 
> My thought with the final Location block was
> that it would require the group REPO, but to
> perform GET PROPFIND OPTIONS and REPORT it would
> require either user Chuck or Dan.
> 
> This is not the case.   Alice and Bob can write
> to the repo.
> 
> How can I change this to get the behaviour I want?
> 
> Thanks
> 
>  - Mike
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
> 
> 
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org