You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Cristiano Paris <pa...@algonet.uniroma2.it> on 2004/03/05 00:41:03 UTC
authz_svn_module
Hi everyone,
I've just finished setting up my first three subversion repositories and
I've been dealing with acess control problems. Initially I decided to
use the authz_svn_module but soon discovered it has too many limitations
as I wanted to use SVNParentPath and have a Require directive in a
Limit section.
So I decided to use the access control primitives directly available in
Apache, and it seems to work quite good. Apache is more flexible than
authz_svn_module I think. So the point here is: what is the rationale
of authz_svn_module? Is there a real difference between using Apache
access control or using authz_svn_module?
I think I'm missing something...
Cristiano
----
Web: http://www.disp.uniroma2.it/users/paris
Public PGP/GnuPG key
pub 1024D/32CA6D54 2004-01-23 Cristiano Paris (RHPK) <c....@email.it>
Key fingerprint = 3BFD 9884 230A 1F17 391C 1434 80CB 2C7A 32CA 6D54
----
Re: authz_svn_module
Posted by Sander Striker <st...@apache.org>.
On Sat, 2004-03-06 at 17:18, Raymond wrote:
> > You can use mod_authz_svn from trunk now, which does have support for
> > SVNParentPath. And, bonus, it supports checking for anonymous access
> > aswell nowadays.
>
> Can you give an example of how to utilize AuthzSVNAccessFile <file> entries
> for multiple repositories when utilizing SVNParentPath? Can't seem to locate
> this in the docs.
http://svn.collab.net/repos/svn/trunk/subversion/mod_authz_svn/INSTALL.
Note that you need to use mod_authz_svn from trunk, this is not in the
1.0.0 release.
Sander
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by John Szakmeister <jo...@szakmeister.net>.
On Saturday 06 March 2004 11:18, Raymond wrote:
> > You can use mod_authz_svn from trunk now, which does have support for
> > SVNParentPath. And, bonus, it supports checking for anonymous access
> > aswell nowadays.
>
> Can you give an example of how to utilize AuthzSVNAccessFile <file> entries
> for multiple repositories when utilizing SVNParentPath? Can't seem to
> locate this in the docs.
Look at:
http://svn.collab.net/repos/svn/trunk/subversion/mod_authz_svn/INSTALL
-John
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Raymond <su...@bigriverinfotech.com>.
> You can use mod_authz_svn from trunk now, which does have support for
> SVNParentPath. And, bonus, it supports checking for anonymous access
> aswell nowadays.
Can you give an example of how to utilize AuthzSVNAccessFile <file> entries
for multiple repositories when utilizing SVNParentPath? Can't seem to locate
this in the docs.
Raymond
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Seth Falcon <sf...@fhcrc.org>.
On Fri, Mar 05, 2004 at 02:16:55PM -0500, Francois Beausoleil wrote:
> But ! Internally, all URLs are rewritten to something like the
> following, when Subversion operations occur on the repository:
> http://xxx/repos/!svn/n0192/
>
> So, while access *looks like* it's protected, in fact it's not.
Thanks, Francois. That clears is up for me. I didn't know about the
internal URL rewritting. I knew I had to be missing something.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Francois Beausoleil <fb...@users.sourceforge.net>.
On Fri, 5 Mar 2004 11:11:15 -0800, "Seth Falcon" <sf...@fhcrc.org>
said:
> On Fri, Mar 05, 2004 at 10:20:07AM -0600, Ben Collins-Sussman wrote:
> > In other words, Apache isn't able to restrict access on paths *within*
> > an svn repository: it can only restrict access on the repository as a
> > whole. That's why we wrote mod_authz_svn.
>
> I'm confused by the above statement. It was a few months ago that I was
> experimenting with Apache, svn, and access control, but I recall being
> able to limit access to particular subdirs of a given repository using
> Apache's LocationMatch directive along with BasicAuth primitives.
What Ben's saying here is that LocationMatch can protect the "public"
part of the repository:
http://xxx/repos/project/trunk
But ! Internally, all URLs are rewritten to something like the
following, when Subversion operations occur on the repository:
http://xxx/repos/!svn/n0192/
So, while access *looks like* it's protected, in fact it's not.
Hope that helps !
François
Developer of Java Gui Builder
http://jgb.sourceforge.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Seth Falcon <sf...@fhcrc.org>.
On Fri, Mar 05, 2004 at 10:20:07AM -0600, Ben Collins-Sussman wrote:
> In other words, Apache isn't able to restrict access on paths *within*
> an svn repository: it can only restrict access on the repository as a
> whole. That's why we wrote mod_authz_svn.
I'm confused by the above statement. It was a few months ago that I was
experimenting with Apache, svn, and access control, but I recall being
able to limit access to particular subdirs of a given repository using
Apache's LocationMatch directive along with BasicAuth primitives.
Indeed, this led me to the same question of "what am I missing" w.r.t.
what mod_authz_svn provides that can't be done in plain apache.
a bit baffled,
+ seth
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Ben Collins-Sussman <su...@collab.net>.
On Fri, 2004-03-05 at 06:39, Sander Striker wrote:
> > So I decided to use the access control primitives directly available in
> > Apache, and it seems to work quite good. Apache is more flexible than
> > authz_svn_module I think. So the point here is: what is the rationale
> > of authz_svn_module? Is there a real difference between using Apache
> > access control or using authz_svn_module?
>
> Yes. The httpd core doesn't have any idea about the 'magic' !svn urls.
In other words, Apache isn't able to restrict access on paths *within*
an svn repository: it can only restrict access on the repository as a
whole. That's why we wrote mod_authz_svn.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: authz_svn_module
Posted by Sander Striker <st...@apache.org>.
On Fri, 2004-03-05 at 01:41, Cristiano Paris wrote:
> Hi everyone,
>
> I've just finished setting up my first three subversion repositories and
> I've been dealing with acess control problems. Initially I decided to
> use the authz_svn_module but soon discovered it has too many limitations
> as I wanted to use SVNParentPath and have a Require directive in a
> Limit section.
You can use mod_authz_svn from trunk now, which does have support for
SVNParentPath. And, bonus, it supports checking for anonymous access
aswell nowadays.
> So I decided to use the access control primitives directly available in
> Apache, and it seems to work quite good. Apache is more flexible than
> authz_svn_module I think. So the point here is: what is the rationale
> of authz_svn_module? Is there a real difference between using Apache
> access control or using authz_svn_module?
Yes. The httpd core doesn't have any idea about the 'magic' !svn urls.
Sander
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org