You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Jeb <je...@penske.com> on 2006/06/26 11:08:00 UTC
[Fwd: svn: Lock request failed: 401 Authorization Required]
Authorizatio driectives added to previous post
Having trouble with locking. Checked out existing project, added a file,
committed. Tried to get lock, receive error as below. We have security enabled via apache
directives. It appears the svn client is not caching the credentials
properly for lock requests.
How can I work around this?}
thanks
Jeb Beasley
ERROR
svn client 1.3.0
C:\msdev\projects\_autotest_webproj_035>svn lock test.txt --username
jeb.beasley<at>penske<dot>com --password *******
svn: Lock request failed: 401 Authorization Required (http://ghlx035ptlge.penske.com)
httpd directives
<Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
AuthType basic
AuthUserFile /opt/apache/subversion/conf/.auth.users
<Limit GET PROPFIND OPTIONS REPORT>
Require valid-user
</Limit>
AuthGroupFile conf/.auth.ecomm.webprojects.groups
AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group developers onsite_lead super_users
</LimitExcept>
</Location>
apache 2.054 DAV/2 SVN/1.3.0 Linux RHAS
apache logs
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633
1673 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633
1787 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700
225085 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700
225144 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/vcc/default 207 576 456 4148 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/vcc/default 207 576 456 4172 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/bln/378 207 631 489 5627 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/bln/378 207 631 489 5677 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478
94309 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478
94358 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Jeb <je...@penske.com>.
Thanks for the info on the patch. That will likely help us get around
this issue. We may have to seriously rethink our security process.
I am attepting to illustrate what seems like a bug in the svn client.
It seems to have existed in earlier versions
@see
http://www.pushok.com/tickets_addmodify.php?id=774
http://svn.haxx.se/dev/archive-2005-08/0466.shtml
Related to this - I have another post on this site related to this
If I own the lock and try to commit a change I also get an error and on
the server a [notice] child pid 1663 exit signal Segmentation fault (11)
http://svn.haxx.se/users/archive-2006-06/0948.shtml
Thanks for the prompt feedback you have been giving me!
Jeb
Erik Huelsmann wrote:
> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>> I saw that too, we have tested with /ecomm.*/webprojects as well.
>> Either way, it challenges everything else, but does not submit
>> credentials on the actual LOCK request
>
>
> Well, I guess you just proved that you must use mod_authz_svn... If it
> doesn't do what you want, maybe you can extend it yourself, or try
>
> http://svn.haxx.se/dev/archive-2005-02/0631.shtml
>
> to see if it does what you want.
>
> HTH,
>
>
> Erik.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Erik Huelsmann <eh...@gmail.com>.
On 6/26/06, Jeb <je...@penske.com> wrote:
> I saw that too, we have tested with /ecomm.*/webprojects as well.
> Either way, it challenges everything else, but does not submit
> credentials on the actual LOCK request
Well, I guess you just proved that you must use mod_authz_svn... If it
doesn't do what you want, maybe you can extend it yourself, or try
http://svn.haxx.se/dev/archive-2005-02/0631.shtml
to see if it does what you want.
HTH,
Erik.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Jeb <je...@penske.com>.
I saw that too, we have tested with /ecomm.*/webprojects as well.
Either way, it challenges everything else, but does not submit
credentials on the actual LOCK request
Sample from logs below. the initial challenge on the first two lines
collects the credentials. The credentials are used for several
PROPFINDs and then not used for the actual LOCK. The first number after
the URI is the http status code. The field after the IP address is the
user credential {REMOTE_USER}
Note the timestamp for all records is the same. This is one svn
TortoiseSVN action.
apache logs
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633
1673 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633
1787 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700
225085 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700
225144 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/vcc/default 207 576 456 4148 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/vcc/default 207 576 456 4172 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/bln/378 207 631 489 5627 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND
/svn/ecomm/!svn/bln/378 207 631 489 5677 "SVN/1.3.0 (r17949)
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478
94309 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478
94358 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
Erik Huelsmann wrote:
> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>> We are using Apache authentication/authorization to limit access, not
>> subversion.
>>
>> Up until we got into this lock issue, this kind of authorization scheme
>> is working well. The problem surfaced when users set the needs-lock
>> property on files.
>>
>> As I understand, the mod_authz_svn mechanism does not do any pattern
>> matching, and out tests indicate that if we have a rule for
>> [repo/project/branches/dev]
>> that is does not match
>> repo/project/branches/dev/module/source.ext
>>
>> We have branches like dev_gh, dev_phase2, dev_pl and based on the
>> parent project control access to group members for that group.
>>
>> When I request a lock, the apache logs show several authenticated
>> propfinds, and then a LOCK request without the authentication token.
>> (Log snippet attached to previous message)
>
>
> Maybe:
> /svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt
>
> doesn't match /ecomm/.*/webprojects? I think there's one forward slash
> too many?
>
> HTH,
>
>
> Erik.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Erik Huelsmann <eh...@gmail.com>.
On 6/26/06, Jeb <je...@penske.com> wrote:
> We are using Apache authentication/authorization to limit access, not
> subversion.
>
> Up until we got into this lock issue, this kind of authorization scheme
> is working well. The problem surfaced when users set the needs-lock
> property on files.
>
> As I understand, the mod_authz_svn mechanism does not do any pattern
> matching, and out tests indicate that if we have a rule for
> [repo/project/branches/dev]
> that is does not match
> repo/project/branches/dev/module/source.ext
>
> We have branches like dev_gh, dev_phase2, dev_pl and based on the
> parent project control access to group members for that group.
>
> When I request a lock, the apache logs show several authenticated
> propfinds, and then a LOCK request without the authentication token.
> (Log snippet attached to previous message)
Maybe:
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt
doesn't match /ecomm/.*/webprojects? I think there's one forward slash too many?
HTH,
Erik.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Jeb <je...@penske.com>.
We are using Apache authentication/authorization to limit access, not
subversion.
Up until we got into this lock issue, this kind of authorization scheme
is working well. The problem surfaced when users set the needs-lock
property on files.
As I understand, the mod_authz_svn mechanism does not do any pattern
matching, and out tests indicate that if we have a rule for
[repo/project/branches/dev]
that is does not match
repo/project/branches/dev/module/source.ext
We have branches like dev_gh, dev_phase2, dev_pl and based on the
parent project control access to group members for that group.
When I request a lock, the apache logs show several authenticated
propfinds, and then a LOCK request without the authentication token.
(Log snippet attached to previous message)
Jeb
Erik Huelsmann wrote:
> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>>
>>
>> Erik Huelsmann wrote:
>>
>> >> httpd directives
>> >
>> # match urls for the 'ecomm' reposoitory, skip svn specific stuff,
>> webprojects group ( company conventions
>> # to separate functional development groups), dev.* developers use dev
>> branches
>
>
> Uhh. No, Subversion authentication/authorization doesn't work that
> way: you need to authorise at a repository level. DAV uses an internal
> URL scheme which doesn't match the URLs you match on here.
>
> You *need* to use mod_authz_svn if you want path-based access in your
> repository.
>
>
> bye,
>
>
> Erik.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Erik Huelsmann <eh...@gmail.com>.
On 6/26/06, Jeb <je...@penske.com> wrote:
>
>
> Erik Huelsmann wrote:
>
> >> httpd directives
> >
> # match urls for the 'ecomm' reposoitory, skip svn specific stuff,
> webprojects group ( company conventions
> # to separate functional development groups), dev.* developers use dev
> branches
Uhh. No, Subversion authentication/authorization doesn't work that
way: you need to authorise at a repository level. DAV uses an internal
URL scheme which doesn't match the URLs you match on here.
You *need* to use mod_authz_svn if you want path-based access in your
repository.
bye,
Erik.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Jeb <je...@penske.com>.
Erik Huelsmann wrote:
>> httpd directives
>
# match urls for the 'ecomm' reposoitory, skip svn specific stuff,
webprojects group ( company conventions
# to separate functional development groups), dev.* developers use dev
branches
>> <Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
>
# specify apache basic authentication chanllenge response
>> AuthType basic
>
# look up user/pwd here
>> AuthUserFile /opt/apache/subversion/conf/.auth.users
>
# grant read access, but force authentication
>> <Limit GET PROPFIND OPTIONS REPORT>
>> Require valid-user
>> </Limit>
>
# where to look up group memberships
>> AuthGroupFile conf/.auth.ecomm.webprojects.groups
>
# Realm name as displayed in Authentication Challenge - provides sanity
check also so we can
# verify which pattern is matching
>> AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
>
# For anything other than Read access, test group membership
>> <LimitExcept GET PROPFIND OPTIONS REPORT>
>> Require group developers onsite_lead super_users
>> </LimitExcept>
>> </Location>
>
>
> What should a location block like this mean to Apache?!
>
> bye,
>
>
> Erik.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: [Fwd: svn: Lock request failed: 401 Authorization Required]
Posted by Erik Huelsmann <eh...@gmail.com>.
> httpd directives
> <Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
> AuthType basic
> AuthUserFile /opt/apache/subversion/conf/.auth.users
> <Limit GET PROPFIND OPTIONS REPORT>
> Require valid-user
> </Limit>
> AuthGroupFile conf/.auth.ecomm.webprojects.groups
> AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require group developers onsite_lead super_users
> </LimitExcept>
> </Location>
What should a location block like this mean to Apache?!
bye,
Erik.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org