You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Jeb <je...@penske.com> on 2006/06/26 11:08:00 UTC

[Fwd: svn: Lock request failed: 401 Authorization Required]

Authorizatio driectives added to previous post

Having trouble with locking.  Checked out existing project, added a file, 
committed. Tried to get lock, receive error as below. We have security enabled via apache 
directives.  It appears the svn client is not caching the credentials 
properly for lock requests.

How can I work around this?}
thanks
Jeb Beasley

ERROR
svn client 1.3.0
C:\msdev\projects\_autotest_webproj_035>svn lock test.txt --username 
jeb.beasley<at>penske<dot>com --password *******
svn: Lock request failed: 401 Authorization Required (http://ghlx035ptlge.penske.com)


httpd directives
<Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
    AuthType basic
    AuthUserFile /opt/apache/subversion/conf/.auth.users
    <Limit GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </Limit>
    AuthGroupFile conf/.auth.ecomm.webprojects.groups
    AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group developers onsite_lead super_users
    </LimitExcept>
</Location>



apache 2.054 DAV/2 SVN/1.3.0  Linux RHAS
apache logs
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633 
1673 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633 
1787 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700 
225085 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700 
225144 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/vcc/default 207 576 456 4148 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/vcc/default 207 576 456 4172 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/bln/378 207 631 489 5627 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/bln/378 207 631 489 5677 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478 
94309 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478 
94358 "SVN/1.3.0 (r17949) neon/0.25.4" "-"


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Jeb <je...@penske.com>.

Thanks for the info on the patch. That will likely help us get around 
this issue. We may have to seriously  rethink our security process.

I am attepting to illustrate what seems like a bug in the svn client.  
It seems to have existed in earlier versions
@see
http://www.pushok.com/tickets_addmodify.php?id=774
http://svn.haxx.se/dev/archive-2005-08/0466.shtml

Related to this - I have another post on this site related to this
If I own the lock and try to commit a change I also get an error and on 
the server a [notice] child pid 1663 exit signal Segmentation fault (11)

http://svn.haxx.se/users/archive-2006-06/0948.shtml

Thanks for the prompt feedback you have been giving me!

Jeb

Erik Huelsmann wrote:

> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>> I saw that too, we have tested with  /ecomm.*/webprojects as well.
>> Either way, it challenges everything else, but does not submit
>> credentials on the actual LOCK request
>
>
> Well, I guess you just proved that you must use mod_authz_svn... If it
> doesn't do what you want, maybe you can extend it yourself, or try
>
> http://svn.haxx.se/dev/archive-2005-02/0631.shtml
>
> to see if it does what you want.
>
> HTH,
>
>
> Erik.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Erik Huelsmann <eh...@gmail.com>.

On 6/26/06, Jeb <je...@penske.com> wrote:
> I saw that too, we have tested with  /ecomm.*/webprojects as well.
> Either way, it challenges everything else, but does not submit
> credentials on the actual LOCK request

Well, I guess you just proved that you must use mod_authz_svn... If it
doesn't do what you want, maybe you can extend it yourself, or try

http://svn.haxx.se/dev/archive-2005-02/0631.shtml

to see if it does what you want.

HTH,


Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Jeb <je...@penske.com>.

I saw that too, we have tested with  /ecomm.*/webprojects as well.
Either way, it challenges everything else, but does not submit 
credentials on the actual LOCK request

Sample from logs below.  the initial challenge on the first two lines 
collects the credentials.  The credentials are used for several 
PROPFINDs and then not used for the actual LOCK.  The first number after 
the URI is the http status code.  The field after the IP address is the 
user credential {REMOTE_USER}

Note the timestamp for all records is the same.  This is one svn 
TortoiseSVN action.

apache logs
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633 
1673 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 813 633 
1787 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700 
225085 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 207 964 700 
225144 "SVN/1.3.0 (r1
7949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/vcc/default 207 576 456 4148 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/vcc/default 207 576 456 4172 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/bln/378 207 631 489 5627 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 jeb.beasley@penske.com httpd PROPFIND 
/svn/ecomm/!svn/bln/378 207 631 489 5677 "SVN/1.3.0 (r17949) 
neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478 
94309 "SVN/1.3.0 (r17949) neon/0.25.4" "-"
2006-06-22 12:13:36 3.144.56.85 - httpd LOCK 
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt 401 692 478 
94358 "SVN/1.3.0 (r17949) neon/0.25.4" "-"

Erik Huelsmann wrote:

> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>> We are using Apache authentication/authorization to limit access, not
>> subversion.
>>
>> Up until we got into this lock issue, this kind of authorization scheme
>> is working well.  The problem surfaced when users set the needs-lock
>> property on files.
>>
>> As I understand, the mod_authz_svn mechanism does not do any pattern
>> matching, and out tests indicate that if we have a rule for
>> [repo/project/branches/dev]
>> that is does not match
>> repo/project/branches/dev/module/source.ext
>>
>> We have branches like dev_gh, dev_phase2, dev_pl  and based on the
>> parent project control access to group members for that group.
>>
>> When I request a lock, the apache logs show several authenticated
>> propfinds, and then a LOCK request without the authentication token.
>> (Log snippet attached to previous message)
>
>
> Maybe:
> /svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt
>
> doesn't match /ecomm/.*/webprojects? I think there's one forward slash 
> too many?
>
> HTH,
>
>
> Erik.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Erik Huelsmann <eh...@gmail.com>.

On 6/26/06, Jeb <je...@penske.com> wrote:
> We are using Apache authentication/authorization to limit access, not
> subversion.
>
> Up until we got into this lock issue, this kind of authorization scheme
> is working well.  The problem surfaced when users set the needs-lock
> property on files.
>
> As I understand, the mod_authz_svn mechanism does not do any pattern
> matching, and out tests indicate that if we have a rule for
> [repo/project/branches/dev]
> that is does not match
> repo/project/branches/dev/module/source.ext
>
> We have branches like dev_gh, dev_phase2, dev_pl  and based on the
> parent project control access to group members for that group.
>
> When I request a lock, the apache logs show several authenticated
> propfinds, and then a LOCK request without the authentication token.
> (Log snippet attached to previous message)

Maybe:
/svn/ecomm/webprojects/autotest/branches/dev_gh/test.txt

doesn't match /ecomm/.*/webprojects? I think there's one forward slash too many?

HTH,


Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Jeb <je...@penske.com>.

We are using Apache authentication/authorization to limit access, not 
subversion.

Up until we got into this lock issue, this kind of authorization scheme 
is working well.  The problem surfaced when users set the needs-lock 
property on files. 

As I understand, the mod_authz_svn mechanism does not do any pattern 
matching, and out tests indicate that if we have a rule for
[repo/project/branches/dev]
that is does not match
repo/project/branches/dev/module/source.ext

We have branches like dev_gh, dev_phase2, dev_pl  and based on the 
parent project control access to group members for that group.

When I request a lock, the apache logs show several authenticated 
propfinds, and then a LOCK request without the authentication token.  
(Log snippet attached to previous message)

Jeb

Erik Huelsmann wrote:

> On 6/26/06, Jeb <je...@penske.com> wrote:
>
>>
>>
>> Erik Huelsmann wrote:
>>
>> >> httpd directives
>> >
>> # match urls for the 'ecomm' reposoitory, skip svn specific stuff,
>> webprojects group ( company conventions
>> # to separate functional development groups),  dev.*  developers use dev
>> branches
>
>
> Uhh. No, Subversion authentication/authorization doesn't work that
> way: you need to authorise at a repository level. DAV uses an internal
> URL scheme which doesn't match the URLs you match on here.
>
> You *need* to use mod_authz_svn if you want path-based access in your
> repository.
>
>
> bye,
>
>
> Erik.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Erik Huelsmann <eh...@gmail.com>.

On 6/26/06, Jeb <je...@penske.com> wrote:
>
>
> Erik Huelsmann wrote:
>
> >> httpd directives
> >
> # match urls for the 'ecomm' reposoitory, skip svn specific stuff,
> webprojects group ( company conventions
> # to separate functional development groups),  dev.*  developers use dev
> branches

Uhh. No, Subversion authentication/authorization doesn't work that
way: you need to authorise at a repository level. DAV uses an internal
URL scheme which doesn't match the URLs you match on here.

You *need* to use mod_authz_svn if you want path-based access in your
repository.

bye,

Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Jeb <je...@penske.com>.


Erik Huelsmann wrote:

>> httpd directives
>
# match urls for the 'ecomm' reposoitory, skip svn specific stuff, 
webprojects group ( company conventions
# to separate functional development groups),  dev.*  developers use dev 
branches

>> <Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
>
# specify apache basic authentication chanllenge response

>>    AuthType basic
>
# look up user/pwd here

>>    AuthUserFile /opt/apache/subversion/conf/.auth.users
>
# grant read access, but force authentication

>>    <Limit GET PROPFIND OPTIONS REPORT>
>>        Require valid-user
>>    </Limit>
>
# where to look up group memberships

>>    AuthGroupFile conf/.auth.ecomm.webprojects.groups
>
# Realm name as  displayed in Authentication Challenge - provides sanity 
check also so we can
# verify which pattern is matching

>>    AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
>
# For anything other than Read access, test group membership

>>    <LimitExcept GET PROPFIND OPTIONS REPORT>
>>        Require group developers onsite_lead super_users
>>    </LimitExcept>
>> </Location>
>
>
> What should a location block like this mean to Apache?!
>
> bye,
>
>
> Erik.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: [Fwd: svn: Lock request failed: 401 Authorization Required]

Posted by Erik Huelsmann <eh...@gmail.com>.

> httpd directives
> <Location ~ /ecomm/.*/webprojects/.*/branches/dev.*/>
>    AuthType basic
>    AuthUserFile /opt/apache/subversion/conf/.auth.users
>    <Limit GET PROPFIND OPTIONS REPORT>
>        Require valid-user
>    </Limit>
>    AuthGroupFile conf/.auth.ecomm.webprojects.groups
>    AuthName "Subversion Source Control ecomm/webprojects/branches/dev"
>    <LimitExcept GET PROPFIND OPTIONS REPORT>
>        Require group developers onsite_lead super_users
>    </LimitExcept>
> </Location>

What should a location block like this mean to Apache?!

bye,


Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org