Re: Combining public and private paths
Stefan Sperling wrote:
> > Can two svnserves share one repository?
>
> Yes. You can run as many server instances as you like, also with
> different access methods (e.g. http:// and svn:// at the same time).

I have read that different access methods can be used simultaneously.
I did not know it was possible for several svnserve processes to
access the same repository. That's great news.

I think it solves my problem, I will just setup another svnserve
process for anonymous users listening on a different TCP port, with a
special --config-file.

But wait. How do I setup per repository authz-db together with a
global svnserve.conf? My svnserve serves several repositories.

> > There will be no data corruption, will there?
>
> In general, no. There are some multi-access problems with BDB-based
> repositories running into issues with berkeleyDB where you might have

I use FSFS. In fact, I have hated BDB for many years since I ran slapd
and especially spamprobe with the BDB backend.

> to unwedge repositories using svnadmin recover:
> http://subversion.apache.org/faq.html#stuck-bdb-repos
>
> However, these days FSFS-based repositories are the default and
> they don't have that issue.

Do they have some locking mechanism?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Re: Combining public and private paths
On Fri, Feb 11, 2011 at 11:55:08PM +0600, Victor Sudakov wrote:
> Can two svnserves share one repository?

Yes. You can run as many server instances as you like, also with
different access methods (e.g. http:// and svn:// at the same time).

> There will be no data corruption, will there?

In general, no. There are some multi-access problems with BDB-based
repositories running into issues with berkeleyDB where you might have
to unwedge repositories using svnadmin recover:
http://subversion.apache.org/faq.html#stuck-bdb-repos

However, these days FSFS-based repositories are the default and
they don't have that issue.

Re: Combining public and private paths
Can two svnserves share one repository?
There will be no data corruption, will there?

Daniel Shahaf wrote:
> Workaround: you could run two svnserves with different configs, one
> allowing only anonymous access and one only authenticated access.
>
> I know httpd has the problem you're describing, I don't recall previous
> reports of it with svnserve.
>
> Victor Sudakov wrote on Thu, Feb 10, 2011 at 21:14:24 +0600:
> > == conf/authz:
> > [/]
> > @noc = rw
> >
> > [/foo]
> > $anonymous = r
> > $authenticated = rw
> >
> > does not work. A valid user from the noc group receives the following reply:
> >
> > $ svn diff -c2237 www.txt
> > svn: Unreadable path encountered; access denied
>
> It would be relevant to know www.txt absolute path.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Re: Combining public and private paths
Workaround: you could run two svnserves with different configs, one
allowing only anonymous access and one only authenticated access.

I know httpd has the problem you're describing, I don't recall previous
reports of it with svnserve.

Victor Sudakov wrote on Thu, Feb 10, 2011 at 21:14:24 +0600:
> == conf/authz:
> [/]
> @noc = rw
>
> [/foo]
> $anonymous = r
> $authenticated = rw
>
> does not work. A valid user from the noc group receives the following reply:
>
> $ svn diff -c2237 www.txt
> svn: Unreadable path encountered; access denied

It would be relevant to know www.txt absolute path.

Re: Combining public and private paths
What the "anon-access = none" option does is remove the ANONYMOUS mech
from the list of SASL mechs offered by svnserve (I see this in tcpflow).
If this mech is present in the mech list, the svn client does not bother
to authenticate even if a valid Kerberos ticket is available.

If the svn client had an option to enforce authentication even if
offered the ANONYMOUS mech by the server, the problem would be solved
IMHO. Which boils down to another problem I stated here about SASL mech
selection: http://tinyurl.com/4ntesca

John Conrad wrote:
> For what it's worth, I have run into the same problem and the only
> solution I have found is to switch to a different access method. As
> best as I can tell svnserve is simply not an option when trying to set
> up a repository with path based authentication when select areas are
> flagged inaccessible to anonymous users. I have recently switched from
> a svnserve to apache based setup and using the exact same authz-db
> file, svnserve failed to return "svn log" results for protected paths
> while apache worked correctly.
>
> The below issue on the SVN tracker I think refers to this issue and it
> has been open since Oct. 2009:
> http://subversion.tigris.org/issues/show_bug.cgi?id=3516
>
> Anyway, I could be totally wrong here, but I do not think what you
> want to do is possible with svnserve. I hope I am mistaken, but if
> not, sorry to be the bearer of bad news.
>
> On Thu, Feb 10, 2011 at 9:30 PM, Victor Sudakov wrote:
> > The problem is probably in the following. When anon-access is other
> > than "none", svnserve does not request authentication for some
> > important operations like "svn log", and I have found no way to force
> > it to request authentication. This effectively breaks path based
> > authorization.
> >
> > I have found some tricky solutions for the http access method (like
> > defining two aliases for the same repository), but none for the
> > svnserve method. Any help?
> >
> > Victor Sudakov wrote:
> >>
> >> I am trying to setup the following policy: a private repository with
> >> some public paths. Is such configuration supported at all?
> >>
> >> The following configuration:
> >>
> >> == conf/svnserve.conf:
> >> anon-access = read
> >> auth-access = write
> >> authz-db = authz
> >>
> >> == conf/authz:
> >> [/]
> >> @noc = rw
> >>
> >> [/foo]
> >> $anonymous = r
> >> $authenticated = rw
> >>
> >> does not work. A valid user from the noc group receives the following
> >> reply:
> >>
> >> $ svn diff -c2237 www.txt
> >> svn: Unreadable path encountered; access denied
> >>
> >> If I change "anon-access = read" to "anon-access = none", it begins to
> >> work for the valid user, but there is no anonymous access to anyone
> >> even to svn://myserver/foo despite the "$anonymous = r" clause.
> >>
> >> What am I doing wrong?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Combining public and private paths
For what it's worth, I have run into the same problem and the only
solution I have found is to switch to a different access method. As
best as I can tell svnserve is simply not an option when trying to set
up a repository with path based authentication when select areas are
flagged inaccessible to anonymous users. I have recently switched from
a svnserve to apache based setup and using the exact same authz-db
file, svnserve failed to return "svn log" results for protected paths
while apache worked correctly.

The below issue on the SVN tracker I think refers to this issue and it
has been open since Oct. 2009:
http://subversion.tigris.org/issues/show_bug.cgi?id=3516

Anyway, I could be totally wrong here, but I do not think what you
want to do is possible with svnserve. I hope I am mistaken, but if
not, sorry to be the bearer of bad news.

On Thu, Feb 10, 2011 at 9:30 PM, Victor Sudakov wrote:
> The problem is probably in the following. When anon-access is other
> than "none", svnserve does not request authentication for some
> important operations like "svn log", and I have found no way to force
> it to request authentication. This effectively breaks path based
> authorization.
>
> I have found some tricky solutions for the http access method (like
> defining two aliases for the same repository), but none for the
> svnserve method. Any help?
>
> Victor Sudakov wrote:
>>
>> I am trying to setup the following policy: a private repository with
>> some public paths. Is such configuration supported at all?
>>
>> The following configuration:
>>
>> == conf/svnserve.conf:
>> anon-access = read
>> auth-access = write
>> authz-db = authz
>>
>> == conf/authz:
>> [/]
>> @noc = rw
>>
>> [/foo]
>> $anonymous = r
>> $authenticated = rw
>>
>> does not work. A valid user from the noc group receives the following reply:
>>
>> $ svn diff -c2237 www.txt
>> svn: Unreadable path encountered; access denied
>>
>> If I change "anon-access = read" to "anon-access = none", it begins to
>> work for the valid user, but there is no anonymous access to anyone
>> even to svn://myserver/foo despite the "$anonymous = r" clause.
>>
>> What am I doing wrong?
>>
>> --
>> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
>> sip:suda...@sibptus.tomsk.ru
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
>

Re: Combining public and private paths
The problem is probably in the following. When anon-access is other
than "none", svnserve does not request authentication for some
important operations like "svn log", and I have found no way to force
it to request authentication. This effectively breaks path based
authorization.

I have found some tricky solutions for the http access method (like
defining two aliases for the same repository), but none for the
svnserve method. Any help?

Victor Sudakov wrote:
>
> I am trying to setup the following policy: a private repository with
> some public paths. Is such configuration supported at all?
>
> The following configuration:
>
> == conf/svnserve.conf:
> anon-access = read
> auth-access = write
> authz-db = authz
>
> == conf/authz:
> [/]
> @noc = rw
>
> [/foo]
> $anonymous = r
> $authenticated = rw
>
> does not work. A valid user from the noc group receives the following reply:
>
> $ svn diff -c2237 www.txt
> svn: Unreadable path encountered; access denied
>
> If I change "anon-access = read" to "anon-access = none", it begins to
> work for the valid user, but there is no anonymous access to anyone
> even to svn://myserver/foo despite the "$anonymous = r" clause.
>
> What am I doing wrong?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Combining public and private paths
Dear Colleagues,

I am trying to setup the following policy: a private repository with
some public paths. Is such configuration supported at all?

The following configuration:

== conf/svnserve.conf:
anon-access = read
auth-access = write
authz-db = authz

== conf/authz:
[/]
@noc = rw

[/foo]
$anonymous = r
$authenticated = rw

does not work. A valid user from the noc group receives the following
reply:

$ svn diff -c2237 www.txt
svn: Unreadable path encountered; access denied

If I change "anon-access = read" to "anon-access = none", it begins to
work for the valid user, but there is no anonymous access to anyone
even to svn://myserver/foo despite the "$anonymous = r" clause.

What am I doing wrong?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
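
The authz rules and anon-access setting from this thread, modelled as an added example (not part of any message above and not Subversion's own code): it resolves rights per path for anonymous and named users, then lists the sections that are private while svnserve still accepts anonymous connections, the combination the posters report as failing. The `[general]` header, the `[groups]` contents and the user `alice` are assumptions, and the lookup is simplified (no nested groups, aliases, `~` negation or `repos:` prefixes).

```python
import configparser

# Constructed sample: the two files from the original post, plus a [general]
# header and a [groups] section (user "alice" is hypothetical) it does not show.
SVNSERVE_CONF = "[general]\nanon-access = read\nauth-access = write\nauthz-db = authz\n"
AUTHZ = """
[groups]
noc = alice
[/]
@noc = rw
[/foo]
$anonymous = r
$authenticated = rw
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def matches(name, user, groups):
    """Does authz entry `name` apply to `user`? (user None = anonymous)"""
    if name == "*":
        return True
    if name in ("$anonymous", "$authenticated"):
        return (user is None) == (name == "$anonymous")
    if name.startswith("@"):
        return user in groups.get(name[1:], ())
    return name == user

def access(authz, user, path):
    """Simplified lookup: rights from the deepest section naming the user."""
    groups = {}
    if authz.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",")} for g, v in authz.items("groups")}
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        section = "/" + "/".join(parts[:depth])
        if authz.has_section(section):
            hits = [v.strip() for k, v in authz.items(section) if matches(k, user, groups)]
            if hits:
                return max(hits, key=len)  # '' < 'r' < 'rw'
    return ""  # no rule matched: no access

def audit(conf, authz, user):
    """Sections `user` can read but anonymous cannot, while anon-access != none."""
    if conf.get("general", "anon-access", fallback="read") == "none":
        return []
    return [s for s in authz.sections() if s.startswith("/")
            and access(authz, user, s) and not access(authz, None, s)]

if __name__ == "__main__":
    print(audit(load(SVNSERVE_CONF), load(AUTHZ), "alice"))  # ['/']
```

A non-empty result means the repository mixes anonymous-readable and private paths on one svnserve instance, which is where the two-instance workaround suggested in the thread applies.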