How to allow anonymous access, but not everyone access in path-based authorization?
I have a subversion server running with apache. It authenticates users using LDAP configuration and uses SVN path-based authorizations to limit user access to certain repositories. This works perfectly. Now, I have a service I want to setup (rietveld, for code reviews) that needs to have an anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added an apache configuration to allow accesses from this machine. without user authentication. |Limit GET PROPFIND OPTIONS REPORT Order allow,deny Allow from # private IP address Satisfy Any /Limit | This did not work until I add an additional line * = r in the authorization file to allow read access to all users. For instance, before I add the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the |-| user name in the apache log files, but the line |- = r| does not work, neither do |anonymous = r|. I'd like not to allow read access to everyone in SVN authorization. How can I do this? (More details in stackoverflow question http://stackoverflow.com/questions/2728021/how-to-allow-unamed-user-in-svn-authz-file
Re: How to allow anonymous access, but not everyone access in path-based authorization?
On Thu, Apr 29, 2010 at 3:09 PM, Didier Trosset didier_tros...@agilent.comwrote: I have a subversion server running with apache. It authenticates users using LDAP configuration and uses SVN path-based authorizations to limit user access to certain repositories. This works perfectly. Now, I have a service I want to setup (rietveld, for code reviews) that needs to have an anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added an apache configuration to allow accesses from this machine. without user authentication. |Limit GET PROPFIND OPTIONS REPORT Order allow,deny Allow from # private IP address Satisfy Any /Limit | This did not work until I add an additional line * = r in the authorization file to allow read access to all users. For instance, before I add the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the |-| user name in the apache log files, but the line |- = r| does not work, neither do |anonymous = r|. I'd like not to allow read access to everyone in SVN authorization. How can I do this? (More details in stackoverflow question http://stackoverflow.com/questions/2728021/how-to-allow-unamed-user-in-svn-authz-file IMHO there is no way to do it other than creating a dummy user and giving it access to all repositories in authorization file as we had similar issues integrating Subversion repositories with JIRA. -- Vishwajeet Singh +91-9657702154 | dextrou...@gmail.com | http://bootstraptoday.com Twitter: http://twitter.com/vishwajeets | LinkedIn: http://www.linkedin.com/in/singhvishwajeet
Re: How to allow anonymous access, but not everyone access in path-based authorization?
On Thu, Apr 29, 2010 at 11:53 AM, vishwajeet singh dextrou...@gmail.com wrote: On Thu, Apr 29, 2010 at 3:09 PM, Didier Trosset didier_tros...@agilent.com wrote: I have a subversion server running with apache. It authenticates users using LDAP configuration and uses SVN path-based authorizations to limit user access to certain repositories. This works perfectly. Now, I have a service I want to setup (rietveld, for code reviews) that needs to have an anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added an apache configuration to allow accesses from this machine. without user authentication. | Limit GET PROPFIND OPTIONS REPORT Order allow,deny Allow from # private IP address Satisfy Any /Limit | This did not work until I add an additional line * = r in the authorization file to allow read access to all users. For instance, before I add the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the |-| user name in the apache log files, but the line |- = r| does not work, neither do |anonymous = r|. I'd like not to allow read access to everyone in SVN authorization. How can I do this? (More details in stackoverflow question http://stackoverflow.com/questions/2728021/how-to-allow-unamed-user-in-svn-authz-file IMHO there is no way to do it other than creating a dummy user and giving it access to all repositories in authorization file as we had similar issues integrating Subversion repositories with JIRA. You can do this if you set up a separate Location block (referring to the same svn repo) for this anonymous access. Then they can each have their own authz file (or no authz file if it's not needed). I don't see another way. We do something like that: Location /svn DAV svn SVNPath /path/to/repos ... auth possible authz stuff /Location Location /svn_anon DAV svn SVNPath /path/to/repos ... auth authz stuff, Limit, ... for anonymous access within certain limits /Location Cheers, -- Johan
