On 2/12/2011 8:34 AM, m irya wrote:
The problem:
1) there's a directory on the server containing multiple svn
repositories roots, say /var/svn, with /var/svn/a, /var/svn/b, etc.
being repository roots
2) these repositories are accessed via HTTP, handled by Apache2 + mod_dav_svn
3) there's a MySQL user-password database we need to use to
authenticate access to those repositories
4) at last the problematic place itself: the repository
/var/svn/$username must be accessible (both read and write) only to
those who authenticated themselves as "$username" with a valid
password from the MySQL database

Currently I've stuck with two solutions (both incomplete) from tons of
manuals and how-tos:
a) AuthzSVNAccessFile could be a key to such an automatic repository
->  user binding, but updating the access rights file on changes to
MySQL database looks no way elegant, and will probably become a
bottleneck with growing users database
b) mod_auth_mysql (whatever one) makes it possible to transparently
use the users database in Apache config, but still I'm unable to find
a way to automatically Require user $username for a given repository
/var/svn/$username.

Please reply, if someone has an experience with such a configuration,
any ideas/thoughts are welcome.



I'm not sure I understand the problem. Except for not using mysql to access passwords, this is what I have now, and it works fine (with one very important caveat: see below). Here is part of my httpd.conf file:

<VirtualHost 1.2.3.4:80>
  ServerName repos1.mydomain.com
  ServerAlias mydomain.com
  ServerAdmin ad...@mydomain.com
  # just a placeholder:
  DocumentRoot "/home/user1"

  <Location /user1>
    DAV svn
    SVNPath /home/user1
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/passwd.user1
    Require valid-user
    AuthzSVNAccessFile /home/user1/conf/access.conf
  </Location>

  <Directory /home/user1>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  # log user1 operations separately from other users' operations
  CustomLog /var/log/httpd/svn_logfile "%t %u user1 %{SVN-ACTION}e" env=SVN-ACTION
</VirtualHost>

and the file /home/user1/conf/access.conf has:

[user1:/]
user1 = rw

There's been some name changing here, so this configuration has not been tested in this precise form :-) but you get the idea. Every repository has its own VirtualHost and its own access file; unless you have the password for the one user in the repository, you can't read any of it.

You don't need to have <VirtualHost> entries for each repository; I host multiple domains on a single machine and so I chose to have a different host name (e.g. user1.mydomain.com) for every repository. This also allows me to have user-specific access logging with CustomLog. You could simply have a set of <Location> entries at the top level of the httpd.conf file.

Note: <VirtualHost> with name-based hosts is incompatible with SSL access (https://). I have a small number of repositories (and some spare IP addresses), so in theory I could use network adapter aliasing with "ifconfig", but I haven't got that far yet. Last time I tried certificates I made a mess, and I spent too much time last month working on computers anyway.

Here's the big caveat: whenever a repository is added or removed (in your case, every time a user is added or removed), httpd must be restarted because a <Location> entry must be added or removed. This could be the big bottleneck, and if you use httpd to serve your repositories, it's unavoidable. I know that some publicly accessible Subversion hosting services (e.g. unfuddle.com) use http:// access, but I don't know how they manage adding or removing users (unfuddle.com advertises "up and running in as little as one minute").

So you need some method of getting the username and password from mysql to httpd (replacing AuthType and AuthUserFile), but otherwise it's pretty straightforward.

--
    David Chapman         dcchap...@acm.org
    Chapman Consulting -- San Jose, CA
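The access-file approach in both the question's option (a) and the reply above comes down to emitting one `[name:/]` section per repository that grants only the same-named user `rw`. The script below is an added example, not code from either poster: it renders such a file from a list of usernames and writes it atomically. It assumes the repository-per-user layout from the question (`/var/svn/<username>`) and takes the usernames from a constructed list in place of the MySQL query; the `users` table name mentioned in the comment is hypothetical. The two points it adds are the ones a practitioner would want before automating this: usernames coming out of a database are untrusted input to an INI-style file (a name containing `[`, `:` or a newline could open a new section), and since mod_authz_svn reads the file on each request, the replacement must be a single rename so Apache never serves a half-written file.

```python
"""Generate a mod_authz_svn access file giving each user exclusive rw access
to the repository named after them (/var/svn/<username>).

Added example for this thread, not either poster's own code.  The database
query is left out; a constructed username list stands in for it.
"""
import os
import re
import tempfile

# A username is interpolated into a section header ([name:/]) and a rule
# line, so anything that means something to that format ('[', ']', ':',
# '=', '#', '@', '$', '~', whitespace) must be rejected, not written out.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_username(name: str) -> str:
    """Return name unchanged, or raise ValueError if it could corrupt the file."""
    if not _SAFE_USERNAME.match(name):
        raise ValueError(f"username not safe for an authz file: {name!r}")
    return name


def render_authz(usernames) -> str:
    """Render one [user:/] section per repository, granting only that user rw.

    mod_authz_svn denies whatever is not explicitly granted, so no deny rule
    is needed: a user not named in a repository's section cannot even read it.
    """
    sections = []
    for name in sorted(set(usernames)):
        validate_username(name)
        sections.append(f"[{name}:/]\n{name} = rw\n")
    return "\n".join(sections)


def write_authz_atomically(path: str, content: str) -> None:
    """Replace the access file in one rename so a request never sees a partial file.

    mod_authz_svn re-reads the file per request, so an in-place
    truncate-and-write would briefly expose an empty (deny-all) or
    half-written policy to concurrent clients.
    """
    directory = os.path.dirname(os.path.abspath(path)) or "."
    fd, tmp = tempfile.mkstemp(prefix=".authz.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o640)  # readable by the httpd group only (assumed setup)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample; in production this list would be the result of
    # something like SELECT username FROM users (hypothetical table name).
    sample_users = ["alice", "bob", "alice"]
    print(render_authz(sample_users), end="")
```

Run this from whatever updates the user database (a cron job or a post-signup hook), pointing `write_authz_atomically` at the path named in `AuthzSVNAccessFile`; a rejected username should fail the whole run loudly rather than be silently skipped, since a skipped user simply gets no access to their own repository.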