Thank you very much

On 07/20/2011 10:27 PM, Geoff Hoffman wrote:
Andy,

I thought you were off Apache and onto svnserve. Anyway, I sent you this info last week - maybe you missed it. It is pasted again below. I will grant to you that it is tricky to set up. The David Winter blog post below spells it out perfectly... for a single repo setup, multiple users. For multi-user, multi-repo setup see my pasted config files below. One thing to note that is confusing is that if your repos are at /subversion/repos/repo1 your <Location /svn> stays the same. The /svn bit there is what appears in the URL address bar, it's not a filesystem path.

I have 10 repositories, project1 through project10, physically located on Ubuntu filesystem at
/svn/project1
/svn/project2
...
/svn/project10


Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come with the file. This was installed using apt-get on Ubuntu 10.04 LTS.)

<Location /svn>
  # Uncomment this to enable the repository
  DAV svn

  # Set this to the path to your repository
  #SVNPath /svn
  # Alternatively, use SVNParentPath if you have multiple repositories under
  # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
  # You need either SVNPath and SVNParentPath, but not both.
  SVNParentPath /svn
  SVNListParentPath on
This was the line missing from my config file; it allows me to see the overall pictures. Thanks!

# From http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl

  #Order deny,allow
  Deny from all
  Satisfy any
Makes sense. I changed mine to fit yours.

  # Access control is done at 3 levels: (1) Apache authentication, via
  # any of several methods.  A "Basic Auth" section is commented out
  # below.  (2) Apache <Limit> and <LimitExcept>, also commented out
  # below.  (3) mod_authz_svn is a svn-specific authorization module
  # which offers fine-grained read/write access control for paths
  # within a repository.  (The first two layers are coarse-grained; you
  # can only enable/disable access to an entire repository.)  Note that
  # mod_authz_svn is noticeably slower than the other two layers, so if
  # you don't need the fine-grained control, don't configure it.

  # Basic Authentication is repository-wide.  It is not secure unless
  # you are using https.  See the 'htpasswd' command to create and
  # manage the password file - and the documentation for the
  # 'auth_basic' and 'authn_file' modules, which you will need for this
  # (enable them with 'a2enmod').

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd

  # To enable authorization via mod_authz_svn
  AuthzSVNAccessFile /etc/apache2/dav_svn.authz

  # The following three lines allow anonymous read, but make
  # committers authenticate themselves.  It requires the 'authz_user'
  # module (enable it with 'a2enmod').
  #<LimitExcept GET PROPFIND OPTIONS REPORT>
     Require valid-user
  #</LimitExcept>
</Location>


Now, here is my /etc/apache2/dav_svn.authz file.


[groups]
group1 = usera, userb, userc, userd, usere
group2 = userc, userb
group3 = userf, userg
group4 = usera, userb, userc, userd, usere, userf
group5 = userh


[/]
@group1 = rw
@group2 =
@group3 =
@group4 =
@group5 =

[project1:/]
@group1 = rw

[project2:/]
@group1 = rw
userg = rw
userf = rw

[project4:/]
@group1 = rw

[project5:/]
@group11 = rw

[project6:/]
@group1 = rw
@group5 = rw

[project7:/]
@group1 = rw

[project8:/]
@group1 = rw

[project9:/]
@group1 = rw

[project10:/]
@group1 = rw
@group4 = rw

I notice that you don't have any entries that read "... = r"; everyone who can read can write also. No need?

There is no need to send you the dav_svn.passwd - it merely lists usera through userh with their hashed password. You use the htpasswd program to set your users up.

Here is the email I sent before...

I read (skimmed) all your posts, and I'm a little confused but I think I know where you're going. I'm not sure if you're using Apache to serve your repositories. If you are, you should check out this: http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/
and this https://help.ubuntu.com/community/Subversion

I recently followed the blog above and got everything set up how I think you want it. You can control user access to multiple repos in three ways, the blog explains it all, except one thing. I found that this is for folder-level control on one repository:

[/]
@team = r
bob = rw

[/wowapp/trunk]
@team = r
@devteam = rw
brenda = rw

In my authz control file, multiple repositories are done like this (note the repo name and colon):

[repoA:/]
@team = r
bob = rw

[repoB:/]
@team = r
@devteam = rw
brenda = rw

I also put websvn on it, and use the configuration option
Looks interesting; I installed it. Lots of configuration to do; will do later.

$config->useAuthenticationFile('/path/to/your/authz/file');

which I found on this stackoverflow QA <http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn>.
Whoops! I did it, but it doesn't look right. Having recently learned the difference between 'authentication' (who are you?) and 'authorization' (what are you allowed to do?), I jumped at setting the authentication file to an authorization file. Sure, it must work, but why?

Again, thank you for everything.
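
An added example, not part of either message: a small Python check over an authz file in the multi-repository layout quoted above. It reports rules that name a group the [groups] section never defines and lists which users each section grants write access. The sample file and every name in it are constructed; nested groups, aliases and the ~ prefix are not handled.

```python
import re

# Constructed sample in the multi-repository layout discussed above;
# all names are made up and @qa is deliberately never defined.
SAMPLE = """\
[groups]
devs = alice, bob
ops = carol
[/]
@devs = rw
* =
[repoA:/]
@ops = r
dave = rw
[repoB:/trunk]
@qa = rw
"""

def parse_authz(text):
    """Return (groups, rules); rules maps section name -> {principal: perm}."""
    groups, rules, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blanks and comment lines
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[name] = [m.strip() for m in value.split(",") if m.strip()]
        elif section:
            rules.setdefault(section, {})[name] = value
    return groups, rules

def undefined_groups(groups, rules):
    """Every (section, '@group') rule that names a group [groups] lacks."""
    return sorted((sec, p) for sec, acl in rules.items() for p in acl
                  if p.startswith("@") and p[1:] not in groups)

def writers(groups, rules):
    """Map each section to the users whose rule in it grants write ('w')."""
    out = {}
    for sec, acl in rules.items():
        out[sec] = set()
        for p, perm in acl.items():
            if "w" in perm:
                out[sec] |= set(groups.get(p[1:], [])) if p.startswith("@") else {p}
    return out
```

Run it against a copy of the real authz file by passing the file's text to parse_authz; an empty permission (as in "* =") counts as no access and never shows up under writers.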
