8

I have multiple subversion repositories which are served up through Apache 2.2 and WebDAV. They are all located in a central place, and I used this debian-administration.org article as the basis (I dropped the use of the database authentication for a simple htpasswd file though).

Since then, I have also started using WebSVN. My issue is that not all users on the system should be able to access the different repositories, and the default setup of WebSVN is to allow anyone who can authenticate.

According to the WebSVN documentation, the best way around this is to use subversion's path access system, so I looked to create this, using the AuthzSVNAccessFile directive.

When I do this though, I keep getting "403 Forbidden" messages.

My files look like the following:

I have default policy settings in a file:

<Location /svn/>
  DAV svn
  SVNParentPath  /var/lib/svn/repository

  Order deny,allow
  Deny from all
</Location>

Each repository gets a policy file like below:

<Location /svn/sysadmin/>
    Include  /var/lib/svn/conf/default_auth.conf
    AuthName "Repository for sysadmin"
    require user joebloggs jimsmith mickmurphy
</Location>

The default_auth.conf file contains this:

SVNParentPath      /var/lib/svn/repository
AuthType           basic
AuthUserFile       /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf

I am not fully sure why I need the second SVNParentPath in default_auth.conf, but I just added that today as I was getting error messages as a result of adding the AuthzSVNAccessFile directive.

With a totally permissive access file

[/]
joebloggs = rw

the system worked fine (and was essentially unchanged), but as soon as I start trying to add any kind of restrictions such as

[sysadmin:/]
joebloggs = rw

instead, I get the 'Permission denied' errors again. The log file entries are:

[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin

What do I need to do to get this to work? Have I configured Apache wrong, or is my understanding of the svnaccess.conf file incorrect?

If I am going about this the wrong way, I have no particular attachment to my overall approach, so feel free to offer alternatives as well.

UPDATE (20090528-1600):

I attempted to implement this answer, but I still cannot get it to work properly.

I know most of the configuration is correct, as I have added

[/]
joebloggs = rw

at the start and 'joebloggs' then has all the correct access.

When I try to go repository-specific though, doing something like

[/]
joebloggs = rw

[sysadmin:/]
mickmurphy = rw

then I got a permission denied error for mickmurphy (joebloggs still works), with an error similar to what I already had previously

[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin

Also, I forgot to explain previously that all my repositories are underneath

/var/lib/svn/repository

UPDATE (20090529-1245):

Still no luck getting this to work, but all the signs seem to be pointing to the issue being with path-access control in subversion not working properly. My assumption is that I have not configured apache or svn to properly recognise my repository structure.

This is because the '[/]' entry seems to work perfectly.

It also occurs to me that this is a question that may belong better on StackOverflow?

UPDATE (20090603-1740):

In response to one of the comments to this question, my WebDAV setup for subversion itself is given the location /svn/repos but websvn is set to /websvn.

kaybenleroll
  • At which relative server url does your websvn run? In my current setup websvn is at /websvn, whereas the repository itself is at /svn – Sander Rijken Jun 02 '09 at 22:10
  • hi kaybenleroll can you help me on this? http://stackoverflow.com/questions/13541629/websvn-doesnt-ask-for-authentication-for-using-a-repository – Juned Nov 26 '12 at 11:10

5 Answers

5

The issue is probably relating to the splitting of configuration between two location directives, but I'm not sure.

Rather than defining permissions in two places (apache config and the authz file), just define them in the authz file. Like so:

httpd.conf

<Location /svn>
  DAV svn
  SVNParentPath /var/lib/svn/repository

  Require valid-user
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /path/to/.htpasswd

  SVNPathAuthz on
  AuthzSVNAccessFile /path/to/svn.authz
</Location>

svn.authz

[groups]
sysadmins = joebloggs, jimsmith, mickmurphy

# By default, nobody has any permissions
[/]
* = 

# sysadmins get access to the sysadmin repository
[sysadmin:/]
@sysadmins = rw

You would need the appropriate users in the htpasswd file too, obviously.

Alex J
  • can you help me on this ? http://stackoverflow.com/questions/13541629/websvn-doesnt-ask-for-authentication-for-using-a-repository – Juned Nov 26 '12 at 11:11
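Added example, not part of the original question or answers: a simplified Python model of how Subversion (1.9 and earlier) picks the authz section for a lookup, checking `[repo:/path]` before `[/path]` and then walking up to the parent path. The error log in the question names the lookup as `svn:/sysadmin`, that is, repository `svn` and path `/sysadmin`; fed to this model, the access file from the question's first UPDATE gives the same result the question reports. The function names `load`, `section_verdict` and `access` are made up for this illustration.

```python
import configparser

# Constructed sample: the access file from the question's first UPDATE.
AUTHZ = """
[/]
joebloggs = rw

[sysadmin:/]
mickmurphy = rw
"""

def load(text):
    """Parse authz text into (groups, {section: {principal: perms}})."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # user, group and repository names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):  # group members are comma-separated
        groups = {g: {u.strip() for u in v.split(",")} for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def section_verdict(entries, groups, user):
    """Union of rights from every line naming the user; None if no line does."""
    rights, matched = set(), False
    for who, perms in entries.items():
        in_group = who.startswith("@") and user in groups.get(who[1:], ())
        if who in ("*", user) or in_group:
            matched = True
            rights |= set(perms) & set("rw")
    return rights if matched else None

def access(authz, user, repo, path):
    """Rights ('', 'r' or 'rw') for user on repo:path; nearest section wins."""
    groups, rules = authz
    path = "/" + path.strip("/")
    while True:
        for name in (f"{repo}:{path}", path):  # repo-specific section first
            verdict = section_verdict(rules.get(name, {}), groups, user)
            if verdict is not None:
                return "".join(sorted(verdict))
        if path == "/":
            return ""  # no section mentions the user: access denied
        path = path.rsplit("/", 1)[0] or "/"

rules = load(AUTHZ)
print(repr(access(rules, "mickmurphy", "sysadmin", "/")))     # looked up as repo 'sysadmin'
print(repr(access(rules, "mickmurphy", "svn", "/sysadmin")))  # looked up as in the error log
```

When a repository-specific section never seems to apply, compare the `repo:path` pair in the "Access denied" log line with the section names in the access file.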
4

Have no idea whether or not you have solved this issue, but this is the procedure that works for me.

Forget fiddling with apache directives, instead edit WebSVN's config.php file and include/uncomment the following directive:

$config->useAuthenticationFile('/path/to/your/authz/file');

2

This works for me.

user1 can see "/" and "/project1"; user3 can see only "/project1".

[groups]
groupa = user1, user2
groupb = user3, user4

[/]
@groupa = rw

[/project1]
@groupb = rw

1

I have struggled with this quite a lot, and the only configuration that works for me is the following:

Authz file
------
[groups]
group1=user1
group2=user2

#Read and write for everyone defined in some group, others denied
[/]
@group1=rw
@group2=rw
*=

[project1:/]
@group1=rw
*=

[project2:/]
@group2=r
*=
----end authz file

As a result, group1 has read and write access to project1, and group2 has read access to project2. Everyone else does not have access to any projects.

I should emphasize that "project1" and "project2" are projects inside the repository defined in the Apache configuration file subversion.conf as follows:

Subversion.conf
----
LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn
   AuthType Basic
   AuthName "Name of the root repositories"
   Require valid-user
</Location>

<Location /svn/repos>
   AuthName "Subversion subrepository"
   AuthUserFile /var/www/svn/repos/conf/passwdfile
#Authz control
   AuthzSVNAccessFile /var/www/svn/repos/conf/authz
</Location>

-----end

My current problem is that it is not possible to list the projects at repository /svn/repos at all (although they can be properly accessed). The SVNListParentPath on directive does not help, regardless of where you put it.

Currently my /var/www/svn is not a repository, but just a directory in the server's filesystem. /var/www/svn/repos is a repository created with svnadmin create.

Bart De Vos
0

You should have read the websvn doc and everything would have been obvious :)

Also note that you should not use the AuthzSVNAccessFile command to define the access file.

Now that you've defined your authentication, you'll be asked for your user name and password in order to access the WebSVN directory. All that's left is to configure WebSVN to use your Subversion access file to control access. Add this line to your config.php file:

$config->useAuthenticationFile('/path/to/accessfile');

Bartek