7

I'm using Apache 2.4, and I wish to use it without mod_access_compat.

I'm trying to serve SVN repositories, with access control handled by mod_authz_svn.

I want some repos or locations within repos to have read-only anonymous access. I want other repos or locations to require basic authentication.

Apache 2.4 no longer supports the Satisfy all syntax; however, mod_authz_svn seems to expect it. How is this supposed to be configured on Apache 2.4?

Apache config:

 <Location /svn>
        DAV svn
        SVNParentPath /usr/projects/svn
        AuthType Basic
        AuthName "SVN repository"
        AuthUserFile /usr/project-config/etc/svn-auth-file
        AuthzSVNAccessFile /usr/project-config/etc/svn-access-control
        Require valid-user
 </Location>

svn-access-control:

# cat etc/svn-access-control
[/]
antiduh = rw

[openprojects:/]
* = r
antiduh = rw

I have 5 repos; openprojects is the only one I want to have anonymous read-only access to. I cannot seem to get this to work. Even the most recent documentation I could find for mod_authz_svn continues to use Satisfy all.

antiduh
  • Why don't you want to use `mod_access_compat`? – Moshe Katz Jun 19 '14 at 20:16
  • I can, I just don't want to. If Apache has changed the auth/access model, I want to find out how to do things in the new model. – antiduh Jun 19 '14 at 20:18
  • Poking around in mod_authz_svn's source, it's looking like it has a hard dependency on `ap_satisfies(r) == SATISFY_ANY`. I think that means it isn't supported outside of mod_access_compat, but I'll leave the question up for a while if someone else can think of something. – antiduh Jun 19 '14 at 20:54

3 Answers

3

Poking around in mod_authz_svn's source, it's looking like it has a hard dependency on ap_satisfies(r) == SATISFY_ANY. I'm not entirely familiar with the Apache API model, but this would appear to indicate that mod_authz_svn does not currently support Apache 2.4's new authentication model.

Since nobody else has come up with an answer or with contrary evidence, I'm going to mark this as the answer.

To make this work under Apache 2.4, load the mod_access_compat module:

LoadModule access_compat_module libexec/apache24/mod_access_compat.so

And then add the Satisfy any clause, just as the documentation currently indicates.

 <Location /svn>
    DAV svn
    SVNParentPath /usr/home/antiduh/svn
    AuthType Basic
    AuthName "SVN repository"
    AuthUserFile /usr/home/antiduh/svn/etc/svn-auth-file
    AuthzSVNAccessFile /usr/home/antiduh/svn/etc/svn-access-control
    Satisfy any
    Require valid-user
 </Location>
antiduh
  • I do have the same issue which troubles me and my colleagues... Do you have any better solution? At least with LDAP used for authentication of users, your solution does not seem to work properly :( – MWiesner Sep 24 '15 at 09:50
0

In most cases, the 2.4 equivalent of Satisfy All is to enclose the Require directives in a <RequireAll> block. The equivalent of Satisfy Any would be a <RequireAny> block.

For more information on the changes and equivalents, this presentation (PDF) by Rich Bowen might be helpful.

Moshe Katz
  • I had tried that - `Require valid-user` is what I tried, which doesn't really make a lot of sense, but it's all I can attempt. – antiduh Jun 19 '14 at 20:51
0

It's possible to create a separate Location without auth for a subset of the SVN protocol commands, such as:

<Location /subversion-open>
  DAV                    svn
  SVNParentPath          /path/to/svn-repos/subversion-open
  SVNListParentPath      Off
  SVNReposName           "SVN repos"
  AuthzSVNAccessFile     /path/to/svn-authz-file

  # Limit write permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    AuthType               Basic
    AuthBasicProvider      file PAM
    AuthUserFile           /path/to/svn-htpasswd-file
    AuthPAMService         httpd_svn
    AuthName               "Open access SVN repos"

    Require                valid-user
  </LimitExcept>
</Location>

This lets unauthenticated users read the repos, and authenticated users get access according to the svn-authz-file rules. (In this example we also allow auth via PAM for system users as well as those in the htpasswd file.)

David Gardner
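
Whichever Apache configuration is used, it is worth checking which repositories the authz file itself opens to unauthenticated readers. The following is an added example, not code from any of the posts or from Subversion: it parses a file in the format of the question's `svn-access-control` and lists the repositories whose root carries a `*` read grant. It assumes a simplified model (only `*` entries are considered, the nearest section wins, groups, aliases and the `$anonymous` token are ignored); the `[openprojects:/private]` section and the repo name `internal` are constructed for illustration.

```python
import configparser

# Constructed input: the question's svn-access-control, plus one
# hypothetical [openprojects:/private] section to show an override.
AUTHZ_SAMPLE = """\
[/]
antiduh = rw

[openprojects:/]
* = r
antiduh = rw

[openprojects:/private]
* =
"""

def load_star_rules(text):
    """Return {(repo or None, path): access} for every section with a '*' entry."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.optionxform = str  # keep user names and '*' exactly as written
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases") or "*" not in cp[section]:
            continue
        if section.startswith("/"):
            repo, path = None, section              # [/path] applies to all repos
        else:
            repo, _, path = section.partition(":")  # [repo:/path]
        rules[(repo, path.rstrip("/") or "/")] = cp[section]["*"].strip()
    return rules

def anonymous_access(rules, repo, path="/"):
    """Nearest '*' rule wins; the repo-specific section beats the global one."""
    path = "/" + path.strip("/")
    while True:
        for key in ((repo, path), (None, path)):
            if key in rules:
                return rules[key]
        if path == "/":
            return ""                               # no '*' rule: no anonymous access
        path = path.rsplit("/", 1)[0] or "/"

def anonymously_readable(rules, repos):
    """Repositories whose root an unauthenticated client may read."""
    return sorted(r for r in repos if "r" in anonymous_access(rules, r))

if __name__ == "__main__":
    rules = load_star_rules(AUTHZ_SAMPLE)
    print(anonymously_readable(rules, ["openprojects", "internal"]))
```

Run against the real access file and the full list of repository names, an unexpected entry in the output means a `*` grant is wider than intended.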