Enabling per directory permissions in subversion (readonly, hidden, with apache, svn access file, LDAP). Tutorial

By neokrates, written on February 24, 2011


Subversion with Apache allows you to enable read only access or hide directories. Access can be based on user, group or LDAP criteria.

1

Apache Modules to enable per-directory access in SVN

Apache needs the modules for DAV, SVN and per-directory SVN authorization, plus the LDAP module.

First, make sure these Apache modules are loaded. This should be the full list of what is needed:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authn_alias_module modules/mod_authn_alias.so

If anything was missing, add it and restart Apache.

2

Identify the user, basic challenge

In your httpd.conf you need to configure the location for the SVN repository yourrepo.

Here we do the following things:
1) The repository is reachable at the URL /svn/yourrepo, e.g. http://your.server/svn/yourrepo
2) The local repo is in C:\repos\yourrepo
3) We use LDAP to identify the user and make sure he belongs to “some” group
4) As we know the user name, we decide which directories he can read and write

...
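<Location /svn/yourrepo>
  DAV svn
  # SVNPath serves the single repository at this path
  # (SVNParentPath would expect a directory that contains several repositories)
  SVNPath "C:\repos\yourrepo"

  # Order allow,deny rejects every host unless an Allow matches;
  # the authentication below is still required
  Order allow,deny
  Allow from all

  AuthType Basic
  AuthName SubVer
  AuthLDAPUrl "ldap://server:389/query_string_comes_here"
  AuthLDAPBindDN "cn=bind_string_comes_here"
  # The bind password is stored in clear text: keep httpd.conf readable
  # by the Apache service account only
  AuthLDAPBindPassword "pass_for_ldap"
  AuthLDAPGroupAttribute member

  require ldap-group member_of_specific_group

  AuthzLDAPAuthoritative off
  # LDAP will identify the user
  AuthBasicProvider ldap

  # Control svn access
  AuthzSVNAccessFile "C:\repos\svnaccessfile"
</Location>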
...

3

Edit Svn access file

I define two groups. The first is allowed to read /branches/hideme; it contains me and the great general oda.nabunaga :)
The second group is allowed to write to /branches/hideme, and only I am in it.
Other users will not be able to open /branches/hideme at all.

The [groups] section declares the two groups:

readonly = uwarov,oda.nabunaga
readwrite = uwarov

Here I give everyone read and write access to the whole repository:

[yourrepo:/]
* = rw

But here I restrict permissions for /branches/hideme:

[yourrepo:/branches/hideme]
@readwrite = rw 
@readonly = r
* = 

All together, my svnaccessfile looks like:

[groups]
readonly = uwarov,oda.nabunaga
readwrite = uwarov
[yourrepo:/]
* = rw
[yourrepo:/branches/hideme]
@readwrite = rw 
@readonly = r
* = 
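
To check what this file grants before relying on it, here is an added example (not part of the original tutorial and not Subversion's own parser): a small Python model of how the path rules resolve. It assumes the nearest section with an entry matching the user decides, and that all matching entries in that section are combined; the function names are hypothetical.

```python
import configparser

# The tutorial's svnaccessfile, reproduced inline as sample input.
ACCESS_FILE = """\
[groups]
readonly = uwarov,oda.nabunaga
readwrite = uwarov
[yourrepo:/]
* = rw
[yourrepo:/branches/hideme]
@readwrite = rw
@readonly = r
* =
"""

def load(text):
    """Parse the access file into (groups, rules keyed by section name)."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str              # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in members.split(",")}
              for g, members in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def matches(who, user, groups):
    """Does an entry name ('*', '@group' or a user name) apply to this user?"""
    if who == "*":
        return True
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who == user

def effective_access(user, repo, path, text=ACCESS_FILE):
    """Return 'rw', 'r' or '' (no access, path hidden) for user on repo:path."""
    groups, rules = load(text)
    parts = [p for p in path.split("/") if p]
    # Walk from the path itself up to the repository root.
    for depth in range(len(parts), -1, -1):
        section = f"{repo}:/" + "/".join(parts[:depth])
        hits = [perm for who, perm in rules.get(section, {}).items()
                if matches(who, user, groups)]
        if hits:                      # nearest section with a matching entry decides
            granted = set("".join(hits))
            return "".join(c for c in "rw" if c in granted)
    return ""                         # no rule applies anywhere: no access
```

Calling effective_access("some.user", "yourrepo", "/branches/hideme/src") for each account you care about shows who can still see the hidden branch after an edit.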

IMPORTANT
1. Adding the AuthzSVNAccessFile "C:\repos\svnaccessfile" line requires a restart of Apache to take effect. After that, edits to svnaccessfile take effect immediately.

2. Be very careful when restricting sub paths:
– If you restrict /trunk/my/deep/sub/path
– NOBODY without read permission on that path will be able to branch, etc… That is quite problematic in a big enterprise.

3. You can always take back permissions for a subdirectory by using the form @group = (with nothing after the equals sign). It reads: members of @group are not allowed here.

  
  

have fun
