Enabling per directory permissions in subversion (readonly, hidden, with apache, svn access file, LDAP)
Tutorial by neokrates, written on February 24, 2011
Subversion with Apache allows you to enable read only access or hide directories. Access can be based on user, group or LDAP criteria.
Apache Modules to enable per-directory access in SVN
There are Apache modules for SVN, DAV, per-directory access, and LDAP.
First, make sure the Apache modules are loaded. Here is what is hopefully the full list of what is needed:

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
    LoadModule authn_alias_module modules/mod_authn_alias.so

If something is missing, add it and restart Apache.
Identify the user, basic challenge
In your httpd.conf you will need to configure the location for the SVN repository yourrepo.
Here, we do the following things:
1) /svn/yourrepo URL can be connected to like
2) Local repo is in
3) We use LDAP to identify the user and make sure he belongs to “some” group
4) As we know the user name, we decide which directories he can read and write

    ...
    <Location /svn/yourrepo>
      DAV svn
      SVNParentPath "C:\repos\yourrepo"
      Order allow,deny
      AuthType Basic
      AuthName SubVer
      AuthLDAPUrl "ldap://server:389/query_string_comes_here"
      AuthLDAPBindDN "cn=bind_string_comes_here"
      AuthLDAPBindPassword "pass_for_ldap"
      AuthLDAPGroupAttribute member
      require ldap-group member_of_specific_group
      AuthzLDAPAuthoritative off
      # LDAP will identify
      AuthBasicProvider ldap
      # Control svn access
      AuthzSVNAccessFile "C:\repos\svnaccessfile"
    </Location>
    ...

Edit Svn access file
I define two groups. The first is allowed to read /branches/hideme; that group contains me and the great general oda.nabunaga :)
The second group is allowed to write to /branches/hideme, and only I can do that.
Other users will not be able to open /branches/hideme at all.
[groups] declares the groups:

    [groups]
    readonly = uwarov,oda.nabunaga
    readwrite = uwarov

Here I allow everything to everyone:

    [yourrepo:/]
    * = rw

But here I restrict permissions:

    [yourrepo:/branches/hideme]
    @readwrite = rw
    @readonly = r
    * =

All together, my svnaccessfile looks like:

    [groups]
    readonly = uwarov,oda.nabunaga
    readwrite = uwarov

    [yourrepo:/]
    * = rw

    [yourrepo:/branches/hideme]
    @readwrite = rw
    @readonly = r
    * =

1. Adding the AuthzSVNAccessFile "C:\repos\svnaccessfile" line requires a restart of Apache to take effect. Edits to svnaccessfile made after that take effect immediately.
2. Be very careful when restricting sub-paths: if you restrict /trunk/my/deep/sub/path, NOBODY without read permission will be able to branch, etc… That is quite problematic in a big enterprise.
3. You can always take back permissions for a subdirectory by using the form "@group =" with nothing after the equals sign. It reads: members of @group are not allowed here.