Author: dsahlberg
Date: Fri Jul 14 14:49:23 2023
New Revision: 1911008
URL: http://svn.apache.org/viewvc?rev=1911008&view=rev
Log:
In site/staging:
Copy another blog article from blogs.collab.net following the previously given
permission.
* blog/2007-03-27-authz-and-anon-authn-agony.html:
New file
* blog/index.html
(#blog-20070327): New section linking to the file above
Several sections: Fix end-of-div comment pointing to the wrong #anchor
Added:
subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html
(with props)
Modified:
subversion/site/staging/blog/index.html
Added: subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html
URL:
http://svn.apache.org/viewvc/subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html?rev=1911008&view=auto
==============================================================================
--- subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html
(added)
+++ subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html Fri
Jul 14 14:49:23 2023
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<meta http-equiv="x-ua-compatible" content="ie=edge">
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
+<title>Authz and Anon Authn Agony</title>
+<meta name="description" content="Access control configuration with mixed
authenticated and anonymous users">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<link rel="manifest" href="/site.webmanifest">
+<link rel="apple-touch-icon" href="/icon.png">
+<link rel="icon" type="image/png" href="/icon.png">
+<link rel="stylesheet" href="/style/site.css" type="text/css" media="all">
+<meta name="theme-color" content="#98b0d4">
+</head>
+
+<body>
+<!--#include virtual="/site-banner.html" -->
+<!--#include virtual="/site-nav.html" -->
+<div id="site-content">
+<!--#include virtual="/site-notice.html" -->
+<!-- **************** BEGIN CONTENT ***************** -->
+
+<h1>Authz and Anon Authn Agony</h1>
+<div>
+<p>This article is mirrored with permission from the original location
http://blogs.collab.net/subversion/authz_and_anon_. Inactive links have been
removed or updated.</p>
+
+<p><strong>Author:</strong> C. Michael Pilato</p>
+<p><strong>Posted:</strong> 2007-03-22</p>
+
+<p>A recent first-time attempt at using Subversion’s path-based
authorization module turned out to be less trivial than I’d planned
because I was trying to use it with a repository that allowed anonymous read
access. Things went well at first â I did some copying and pasting of sample
<tt>httpd.conf</tt> directives and authz file contents from <a
href="http://www.svnbook.com/">Version Control with Subversion</a>, tweaking as
necessary to suit my needs. In a short time, I had what I thought was the
perfect setup. I was wrong.</p>
+<p>Say, like me, you wish to configure a repository such that it permits
anonymous reads to most of it, authenticated reads to the rest of it, and
authenticated writes to the whole thing. You already have an Apache htpasswd
file with your writers’ usernames and password hashes, and you’ve
configured Apache to use that htpasswd file for authentication, and an authz
file for authorization. You then make the obvious additions to your authz
file:</p>
+<blockquote>
+<pre>[groups]
+writers = someuser1, someuser2, â¦
+
+[repository:/]
+* = r
+@writers = rw
+
+[repository:/trunk/private-area]
+* =
+@writers = rw</pre>
+</blockquote>
+<p>There’s a group with your writers’ usernames. There’s a
rule which grants anonymous read to the world, and write access to just the
writers. And there’s an override rule which removes read access from
unauthenticated users in the repository’s private area. Looks great.</p>
+<p>Then you start testing.</p>
+<p>Upon checking out your repository’s <tt>/trunk</tt> directory,
anonymous users get what you’d expect â the tree, minus the
<tt>/trunk/private-area</tt> directory.</p>
+<p>But what about your authenticated would-be writers? Ah, therein lies the
rub! There <em>are no</em> authenticated users. Since anonymous users can
checkout the tree, Apache never bothers to query you for authentication
credentials. And you can’t force Subversion to transmit authentication
credentials when Apache hasn’t asked for them.</p>
+<p>So what’s the workaround?</p>
+<p>First, you could disable anonymous access altogether, and force non-writers
to share a username like “anonymous” and a publicized password. In
your authz rules, the user “anonymous” would have only read
permission, and only on the public portion of the repository. This works fine,
but at some discomfort to non-writers. They now have to supply a password
which, though not secret, might still be non-obvious and/or unknown to them.</p>
+<p>Secondly, you could just leave things the way they are, and force writers
to checkout just the private area of the repository separately. They
won’t have the luxury of both the public and private areas being
connected inside a single working copy, but that might be okay.</p>
+<p>Thirdly, you could keep the private stuff in its own repository. For
writers, this is very similar to the second workaround. But your writers
won’t be able to make a private thing public without breaking the history
across repositories.</p>
+<p>Finally, you could setup a second <tt><Location></tt> block in your
<tt>httpd.conf</tt> file which points to the same repository but with a
slightly different URL (for example, with “-no-anon” appended to
it). In this block, disallow anonymous access. Then add a matching redundant
entry in your authz file, too:</p>
+<blockquote>
+<pre>[repository-no-anon:/]
+* =
+@writers = rw</pre>
+</blockquote>
+<p>Now, anonymous non-writers can checkout from the original repository URL
without prompting, and won’t see the private area. Non-anonymous writers
can checkout from the alternate repository URL with prompting, and will see the
private area. (Thanks to Max Bowsher for this great hybrid workaround
idea.)</p>
+
+</div>
+
+<div class="h2" id="about-the-author">
+<h2>About the author
+<a class="sectionlink" href="#about-the-author"
+ title="Link to this section">¶</a>
+</h2>
+<p>C. Michael Pilato is a core Subversion developer, co-author of Version
Control With Subversion (O'Reilly Media), and the primary maintainer of ViewVC.
He works remotely from his home state of North Carolina as a software engineer
for CollabNet, and has been an active open source developer since early 2001.
Mike is a proud husband and father who loves traveling, soccer, spending
quality time with his family, and any combination of those things. He also
enjoys composing and performing music, and harbors not-so-secret fantasies of
rock stardom. Mike has a degree in computer science and mathematics from the
University of North Carolina at Charlotte.</p>
+</div>
+
+<!-- ***************** END CONTENT ****************** -->
+</div> <!-- #site-content -->
+</body>
+</html>
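Review bot: In the paragraph beginning "Finally, you could setup a second", the markup <tt><Location></tt> leaves the angle brackets unescaped, so a browser will parse <Location> as an unknown element and the directive name will not be displayed; write it as &lt;Location&gt;. Separately, the characters "â" (first paragraph and the anonymous-checkout paragraph) and "â¦" (the "writers =" line of the authz sample) look like a mis-decoded dash and ellipsis, while the rest of the file uses entities such as &rsquo; and &ldquo;; replacing them with &mdash; and &hellip; would be consistent with that. Finally, the file name uses 2007-03-27 but the article body says "Posted: 2007-03-22"; please confirm which date is intended and make the two agree.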
Propchange:
subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
subversion/site/staging/blog/2007-03-27-authz-and-anon-authn-agony.html
------------------------------------------------------------------------------
svn:mime-type = text/html
Modified: subversion/site/staging/blog/index.html
URL:
http://svn.apache.org/viewvc/subversion/site/staging/blog/index.html?rev=1911008&r1=1911007&r2=1911008&view=diff
==============================================================================
--- subversion/site/staging/blog/index.html (original)
+++ subversion/site/staging/blog/index.html Fri Jul 14 14:49:23 2023
@@ -130,7 +130,20 @@
<code>svn:mergeinfo</code>. <a
href="2007-06-13-merge_auditing.html">Continue reading</a></p>
-</div> <!-- blog-20080506 -->
+</div> <!-- blog-20070613 -->
+
+<div class="h2" id="blog-20070327">
+<h2>2007-06-13 — Merge auditing
+ <a class="sectionlink" href="#blog-20070327"
+ title="Link to this section">¶</a>
+</h2>
+
+<p>C. Michael Pilato reveals a trick to expose a repository root to anonymous
+ users while restricting access to a specific subdirectory to authenticated
+ users. <a
+ href="2007-03-27-authz-and-anon-authn-agony.html">Continue reading</a></p>
+
+</div> <!-- blog-20070327 -->
<div class="h2" id="blog-20060910">
<h2>2006-09-10 — Enhancing Subversion
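Review bot: The <h2> inside the new blog-20070327 section still reads "2007-06-13 &mdash; Merge auditing", which is the heading of the section just above it. It should carry this article's own date and its title, "Authz and Anon Authn Agony", so that the heading agrees with the section id, the summary paragraph and the linked file 2007-03-27-authz-and-anon-authn-agony.html.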
@@ -142,7 +155,7 @@
a Subversion installation. <a
href="2006-09-10-EnhancingSubversionServer.html">Continue reading</a></p>
-</div> <!-- blog-20080506 -->
+</div> <!-- blog-20060910 -->
</div> <!-- #site-content -->
</body>