I see now. The path /project/!svn makes no sense. It doesn't exist in the
repository, so that rule doesn't do anything. The !svn is a SVN-internal
concept. To assign permissions to /project, you need to have to specify:
[/project]
* = r
Do a search on the old list archives on tigris for some background. If I
remember correctly, you cannot have less than global read permissions on the
repository's root if you're on SVN 1.5 or later.
Hope this helps,
Rob
On Sat, Jan 9, 2010 at 12:09 PM, Brian Topping topp...@codehaus.org wrote:
Thanks, but that is incorrect. I have no problem downloading sources with
a single rule of [/project] *=r, nor do I have a problem correctly
resolving group memberships that a user has assigned to them. As well, I
have tested that a user who is not logged in cannot access the repository.
Arguably, this is a problem with Apache HTTPD, not SVN. I posted here
because I thought that it was more likely that someone here had approached
this problem and solved it. My apologies in advance if anyone takes issue
with that.
Cheers, Brian
On Jan 9, 2010, at 11:58 AM, Rob van Oostrum wrote:
Your problem is with Crowd, not authz. Authentication is failing: Could
not authenticate to server: rejected Basic challenge (https://dev.host.net
)
Check your Crowd configuration/documentation. I'd suggest taking SVN out of
the equation and verifying that your integration with Crowd is working
first.
Cheers,
Rob
On Sat, Jan 9, 2010 at 1:19 AM, Brian Topping topp...@codehaus.orgwrote:
Hello all,
I've been wrestling with getting authz setup in a way that must be
somewhat unconventional all week and was hoping someone here on the list
might be able to offer some insight. The environment is Apache httpd
2.2.3, mod_dav_svn 1.6.6, and Subversion 1.6.6. My configs follow.
So far, most of the docs that I've seen on authz start by granting read
access to everyone at the root of the tree, then subtracting authorizations
to specific sensitive directories. My concern with this is that this allows
people to lazily create directories without considering that they might be
granting access to any valid user.
Instead, I would like to configure path-based access to deny access to all
non-root directories, then rely on specific grants to individual directories
based on group.
I have groups working fine, but as soon as I lock down the root directory,
my svn client gets the following problem:
Username: svn: PROPFIND of '/repos/project/!svn/vcc/default':
authorization failed: Could not authenticate to server: rejected Basic
challenge (https://dev.host.net)
I understand about the metadata located at !svn. So I added:
[/project/!svn]
* = r
But this doesn't seem to do anything. I still get the first error.
Is there a way to do what I am trying to do?
I have exhaustively tested that the AuthHandler is doing asking the right
questions of the authentication broker and is able to recover the correct
user and group mappings.
Note that I am using Atlassian's Crowd-based auth. This is a fork of
standard authz to patch Crowd users and groups in, but it would be easy for
me to convert to direct LDAP if necessary.
/etc/httpd/conf.d/subversion.conf:
Location /repos
LoadModule perl_module modules/mod_perl.so
LoadModule dav_svn_module modules/mod_dav_svn.so
# Uncomment this to enable the repository
DAV svn
# Set this to the path to your repository
SVNParentPath /var/www/svn/
SSLRequireSSL
AuthName crowd
AuthType Basic
PerlAuthenHandler Apache::CrowdAuth
PerlSetVar CrowdAppName subversion
PerlSetVar CrowdAppPassword xxx
PerlSetVar CrowdSOAPURL
https://dev.host.net/crowd/services/SecurityServer
PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAuthzSVNAccessFile /var/www/svn/access
require valid-user
/Location
/var/www/svn/access
[/project/!svn]
* = r
[/project/trunk/project-web]
@project-web-developer = rw
Cheers, Brian
