Hi Graham,

Thanks, this has made things much clearer. I will try and apply this at
work tomorrow (well, later today..)

I think you are right about me confusing some of the concepts, but it
seems to make sense now!

Andy: It seems you were more on track than I was with this!

Cheers

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]
On Behalf Of Graham Dumpleton
Sent: 04 December 2007 02:17
To: Trac Users
Subject: [Trac] Re: TRAC SVNPath oddness


On Dec 4, 12:14 pm, "Savvas, Panayotis"
<[EMAIL PROTECTED]> wrote:
> > The presence of AuthzSVNAccessFile is likely enough to trigger 
> > Subversion Apache authorisation handler for all URLs
>
> So what would be the best way to do this. i.e. have a single reference
> to the svn access file for all. Or should I not be using the svn
> access list for apache sites (such as trac in this instance) and use a
> more generic non-svn access method with apache?
> This would mean that I would have to have separate svn and apache
> permissions logic, which seems counter intuitive as I need exactly the
> same permissions for each svn and trac instance pair.
>
> > But are you wanting to also expose Subversion repository through 
> > Apache so you can do checkouts over the network?
>
> Indeed that is right. This is why I need svn and apache permissions, 
> and why I was trying to find a unified way. I am not sure what the 
> best practice is as this is the first time I am using apache/svn/trac.

I'm not sure you understand some things about how Apache works. In
Apache it determines whether a user can use the site, or parts of it, by
doing three checks. These are for access, authentication and
authorization.

The 'access' checks generally relate to what client hosts can access a
site and isn't relevant to this discussion.

The next thing it does is 'user authentication'. This is where it is
determined whether a user has an account and whether the supplied
password matches what is held for that user. It would appear you want to
use SSPI across the whole site for this.

The final thing is 'user authorisation'. Thus, although a user may have
been authenticated, it doesn't mean that they automatically have access
to the whole site as different parts of the sites may enforce different
restrictions.

As far as authorisation for Subversion repository access, this is
controlled by file specified by AuthzSVNAccessFile. Because it only
applies to Subversion repository access, it should only be defined for
URL subset which maps to Subversion repository.

Although Trac also performs authorisation, it is done within Trac and
not at Apache level of configuration. So as to match up authorisation
for Subversion repository access via Trac source browser, Trac can be
configured to point at the same file as was pointed at by
AuthzSVNAccessFile. This has to be done in Trac ini file.

End result is you would have with VirtualHost or at root of server
configuration:

  # Enable SSPI for site wide user authentication.
  AuthType SSPI
  AuthName "TestProject"
  SSPIAuth On
  SSPIAuthoritative On
  SSPIDomain groupinfra.com
  SSPIOfferBasic On
  #SSPIOmitDomain on  //**this makes things a lot easier**
  #SSPIUsernameCase lower
  SSPIBasicPreferred On
  SSPIOfferSSPI off

  # Require that at least have authenticated user.
  Require valid-user

  # Where further authorisation regimes, must be applied additively.
  Satisfy All

  <Location /svn>
  DAV svn
  #SVNListParentPath on
  SVNPath C:\Projects\svn\TestProject
  #SVNParentPath C:\Projects\svn

  # Enable Subversion authorisation for just Subversion URL subset.
  AuthzSVNAccessFile "C:\Program Files\Apache Group\Apache2\svnaccessfile.txt"
  </Location>

  <Location /tracs>
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv C:\Projects\trac\TestProject
   PythonOption TracUriRoot /tracs

  # NO authorisation done at Apache level as Trac does it internally.
  </Location>

Finally, in trac.ini, you need to have:

  authz_file = C:/Program Files/Apache Group/Apache2/svnaccessfile.txt

You currently don't have this authz_file option in trac ini file.

Having outlined what you need, suggest you go back and study Trac
documentation and see what it says about authz_file as there may be
other things related to that which need to be set.

Graham

> Thanks again.
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]
>
> On Behalf Of Graham Dumpleton
> Sent: 04 December 2007 01:04
> To: Trac Users
> Subject: [Trac] Re: TRAC SVNPath oddness
>
> On Dec 4, 10:55 am, "Panos Savvas" <[EMAIL PROTECTED]>
> wrote:
> > Hi Graham,
>
> > Thanks for the advice. I will try this out tomorrow.
>
> > > Its presence in the root context is possibly what is causing the
> > > problem.
>
> > I suppose this is typical of trying to configure 3 new technologies 
> > (new to
> > me) at once.
> > I assumed that referencing the AuthzSVNAccessFile in the root 
> > context would mean that it is inherited by all other contexts.
> > This seems to be supported in that the authorisation works in all 
> > other contexts. Is this a flawed assumption however?
>
> The presence of AuthzSVNAccessFile is likely enough to trigger
> Subversion Apache authorisation handler for all URLs, but that handler
> is then expecting SVNPath to have also been defined in the same
> context, which it isn't. Thus possibly why you are getting an error.
> If this is the case, accessing stuff outside of /trac would also
> result in the same error.
>
> > I am going to have several projects/trac environments eventually and
> > am trying to have a single configuration for authorisation, i.e path
> > based permissions.
>
> But are you wanting to also expose Subversion repository through 
> Apache so you can do checkouts over the network? If not, you don't 
> need the SVNPath stuff nor the Subversion authorisation checks.
>
> Graham
>
> > However currently my svn access file only has one generic entry.
> > Could this be the problem? Would have the svn access file formatted
> > with paths potentially make this strategy succeed? I will experiment
> > at work tomorrow and let you know how I am doing. Meanwhile any more
> > advice is appreciated :)
>
> > Thanks again.
>
> > Panos
>
> > On Dec 3, 2007 9:58 PM, Graham Dumpleton <[EMAIL PROTECTED]> wrote:
>
> > > On Dec 1, 1:27 am, Panos <[EMAIL PROTECTED]> wrote:
> > > > Hi everyone,
>
> > > > I am new to trac/svn/apache but have configured a basic setup of
> > > > the free and am very impressed.
> > > > I have one question at the moment which is confusing me:
>
> > > > I have had to add the SVNPATH to my "trac" location in
> > > > httpd.conf, which seems strange. If not the error log complains
> > > > that it is missing. Does this mean anything to you? It took me a
> > > > while to figure this out as I have not seen this mentioned
> > > > anywhere online.
>
> > > > However it does fix it.
>
> > > Why do you have:
>
> > >    AuthzSVNAccessFile "C:\Program Files\Apache Group\Apache2\svnaccessfile.txt"
>
> > > defined at '/' context and not '/TestProject'?
>
> > > Its presence in the root context is possibly what is causing the 
> > > problem.
>
> > > Graham
>
> > > > Please see excerpts from httpd.conf and trac.ini below
>
> > > > Versions:
> > > > trac 0.10.4
> > > > apache 2.0.6x
> > > > svn 1.45
>
> > > > files:
> > > > ########### TRAC.INI ##############
> > > > [trac]
> > > > authz_file =
> > > > authz_module_name =
> > > > base_url =
> > > > check_auth_ip = true
> > > > database = sqlite:db/trac.db
> > > > default_charset = iso-8859-15
> > > > default_handler = WikiModule
> > > > htdocs_location =
> > > > ignore_auth_case = false
> > > > mainnav = wiki,timeline,roadmap,browser,tickets,newticket,search
> > > > metanav = login,logout,settings,help,about
> > > > permission_store = DefaultPermissionStore
> > > > repository_dir = c:\Projects\svn\TestProject
> > > > repository_type = svn
>
> > > > ########### httpd.conf ##############
> > > > <Location />
> > > >   AuthType SSPI
> > > >   AuthName "TestProject"
> > > >   SSPIAuth On
> > > >   SSPIAuthoritative On
> > > >   SSPIDomain groupinfra.com
> > > >   SSPIOfferBasic On
> > > >   #SSPIOmitDomain on  //**this makes things a lot easier**
> > > >   #SSPIUsernameCase lower
> > > >   SSPIBasicPreferred On
> > > >   SSPIOfferSSPI off
> > > >   AuthzSVNAccessFile "C:\Program Files\Apache Group\Apache2\svnaccessfile.txt"
> > > >   Require valid-user
> > > > </Location>
> > > > #SVN
> > > > <Location /TestProject>
> > > >   DAV svn
> > > >   #SVNListParentPath on
> > > >   SVNPath C:\Projects\svn\TestProject
> > > >   #SVNParentPath C:\Projects\svn
> > > > </Location>
>
> > > > #TRAC
> > > > <Location /tracs> # the top level url that hosts multiple projects
> > > >    SetHandler mod_python
> > > >    PythonHandler trac.web.modpython_frontend
> > > >    PythonOption TracEnv C:\Projects\trac\TestProject
> > > >    PythonOption TracUriRoot /tracs
> > > >    SVNPath C:\Projects\svn\TestProject
> > > > </Location>
>
> > > > If I remove the SVNPath from the /tracs location the following
> > > > occurs in the error.log when I try to navigate to the trac
> > > > website:
>
> > > > [Fri Nov 30 14:13:40 2007] [error] [client 127.0.0.1] The server is misconfigured: either an SVNPath or SVNParentPath directive is required to specify the location of this resource's repository. [500, #190000]
>
> > > > It seems to be working, however it makes not much sense, and I 
> > > > am worried it will cause issues later
>
> > > > Thanks
>
> > > > Panos
>
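
Added example, not part of the original thread and not Trac or Apache code: a small Python check for the two points in Graham's reply, that AuthzSVNAccessFile belongs in the same context as SVNPath/SVNParentPath, and that authz_file in trac.ini should name the same file. The sample configs are constructed from the ones quoted in the thread; the parser is an assumption-laden simplification that only understands <Location> blocks and does not model Apache's configuration merging.

```python
import configparser
import re

# Constructed inputs modelled on the "before" and "after" configs in this thread.
BEFORE = r'''<Location />
  AuthzSVNAccessFile "C:\Program Files\Apache Group\Apache2\svnaccessfile.txt"
  Require valid-user
</Location>
<Location /tracs>
  SetHandler mod_python
</Location>'''
AFTER = r'''Require valid-user
<Location /svn>
  DAV svn
  SVNPath C:\Projects\svn\TestProject
  AuthzSVNAccessFile "C:\Program Files\Apache Group\Apache2\svnaccessfile.txt"
</Location>'''
TRAC_INI = "[trac]\nauthz_file = C:/Program Files/Apache Group/Apache2/svnaccessfile.txt\n"

def parse_contexts(conf):
    """Map each context ('server' or a <Location> path) to {directive: argument}."""
    contexts, current = {"server": {}}, "server"
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if opened:
            current = opened.group(1)
            contexts.setdefault(current, {})
        elif line.lower() == "</location>":
            current = "server"
        else:
            name, _, arg = line.partition(" ")
            contexts[current][name.lower()] = arg.strip().strip('"')
    return contexts

def misplaced_authz(conf):
    """Contexts setting AuthzSVNAccessFile with no SVNPath/SVNParentPath beside it."""
    return [ctx for ctx, d in parse_contexts(conf).items()
            if "authzsvnaccessfile" in d and not d.keys() & {"svnpath", "svnparentpath"}]

def trac_uses_same_file(conf, trac_ini):
    """True if trac.ini authz_file names the file Apache's AuthzSVNAccessFile does."""
    norm = lambda p: p.replace("\\", "/").lower()  # Windows paths: slash and case insensitive
    apache = {norm(d["authzsvnaccessfile"]) for d in parse_contexts(conf).values()
              if "authzsvnaccessfile" in d}
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(trac_ini)
    return norm(ini.get("trac", "authz_file", fallback="")) in apache
```

An empty `authz_file =` line, as in the trac.ini posted at the start of the thread, makes `trac_uses_same_file` return False, which is the state where Trac's source browser does not apply the Subversion path permissions.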