On Wed, Apr 13, 2016 at 1:56 PM, Mary Loftis <[email protected]> wrote:
> On Wednesday, April 13, 2016 at 4:44:58 PM UTC-4, RjOllos wrote:
>> On Monday, April 11, 2016 at 8:03:19 AM UTC-7, Mary Loftis wrote:
>>> I am having an issue with TRAC not adhering to the Subversion access
>>> control permissions.
>>>
>>> Platform/Authentication Info
>>> OS: Windows Server 2008 R2 Standard SP1 (64 bit)
>>> Service: CollabNet Subversion Apache 2.2.23 (win32)
>>> Service: CollabNet Subversion Client svnserver v1.7.8
>>> Client App: Tortoise SVN v1.8.11.26382 (64 bit)
>>> Authentication: Apache using SSPI
>>>
>>> ===============================
>>> In the httpd.conf file:
>>>
>>> # Among other load modules used are the following:
>>> LoadModule authn_default_module modules/mod_authn_default.so
>>> LoadModule authn_file_module modules/mod_authn_file.so
>>> LoadModule authz_default_module modules/mod_authz_default.so
>>> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
>>> LoadModule authz_host_module modules/mod_authz_host.so
>>> LoadModule authz_user_module modules/mod_authz_user.so
>>> LoadModule sspi_auth_module modules/mod_auth_sspi.so
>>> LoadModule authz_svn_module modules/mod_authz_svn.so
>>>
>>> <Location /svn/>
>>> DAV svn
>>> SVNParentPath e:/svn_repository
>>> SVNIndexXSLT /manual/style/xsl/svnindex.xsl
>>> AuthType SSPI
>>> SSPIAuth On
>>> SSPIOfferSSPI Off
>>> SSPIAuthoritative On
>>> SSPIDomain <domaincontroller>
>>> # Specify domain\userid in .svnaccess file so set SSPIOmitDomain to off.
>>> SSPIOmitDomain Off
>>> SSPIUsernameCase lower
>>> SSPIPerRequestAuth On
>>> SSPIOfferBasic On
>>> AuthName " Subversion Login (Use domain\userid format)"
>>> # Specify which users are allowed to access which svn projects
>>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>>> Require valid-user
>>> </Location>
>>>
>>> <Location /trac>
>>> SVNParentPath e:/svn_repository
>>> AuthzSVNAccessFile "E:/etc/.svnaccess"
>>>
>>> SetHandler mod_python
>>> PythonHandler trac.web.modpython_frontend
>>> PythonOption TracEnvParentDir e:\trac
>>> # Location and TracUriRoot have the same path
>>> # TracUriRoot may or may not be necessary in your setup.
>>> PythonOption TracUriRoot /trac
>>>
>>> AuthType SSPI
>>> SSPIAuth On
>>> SSPIOfferSSPI Off
>>> SSPIAuthoritative On
>>> SSPIDomain <domaincontroller>
>>> SSPIOmitDomain Off
>>> SSPIUsernameCase lower
>>> SSPIPerRequestAuth On
>>> SSPIOfferBasic On
>>> AuthName "TRAC Login (Use domain\userid format)"
>>> Require valid-user
>>> </Location>
>>>
>>> <Location /trac/login>
>>> AuthType SSPI
>>> AuthName "Trac Login"
>>> SSPIAuth On
>>> SSPIAuthoritative On
>>> SSPIDomain MyLocalDomain
>>> SSPIOfferBasic On
>>> SSPIOmitDomain Off
>>> SSPIBasicPreferred On
>>> Require valid-user
>>> </Location>
>>>
>>> #Include e:/etc/subversion.conf
>>>
>>> ===============================
>>> In the e:/etc/subversion.conf file:
>>>
>>> <Location /ARES>
>>> DAV svn
>>> SVNPath E:/svn_repository/ARES
>>> AuthType Basic
>>> AuthName "Subversion ARES repository"
>>> Require valid-user
>>> ErrorDocument 404 default
>>> </Location>
>>>
>>> Svn repo for which a TRAC project has been created is E:\svn_repository\ARES.
>>>
>>> On the server, E:\svn_repository\ARES contains the following folders:
>>> Conf
>>> Dav
>>> Db
>>> Hooks
>>> Locks
>>>
>>> And the following files:
>>>
>>> Format
>>> Readme.txt
>>>
>>> ===============================
>>>
>>> In the svn access control file, e:\etc\.svnaccess, is:
>>>
>>> # Groups are defined.
>>> [groups]
>>> admin = domain\beth, domain\eric
>>> ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
>>>
>>> # Access to the top-level / directory is only for the admin group.
>>> [/]
>>> @admin = rw
>>>
>>> # Access to the ARES folder is forbidden for all.
>>> [ARES:/]
>>> * =
>>>
>>> # Access to subfolders under the ARES area is allowed.
>>> [ARES:/ComponentLibrary]
>>> @ARES_team = rw
>>>
>>> ===============================
>>>
>>> Access to the repositories works as it should for all users when using
>>> TortoiseSVN. Only admins have access to the slash repo. No one can access
>>> the ARES repo. Members of the ARES_team can access the
>>> ARES/ComponentLibrary repo.
>>>
>>> We want a TRAC project which points to the ARES/ComponentLibrary area.
>>> The following TRAC project is set up associated with the svn repo:
>>>
>>> [components]
>>> tracopt.versioncontrol.svn.* = enabled
>>> tracstats.* = enabled
>>> trac.versioncontrol.api.repositorymanager = enabled
>>> trac.versioncontrol.svn_authz.svnauthzoptions = enabled
>>>
>>> # This is an optional 'project root'
>>> [stats]
>>> root = e:\svn_repository\ARES\ComponentLibrary
>>>
>>> [repositories]
>>> #
>>> # It should be noted that the path below doesn’t actually exist.
>>> # There is no ComponentLibrary subfolder on the server, but it is
>>> # accessible from the TortoiseSVN repo browser at
>>> # https://<myserver>/ARES/ComponentLibrary.
>>> #
>>> ARES_ComponentLibrary.dir = e:\svn_repository\ARES\ComponentLibrary
>>> ARES_ComponentLibrary.description = This is the 'ARES Component Library' project repository.
>>> ARES_ComponentLibrary.type = svn
>>> ARES_ComponentLibrary.url = https://<myserver>/svn/ARES/ComponentLibrary
>>> ARES_ComponentLibrary.hidden = true
>>> tsvn = tsvn: Interact with TortoiseSvn
>>>
>>> [trac]
>>> authz_file = E:\etc\.svnaccess
>>> authz_module_name = ARES
>>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
>>> permission_store = DefaultPermissionStore
>>> #
>>> # It should be noted that the path below doesn’t actually exist.
>>> # There is no ComponentLibrary subfolder on the server, but it is
>>> # accessible from the TortoiseSVN repo browser at
>>> # https://<myserver>/ARES/ComponentLibrary.
>>> #
>>> repository_dir = e:\svn_repository\ARES\ComponentLibrary
>>> repository_sync_per_request = (default)
>>> repository_type = svn
>>>
>>> TRAC does not seem to follow the svn access controls. Users can only
>>> access the TRAC repository associated with ARES/ComponentLibrary if their
>>> userids are in the admin group. In this case, greg and joseph cannot access
>>> the ARES/ComponentLibrary TRAC project, even though they are in the
>>> ARES_team group which is allowed to access it. (They can access it fine
>>> through TortoiseSVN.)
>>>
>>> If I add greg and joseph to the admin group, then they can access the
>>> TRAC ARES/ComponentLibrary project. This is not how the authorization
>>> should work. The behavior should be the same that subversion uses.
>>>
>>> Am I missing a setting or have a setting wrong? Thanks in advance.
>>
>> If you enable logging you should get some messages about users being
>> granted or denied access:
>> https://trac.edgewall.org/wiki/TracFineGrainedPermissions#Debuggingpermissions
>>
>> There might be an inconsistency in the order of rule matching, similar to
>> the issue discussed here:
>> https://trac.edgewall.org/ticket/11744
>>
>> - Ryan
>
> I did see that post earlier and already incorporated the changes to
> svn_authz.py. It did not help.
>
> -Beth

I don't think your issue is the same, I just said it was similar in nature. We'll need to see the logging to understand what rules are being matched in granting/denying permissions.
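
The point about the order of rule matching, as an added example that is not part of the thread and is neither Trac's nor Subversion's code: a small evaluator run over the access file from the original post, once in Subversion's order (deepest matching path first, repository-specific section before the global one) and once in a hypothetical first-match-in-file-order mode. The path `/ComponentLibrary/lib.c` is constructed, and treating a section as granting read when any matching line grants it is a simplifying assumption.

```python
import configparser

# Access file from the original post (inline copy used as sample input).
AUTHZ = r"""
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
[/]
@admin = rw
[ARES:/]
* =
[ARES:/ComponentLibrary]
@ARES_team = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp["groups"].items()}
    return groups, [(s, dict(cp[s])) for s in cp.sections() if s != "groups"]

def applies(section, module, path):
    """True if `section` covers `path` in repository `module`."""
    repo, _, spath = section.rpartition(":")  # empty repo = any repository
    base = spath.rstrip("/")
    return repo in ("", module) and (path == base or path.startswith(base + "/"))

def section_read(user, entries, groups):
    """Read verdict of one section, or None when no line names the user."""
    hits = [acc for who, acc in entries.items() if who in ("*", user)
            or (who.startswith("@") and user in groups.get(who[1:], ()))]
    return any("r" in acc for acc in hits) if hits else None

def can_read(user, module, path, file_order=False):
    groups, rules = load(AUTHZ)
    cands = [r for r in rules if applies(r[0], module, path)]
    if not file_order:
        # Subversion order: deepest path first, repo-specific before global.
        cands.sort(key=lambda r: (len(r[0].rpartition(":")[2].rstrip("/")),
                                  ":" in r[0]), reverse=True)
    for _, entries in cands:  # hypothetical mode: sections as written in the file
        verdict = section_read(user, entries, groups)
        if verdict is not None:
            return verdict
    return False  # no section named the user: deny

if __name__ == "__main__":
    for user in (r"domain\greg", r"domain\beth"):
        for order in (False, True):
            print(user, "file_order" if order else "svn_order",
                  can_read(user, "ARES", "/ComponentLibrary/lib.c", order))
```

Comparing these verdicts with the granted/denied lines in Trac's debug log shows which section actually decided each request; the thread does not establish which order Trac used here.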
