I tried changing the [repositories] section to remove the ARES_ComponentLibrary prefix. Same error.
When I am not a member of the admin group and therefore do not have read access to the slash (/) directory, this is the error in the error.log file. (I replaced server and ip addresses with <my_server> and <my_ip>.)

[Thu Apr 14 08:40:38 2016] [info] Subsequent (No.2) HTTPS request received for child 245 (server <myserver.com>:443)
[Thu Apr 14 08:40:38 2016] [debug] mod_authz_svn.c(195): [client <my_ip>] Path to authz file is E:/etc/.svnaccess, referer: https://<myserver.com>/trac/
[Thu Apr 14 08:40:38 2016] [error] [client <my_ip>] Access denied: 'utcaus\\loftism' GET ARES_ComponentLibrary:/, referer: https://<myserver.com>/trac/
[Thu Apr 14 08:40:43 2016] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#b870e0 [mem: 10dc55b]
[Thu Apr 14 08:40:43 2016] [info] [client <my_ip>] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.
[Thu Apr 14 08:40:43 2016] [debug] ssl_engine_kernel.c(1910): OpenSSL: Write: SSL negotiation finished successfully
[Thu Apr 14 08:40:43 2016] [info] [client <my_ip>] Connection closed to child 245 with standard shutdown (server <myserver.com>:443)

When I am a member of the admin group and have read access to the slash (/) directory, this is what I see in the error.log file - a successful connection:

[Thu Apr 14 08:43:48 2016] [debug] mod_authz_svn.c(195): [client <my_ip>] Path to authz file is E:/etc/.svnaccess, referer: https://<myserver.com>/trac/ARES_ComponentLibrary
[Thu Apr 14 08:43:48 2016] [info] [client <my_ip>] Access granted: 'utcaus\\loftism' GET ARES_ComponentLibrary:/chrome/common/extlink.gif, referer: https://<myserver.com>/trac/ARES_ComponentLibrary
[Thu Apr 14 08:43:48 2016] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#b870e0 [mem: cbcf3e3]
[Thu Apr 14 08:43:48 2016] [info] [client <my_ip>] (70014)End of file found: SSL input filter read failed.
[Thu Apr 14 08:43:48 2016] [debug] ssl_engine_kernel.c(1910): OpenSSL: Write: SSL negotiation finished successfully
[Thu Apr 14 08:43:48 2016] [info] [client <my_ip>] Connection closed to child 249 with standard shutdown (server <myserver.com>:443)

I am going to attempt to create a top-level svn repo (call it ACompLib) and have it contain a subversion external to the ARES\ComponentLibrary area. I will set the permission on ACompLib to use the same access control group used at the ARES\ComponentLibrary. I will then create a TRAC project called ACompLib which points to the svn repo ACompLib. I'm hoping that by having the TRAC project point to a top-level svn repo, and having that svn repo have the same permissions as the lower-level directory in the other subversion repo with a subversion external to it, that TRAC will use the correct permissions.

On Monday, April 11, 2016 at 11:03:19 AM UTC-4, Mary Loftis wrote:
> I am having an issue with TRAC not adhering to the Subversion access control permissions.
>
> Platform/Authentication Info
> OS: Windows Server 2008 R2 Standard SP1 (64 bit)
> Service: CollabNet Subversion Apache 2.2.23 (win32)
> Service: CollabNet Subversion Client svnserver v1.7.8
> Client App: Tortoise SVN v1.8.11.26382 (64 bit)
> Authentication: Apache using SSPI
>
> ===============================
> In the httpd.conf file:
>
> # Among other load modules used are the following:
> LoadModule authn_default_module modules/mod_authn_default.so
> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authz_default_module modules/mod_authz_default.so
> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
> LoadModule authz_host_module modules/mod_authz_host.so
> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule sspi_auth_module modules/mod_auth_sspi.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
>
> <Location /svn/>
> DAV svn
> SVNParentPath e:/svn_repository
> SVNIndexXSLT /manual/style/xsl/svnindex.xsl
> AuthType SSPI
> SSPIAuth On
> SSPIOfferSSPI Off
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> # Specify domain\userid in .svnaccess file so set SSPIOmitDomain to off.
> SSPIOmitDomain Off
> SSPIUsernameCase lower
> SSPIPerRequestAuth On
> SSPIOfferBasic On
> AuthName " Subversion Login (Use domain\userid format)"
> # Specify which users are allowed to access which svn projects
> AuthzSVNAccessFile "E:/etc/.svnaccess"
> Require valid-user
> </Location>
>
> <Location /trac>
> SVNParentPath e:/svn_repository
> AuthzSVNAccessFile "E:/etc/.svnaccess"
>
> SetHandler mod_python
> PythonHandler trac.web.modpython_frontend
> PythonOption TracEnvParentDir e:\trac
> # Location and TracUriRoot have the same path
> # TracUriRoot may or may not be necessary in your setup.
> PythonOption TracUriRoot /trac
>
> AuthType SSPI
> SSPIAuth On
> SSPIOfferSSPI Off
> SSPIAuthoritative On
> SSPIDomain <domaincontroller>
> SSPIOmitDomain Off
> SSPIUsernameCase lower
> SSPIPerRequestAuth On
> SSPIOfferBasic On
> AuthName "TRAC Login (Use domain\userid format)"
> Require valid-user
> </Location>
>
> <Location /trac/login>
> AuthType SSPI
> AuthName "Trac Login"
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain MyLocalDomain
> SSPIOfferBasic On
> SSPIOmitDomain Off
> SSPIBasicPreferred On
> Require valid-user
> </Location>
>
> #Include e:/etc/subversion.conf
>
> ===============================
> In the e:/etc/subversion.conf file:
>
> <Location /ARES>
> DAV svn
> SVNPath E:/svn_repository/ARES
> AuthType Basic
> AuthName "Subversion ARES repository"
> Require valid-user
> ErrorDocument 404 default
> </Location>
>
> Svn repo for which a TRAC project has been created is E:\svn_repository\ARES.
>
> On the server, E:\svn_repository\ARES contains the following folders:
> Conf
> Dav
> Db
> Hooks
> Locks
>
> And the following files:
>
> Format
> Readme.txt
>
> ===============================
>
> In the svn access control file, e:\etc\.svnaccess, is:
>
> # Groups are defined.
> [groups]
> admin = domain\beth, domain\eric
> ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
>
> # Access to the top-level / directory is only for the admin group.
> [/]
> @admin = rw
>
> # Access to the ARES folder is forbidden for all.
> [ARES:/]
> * =
>
> # Access to subfolders under the ARES area is allowed.
> [ARES:/ComponentLibrary]
> @ARES_team = rw
>
> ===============================
>
> Access to the repositories works as it should for all users when using TortoiseSVN. Only admins have access to the slash repo. No one can access the ARES repo. Members of the ARES_team can access the ARES/ComponentLibrary repo.
>
> We want a TRAC project which points to the ARES/ComponentLibrary area. The following TRAC project is set up associated with the svn repo:
>
> [components]
> tracopt.versioncontrol.svn.* = enabled
> tracstats.* = enabled
> trac.versioncontrol.api.repositorymanager = enabled
> trac.versioncontrol.svn_authz.svnauthzoptions = enabled
>
> # This is an optional 'project root'
> [stats]
> root = e:\svn_repository\ARES\ComponentLibrary
>
> [repositories]
> #
> # It should be noted that the path below doesn’t actually exist.
> # There is no ComponentLibrary subfolder on the server, but it is
> # accessible from the TortoiseSVN repo browser at
> # https://<myserver>/ARES/ComponentLibrary.
> #
> ARES_ComponentLibrary.dir = e:\svn_repository\ARES\ComponentLibrary
> ARES_ComponentLibrary.description = This is the 'ARES Component Library' project repository.
> ARES_ComponentLibrary.type = svn
> ARES_ComponentLibrary.url = https://<myserver>/svn/ARES/ComponentLibrary
> ARES_ComponentLibrary.hidden = true
> tsvn = tsvn: Interact with TortoiseSvn
>
> [trac]
> authz_file = E:\etc\.svnaccess
> authz_module_name = ARES
> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_store = DefaultPermissionStore
> #
> # It should be noted that the path below doesn’t actually exist.
> # There is no ComponentLibrary subfolder on the server, but it is
> # accessible from the TortoiseSVN repo browser at
> # https://<myserver>/ARES/ComponentLibrary.
> #
> repository_dir = e:\svn_repository\ARES\ComponentLibrary
> repository_sync_per_request = (default)
> repository_type = svn
>
> TRAC does not seem to follow the svn access controls. Users can only access the TRAC repository associated with ARES/ComponentLibrary if their userids are in the admin group. In this case, greg and joseph cannot access the ARES/ComponentLibrary TRAC project, even though they are in the ARES_team group which is allowed to access it. (They can access it fine through TortoiseSVN.)
>
> If I add greg and joseph to the admin group, then they can access the TRAC ARES/ComponentLibrary project. This is not how the authorization should work. The behavior should be the same that subversion uses.
>
> Am I missing a setting or have a setting wrong? Thanks in advance.
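
Added example, not part of the original post and not Subversion, mod_authz_svn or Trac code: a simplified model of path-based authz lookup that evaluates the posted .svnaccess rules for the two lookup keys involved, `ARES:/ComponentLibrary` and the `ARES_ComponentLibrary:/` named in the "Access denied" log line. The helper names (`load`, `matches`, `access`) are made up for this sketch, and it assumes rights come from the nearest path that has a matching rule, combining the `[repo:path]` and `[path]` sections at that level.

```python
import configparser

# Rules from the post's e:\etc\.svnaccess, re-typed here as a string.
SVNACCESS = r"""
[groups]
admin = domain\beth, domain\eric
ARES_team = domain\beth, domain\eric, domain\greg, domain\joseph
[/]
@admin = rw
[ARES:/]
* =
[ARES:/ComponentLibrary]
@ARES_team = rw
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def matches(cp, who, user):
    if who == "*":
        return True
    if who.startswith("@"):  # group reference
        members = cp.get("groups", who[1:], fallback="")
        return user in [m.strip() for m in members.split(",")]
    return who == user

def access(cp, repo, path, user):
    """Rights ('rw', 'r' or '') from the nearest path with a matching rule."""
    path = "/" + path.strip("/")
    while True:
        granted, decided = set(), False
        for section in (f"{repo}:{path}", path):
            if cp.has_section(section):
                for who, rights in cp.items(section):
                    if matches(cp, who, user):
                        decided = True
                        granted |= set(rights.strip())
        if decided:
            return "".join(sorted(granted))
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

RULES = load(SVNACCESS)
if __name__ == "__main__":
    for repo, path in (("ARES", "/ComponentLibrary"), ("ARES_ComponentLibrary", "/")):
        for user in (r"domain\greg", r"domain\beth"):
            print(f"{user} {repo}:{path} -> {access(RULES, repo, path, user)!r}")
```

In this model a non-admin ARES_team member gets `rw` for `ARES:/ComponentLibrary` but nothing for `ARES_ComponentLibrary:/`, because no section carries that repository name and the lookup falls through to `[/]`, which only lists `@admin`.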
