I’m having some problems setting up access to my Subversion repositories on a Linux server.
The problem is that I can only seem to get an all-or-nothing structure going. Either everyone gets read access to everything or no one gets read or write access to anything.
The setup:
SVN repos are located in /www/svn/repoA,repoB,repoC…
Repositories are served by Apache, with Locations defined in etc/httpd/conf.d/subversion.conf as:
    <Location /svn/repoA>
        DAV svn
        SVNPath /var/www/svn/repoA
        AuthType Basic
        AuthName "svn repo"
        AuthUserFile /var/www/svn/svn-auth.conf
        AuthzSVNAccessFile /var/www/svn/svn-access.conf
        Require valid-user
    </Location>

    <Location /svn/repoB>
        DAV svn
        SVNPath /var/www/svn/repoB
        AuthType Basic
        AuthName "svn repo"
        AuthUserFile /var/www/svn/svn-auth.conf
        AuthzSVNAccessFile /var/www/svn/svn-access.conf
        Require valid-user
    </Location>
    ...
svn-access.conf is set up as:

    [/]
    * =

    [/repoA]
    * =
    userA = rw

    [/repoB]
    * =
    userB = rw
But checking out URL/svn/repoA as userA results in Access Forbidden.
Changing it to

    [/]
    * =
    userA = r

    [/repoA]
    * =
    userA = rw

    [/repoB]
    * =
    userB = rw
gives userA read access to ALL repositories (including repoB) but only read access to repoA!
So in order for userA to get read-write access to repoB I need to add

    [/]
    userA = rw
which is mental.
I also tried changing

    Require valid-user

to

    Require user userA

for repoA in subversion.conf, but that only gave me read access to it.
I need a way to default deny everyone access to every repository, giving read/write access only when explicitly defined.
Can anyone tell me what I’m doing wrong here? I have spent a couple of hours testing and googling but come up empty, so now I’m doing the post of shame.
EDIT
I went with Shane’s first solution and ended up with the following working config:
/etc/httpd/conf.d/subversion.conf:

    <Location /svn>
        DAV svn
        SVNParentPath /var/www/svn
        AuthType Basic
        AuthName "Subversion repo"
        AuthUserFile /var/svn-auth.conf
        Require valid-user
    </Location>
/var/svn-access.conf:

    [/]
    * =

    [repoA:/]
    * =
    userA = rw

    [repoB:/]
    * =
    userB = rw
The common theme in the problems that you’re having is that your [/repoA] and [/repoB] sections are doing nothing whatsoever, right? There’s a reason for that.
The paths you’re authorizing are not relative to the location of the authz access file; they’re relative to the SVN repository that it’s handling access control for.
So, your [/] section? It grants access to both /svn/repoA/ and /svn/repoB/; it does not grant access to /svn/. Similarly, your [/repoA] section grants access to /svn/repoA/repoA and /svn/repoB/repoA; a rule for [/trunk] will grant access to both /svn/repoA/trunk and /svn/repoB/trunk.
You’ve set SVNPath directives for each of your repositories, but you’re pointing to the same authorization files for each – so each repository has identical access rules. There’s a syntax for setting different authorization for different repositories, but that’s for when you’re using SVNParentPath.
So, two options:

- Switch to using

    SVNParentPath /var/www/svn

  instead of hard-defining each repo in your Apache config, and change your authz file to have repo-targeted permissions:

    [/]
    * =
    userA = r

    [repoA:/]
    * =
    userA = rw

    [repoB:/]
    * =
    userB = rw

- Use different authz files for each repository, keeping in mind that the paths that access is being granted for are relative to the root of the repository.
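To make the point above concrete, here is an added example (not part of the original question or answer) that models how mod_authz_svn resolves an authz file: walk from the requested path up to /, at each level consult the repo-specific [repo:path] section before the generic [path] section, and let a user-specific rule beat * within a section, with default deny when nothing matches. The model is deliberately simplified and assumes only plain usernames and * (no groups, aliases or $authenticated); the two authz texts are constructed from the question and the answer.

```python
from configparser import ConfigParser

# Constructed: the asker's original shared authz file (used with SVNPath).
SHARED_AUTHZ = """\
[/]
* =
[/repoA]
* =
userA = rw
[/repoB]
* =
userB = rw
"""

# Constructed: the repo-targeted authz file suggested for SVNParentPath.
PER_REPO_AUTHZ = """\
[/]
* =
[repoA:/]
* =
userA = rw
[repoB:/]
* =
userB = rw
"""

def parse_authz(text):
    """Return {section_name: {principal: perms}} for an authz file."""
    cp = ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str  # usernames are case-sensitive; do not lowercase keys
    cp.read_string(text)
    return {s: {k: (v or "") for k, v in cp.items(s)} for s in cp.sections()}

def access(rules, user, repo, path):
    """Effective permission ('', 'r' or 'rw') for user on repo:path.
    Most specific path wins; [repo:path] beats [path]; user beats *."""
    path = "/" + path.strip("/")
    levels = []
    while True:
        levels.append(path)
        if path == "/":
            break
        path = path.rsplit("/", 1)[0] or "/"
    for p in levels:  # deepest path first
        for name in (f"{repo}:{p}", p):
            sec = rules.get(name)
            if sec is None:
                continue
            if user in sec:
                return sec[user].strip()
            if "*" in sec:
                return sec["*"].strip()
    return ""  # no applicable rule: default deny
```

On a server with Subversion 1.8 or later the authoritative check is `svnauthz accessof --username userA --repository repoA --path / /path/to/authz`, which reads the real file with the real rule engine.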