I'm having some problems setting up access to my Subversion repositories on a Linux server.
The problem is that I can only seem to get an all-or-nothing structure going. Either everyone gets read access to everything or no one gets read or write access to anything.
The setup:
SVN repos are located in /www/svn/repoA,repoB,repoC…
Repositories are served by Apache, with Locations defined in etc/httpd/conf.d/subversion.conf as:
<Location /svn/repoA>
DAV svn
SVNPath /var/www/svn/repoA
AuthType Basic
AuthName "svn repo"
AuthUserFile /var/www/svn/svn-auth.conf
AuthzSVNAccessFile /var/www/svn/svn-access.conf
Require valid-user
</Location>
<Location /svn/repoB>
DAV svn
SVNPath /var/www/svn/repoB
AuthType Basic
AuthName "svn repo"
AuthUserFile /var/www/svn/svn-auth.conf
AuthzSVNAccessFile /var/www/svn/svn-access.conf
Require valid-user
</Location>
...
svn-access.conf is set up as:
[/]
* =
[/repoA]
* =
userA = rw
[/repoB]
* =
userB = rw
But checking out URL/svn/repoA as userA results in Access Forbidden.
Changing it to
[/]
* =
userA = r
[/repoA]
* =
userA = rw
[/repoB]
* =
userB = rw
gives userA read access to ALL repositories (including repoB) but only read access to repoA!
So in order for userA to get read-write access to repoB I need to add
[/]
userA = rw
which is mental.
I also tried changing
Require valid-user
to
Require user userA
for repoA in subversion.conf, but that only gave me read access to it.
I need a way to default deny everyone access to every repository, giving read/write access only when explicitly defined.
Can anyone tell me what I'm doing wrong here? I have spent a couple of hours testing and googling but come up empty, so now I'm doing the post of shame.
EDIT
I went with Shane's first solution and ended up with the following working config:
/etc/httpd/conf.d/subversion.conf:
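<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "Subversion repo"
AuthUserFile /var/svn-auth.conf
# Path-based rules; without this directive every authenticated user gets full access
AuthzSVNAccessFile /var/svn-access.conf
Require valid-user
</Location>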
/var/svn-access.conf:
[/]
* =
[repoA:/]
* =
userA = rw
[repoB:/]
* =
userB = rw
Best Answer
The common theme in the problems that you're having is that your [/repoA] and [/repoB] sections are doing nothing whatsoever, right? There's a reason for that.
The paths you're authorizing are not relative to the location of the authz access file; they're relative to the SVN repository that it's handling access control for.
So, your [/] section? It grants access to both /svn/repoA/ and /svn/repoB/; it does not grant access to /svn/. Similarly, your [/repoA] section grants access to /svn/repoA/repoA and /svn/repoB/repoA; a rule for [/trunk] will grant access to both /svn/repoA/trunk and /svn/repoB/trunk.
You've set SVNPath directives for each of your repositories, but you're pointing to the same authorization files for each - so each repository has identical access rules. There's a syntax for setting different authorization for different repositories, but that's for when you're using SVNParentPath.
So, two options:
Switch to using SVNParentPath /var/www/svn instead of hard-defining each repo in your Apache config, and change your authz file to have repo-targeted permissions:
Use different authz files for each repository, keeping in mind that the paths that access is being granted for are relative to the root of the repository.
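The section lookup described in the answer, as an added Python example that is not part of the original post or of Subversion: a simplified model that resolves a user's rights from the most specific matching section, run against the two rule sets from the question. The function names are hypothetical, and groups, aliases and wildcard sections are not modelled.

```python
# Added example: simplified model of authz section lookup (assumption: no groups/aliases).
def parse_authz(text):
    """Return {section_name: {principal: rights}} from authz-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            who, rights = (part.strip() for part in line.split("=", 1))
            current[who] = rights
    return sections

def access(sections, user, repo, path):
    """Rights ('', 'r' or 'rw') for user on a path inside one repository."""
    parts = [p for p in path.split("/") if p]
    # Walk from the requested path up to the repository root.
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        # A repo-qualified section is consulted before the unqualified one.
        for name in (f"{repo}:{candidate}", candidate):
            rules = sections.get(name, {})
            matched = [rules[k] for k in (user, "*") if k in rules]
            if matched:
                # Union of the rights given to the user and to '*'.
                return "".join(c for c in "rw" if any(c in m for m in matched))
    return ""  # no section matched: deny

# Rule sets retyped from the question: the first attempt and the working file.
ORIGINAL = "[/]\n* =\n[/repoA]\n* =\nuserA = rw\n[/repoB]\n* =\nuserB = rw\n"
FIXED = ORIGINAL.replace("[/repoA]", "[repoA:/]").replace("[/repoB]", "[repoB:/]")

def report():
    """Rights of userA at a few (repo, path) pairs under both rule sets."""
    rows = []
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        rules = parse_authz(text)
        for repo, path in (("repoA", "/"), ("repoB", "/"), ("repoB", "/repoA")):
            rows.append((label, repo, path, access(rules, "userA", repo, path)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-8s %-5s %-7s %r" % row)
```
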