Svn – Subversion all or nothing access to repo tree

apache-2.2authorizationconfigurationsvn

I'm having some problems setting up access to my Subversion repositories on a Linux server.
The problem is that I can only seem to get an all-or-nothing structure going. Either everyone gets read access to everything or noone gets read or write access to anything.

The setup:

SVN repos are located in /www/svn/repoA,repoB,repoC…

Repositories are served by Apache, with Locations defined in etc/httpd/conf.d/subversion.conf as:

<Location /svn/repoA>
 DAV svn
 SVNPath /var/www/svn/repoA
 AuthType Basic
 AuthName "svn repo"
 AuthUserFile /var/www/svn/svn-auth.conf
 AuthzSVNAccessFile /var/www/svn/svn-access.conf
 Require valid-user
</Location>

<Location /svn/repoB>
 DAV svn
 SVNPath /var/www/svn/repoB
 AuthType Basic
 AuthName "svn repo"
 AuthUserFile /var/www/svn/svn-auth.conf
 AuthzSVNAccessFile /var/www/svn/svn-access.conf
 Require valid-user
</Location>

...

svn-access.conf is set up as:

[/]
* =

[/repoA]
* =
userA = rw

[/repoB]
* =
userB = rw

But checking out URL/svn/repoA as userA results in Access Forbidded.

Changing it to

[/]
* =
userA = r

[/repoA]
* =
userA = rw

[/repoB]
* =
userB = rw

gives userA read access to ALL repositories (including repoB) but only read access to repoA!

so in order for userA to get read-write access to repoB i need to add

[/]
userA = rw

which is mental.

I also tried changing

 Require valid-user

 Require user userA

for repoA in subversion.conf, but that only gave me read access to it.

I need a way to default deny everyone access to every repository, giving read/write access only when explicitly defined.

Can anyone tell me what I'm doing wrong here? I have spent a couple of hours testing and googling but come up empty, so now I'm doing the post of shame.

EDIT

I went with Shane's first solution and ended up with the following working config:

/etc/httpd/conf.d/subversion.conf:

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn

    AuthType Basic
    AuthName "Subversion repo"
    AuthUserFile /var/svn-auth.conf
    Require valid-user
</Location>

/var/svn-access.conf:

[/]
* =

[repoA:/]
* =
userA = rw

[repoB:/]
* =
userB = rw

Best Answer

The common theme in the problems that you're having is that your [/repoA] and [/repoB] sections are doing nothing whatsoever, right? There's a reason for that.

The paths you're authorizing are not relative to the location of the authz access file; they're relative to the SVN repository that it's handling access control for.

So, your [/] section? It grants access to both /svn/repoA/ and /svn/repoB/; it does not grant access to /svn/. Similarly, your [/repoA] section grants access to /svn/repoA/repoA and /svn/repoB/repoA; a rule for [/trunk] will grant access to both /svn/repoA/trunk and /svn/repoB/trunk.

You've set SVNPath directives for each of your repositories, but you're pointing to the same authorization files for each - so each repository has identical access rules. There's a syntax for setting different authorization for different repositories, but that's for when you're using SVNParentPath.

So, two options:

Switch to using SVNParentPath /var/www/svn instead of hard-defining each repo in your Apache config, and change your authz file to have repo-targeted permissions:
```
[/]
* =
userA = r

[repoA:/]
* =
userA = rw

[repoB:/]
* =
userB = rw
```
Use different authz files for each repository, keeping in mind that the paths that access is being granted for is relative to the root of the repository.

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

I recently struggled with the same problem on my Fedora 10 system. In my case the culprit was some odd redirection that I was doing in Apache. Specifically, I use a content management system (Drupal, to be exact) that within it's .htaccess includes the following redirection logic to redirect missing files to a PHP script:

# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

It makes sense that the above only affects the PUT method since in that case REQUEST_FILENAME does not exist.

Not having the WebDAV area inside of the Drupal area, which seems like a reasonable constraint, fixes the problem.

Also, I think it is likely that SELinux would result in a different error, but it's not mentioned in the discussion above. Did you try disabling SELinux?

Svn – How to configure Apache to redirect a subdirectory to a subversion repo

Short answer: Use the PT flag on your RewriteRule.

First, a little Apache backstory. When Apache receives a request, it goes though a process of mapping that request to the local storage. After that, Apache actually has two pieces of data on what you requested. The request url, and the file path. So a request for /svn/blah is translated into /var/www/vhosts/myserver.com/html/svn/blah and that path is stored separately. mod_rewrite lets you tweak this behavior to route urls where you want.

Now, the two RewriteRules you have there are implicitly doing different things.

The first one you have there is a rewrite. It takes a url like /svn/blah and instead of using the behavior above, it maps it as if you actually requested /svn/myrepo/blah, so the resulting filepath would be /var/www/vhosts/myserver.com/html/svn/myrepo/blah. However, and here's the sticking point, it does not modify the requested url. The request url is still /svn/blah, apache just now thinks that file is to be found at .../svn/myrepo/blah rather than .../svn/blah.

Why does this matter you ask? Because the subversion module doesn't use the filepath. It looks at the request url. So apache and mod_rewrite just wasted time doing all that, because mod_dav_svn just ignores it. What you need is for mod_rewrite to change the request url. And that's what PT does. It modifies both the request url and the file path, so later when it gets to mod_dav_svn, it will see the changed url.
The second one is a redirect. Since the substitution starts with http:// and apache doesn't have a virtualhost named 192.168.0.1, it assumes you actually meant to put an R in your flags, since it can't translate that into a filepath. That is sending back a "Hey, it's over here" message to the subversion client, and it's making another request for it.

Now, having said all that, you're never going to have more than one repository on there anyway with this setup unless you do something to force mod_rewrite to skip the urls of the other repositories. mod_rewrite will cheerfully change /svn/bignewproject/blah into /svn/myrepo/bignewproject/blah for you every time. You could add a rule before the RewriteRule you have such as:

RewriteRule ^/svn/(myrepo|myotherrepo|coolproject|stuff|etc)/ - [S=1]

That will cause it to skip the next rule. However, you're going to be updating it by hand from here on out. You might be able to pull off something automated with some RewriteCond magic, but it'll probably be tricky. I'm not really familiar with that, so someone else would have to help you out there.

If this is only used by a small group of people, then you might be better off skipping this rewriting stuff entirely and just update everyone's working copies. svn switch --relocate is meant specifically for situations where the repos is moved and you just want to update your working copy without checking it out again. I understand there are situations where this simply isn't feasible though.

Best Answer

Related Solutions

Centos – WebDAV on CentOS – getting 403 error when attempt to upload

Svn – How to configure Apache to redirect a subdirectory to a subversion repo

Related Topic