[Gllug] Subversion Authorisation

Steve Nelson sanelson at gmail.com
Wed Feb 28 12:06:42 UTC 2007


Hello chums,

I have two svn repositories with two subdirectories each, and four groups
of users.  I have written an authz file to describe the ACL I require
- namely that the root of both repositories be anonymous read-only, and
that different control is imposed per group on each subdirectory, with
inheritance taking place on anything beneath them.

Following the advice of the subversion book, I have set up my apache container
with both Satisfy Any and Require Valid User, to provide a combination
of authentication and anonymous access.

I am finding that with Satisfy Any, all users can browse anywhere in
either repository, even if this is specifically restricted in the
authz file.

If I remove Satisfy Any, I find that every time a user moves within
the repos they are challenged for a password.  The ACL is honoured -
i.e. the users are only allowed to do as the ACL describes, but they are
challenged even for areas where they should have anonymous, read-only
access.

What I want is a combination - but I cannot see what I have done
wrong.  My container and authz file are below.

Any suggestions?  Or am I missing something obvious?

S.

<Location /repos>
       DAV svn
       SVNParentPath /local/svn
       SVNIndexXSLT /svnindex.xsl

       # Require SSL connection for password protection.
       SSLRequireSSL

       # our access control policy
       AuthzSVNAccessFile /etc/httpd/conf/.svnauthz


       # try anonymous access first, resort to real
       # authentication if necessary.
       Satisfy Any
       Require valid-user

       # How to authenticate if needed
       AuthType Basic
       AuthName "De La Rue Subversion Repositories"
       AuthUserFile /etc/httpd/conf/.htpasswd
</Location>

And my AuthzSVN acl is:

[groups]
coe = sanjay, darryl
im =  witcharp, nelsonst
general = subversion
atos = berry, fred

[/]
* = r
[devrep:/]
@coe = r
@im = r
@general = r
@atos = r

[devrep:/dlr]
@coe = rw
@im = rw
@general =
@atos = r

[devrep:/atos]
@coe =
@im = r
@general =
@atos = rw

[prdrep:/]
@coe = r
@im = r
@general = r
@atos = r

[prdrep:/prdobj]
@coe =
@im = rw
@general =
@atos =

[prdrep:/prddoc]
@coe = rw
@im = r
@general = r
@atos = r
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
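
An added example, not part of the original post and not Subversion's own code: a simplified Python model of the authz path lookup, run over the groups and the devrep rules from the post, to audit what an unauthenticated request (which matches only `*`) may read compared with group members. The function names and the "nearest section with a matching entry decides, most permissive matching line wins" rule are assumptions of this sketch.

```python
import configparser

# Sample input: [groups], [/], [devrep:/] and [devrep:/atos] copied from the post.
AUTHZ = """\
[groups]
coe = sanjay, darryl
im = witcharp, nelsonst
general = subversion
atos = berry, fred
[/]
* = r
[devrep:/]
@coe = r
@im = r
@general = r
@atos = r
[devrep:/atos]
@coe =
@im = r
@general =
@atos = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(text)
    return cp

def access(cp, user, repo, path):
    """Effective rights ('', 'r' or 'rw') for user; None means anonymous."""
    names = {"*"}  # an anonymous request can only ever match '*'
    if user:
        names.add(user)
        for g, members in cp["groups"].items():
            if user in [m.strip() for m in members.split(",")]:
                names.add("@" + g)
    path = "/" + path.strip("/")
    while True:  # walk from the requested path up to the root
        for section in (f"{repo}:{path}", path):  # repo-specific section first
            if cp.has_section(section):
                hits = [v.strip() for k, v in cp[section].items() if k in names]
                if hits:
                    return max(hits, key=len)  # most permissive matching line
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"
```

In this model `access(load(AUTHZ), None, "devrep", "/atos")` returns `'r'` while the same call for `sanjay` returns `''`: no section below `[/]` has a `*` line, so the anonymous lookup always falls through to `* = r`.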



