Access Control for Subversion with Apache2 and Authz

My group project at University now consists of three smaller projects that provide an overall RSS service. I want to let the guys work on these, while still keeping my other coursework accessible only to me. At the moment, I just have basic HTTP authentication set up, which isn’t so great for pulling off what I want.

Please welcome on stage the Apache2 module, authz_svn.

If you followed my other howto, you’ll have all the prerequisites for this.

First of all, we need to create an Access Control file.

sudo nano /etc/apache2/svn_access_control

In this file, you’ll want to put some rules. I’ll first of all go over these and then provide some examples.

Permissions

There are only two types of permission:

  • Read only – r – a user can check-out a copy of a project.
  • Read and Write – rw – a user can check-out and commit changes to a project.

Users

These are the same usernames that you have set in your password file that you created in the previous howto. You can always add more users to this file using:

sudo htpasswd2 -m /etc/apache2/dav_svn.passwd bill

When prompted, enter the password for the user.

Repository Location

You apply the above rules to particular paths within the repository. Each path goes between square brackets, and the rules for it follow on the lines below.

[/]

The above will specify rules for the root of the repository.

[/wowapp/trunk]

The above will specify rules for a project named ‘wowapp’ in the trunk location.

User Groups

You can create groups of users and then use those for rules. You do this under a special heading in square brackets:

[groups]
mygroup = dave, mike

This will create a group called ‘mygroup’ which ‘dave’ and ‘mike’ belong to.

And now for some examples.

Examples

[groups]
team = bob, bill
devteam = bob, barry, brett

[/]
@team = r
bob = rw

[/wowapp/trunk]
@team = r
@devteam = rw
brenda = rw

In this example:

  • Created a group team which has two members: bob and bill.
  • Created another group, called devteam, which has three members: bob, barry and brett.
  • In the root of the repository, I’ve given the group team read permissions.
  • Also, in the root, bob has read and write permissions.
  • In the trunk of wowapp, the group team has read permission.
  • Also, the devteam group has read and write permissions.
  • And another user, called brenda has read and write permissions.
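As an added example (not part of the original how-to, and not Subversion's own code), this Python sketch evaluates the example file above the way the Subversion book describes path-based authorization: the most specific path section that names the user decides, and all matching lines in that section are combined. It handles only plain user, @group and * entries, and the function names are hypothetical.

```python
import configparser

# The example access file from this page.
AUTHZ = """\
[groups]
team = bob, bill
devteam = bob, barry, brett

[/]
@team = r
bob = rw

[/wowapp/trunk]
@team = r
@devteam = rw
brenda = rw
"""

def load(text):  # -> (groups, rules per path section)
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")}
              for g, v in cp["groups"].items()} if "groups" in cp else {}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def matches(who, user, groups):
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who in ("*", user)

def effective_access(user, path, groups, rules):
    """Return '', 'r' or 'rw': nearest section naming the user decides."""
    parts = [p for p in path.split("/") if p]
    while True:
        section = "/" + "/".join(parts)
        hits = [perm for who, perm in rules.get(section, {}).items()
                if matches(who, user, groups)]
        if hits:  # permissions from all matching lines are combined
            return "".join(c for c in "rw" if any(c in h for h in hits))
        if not parts:
            return ""  # no rule matched anywhere: denied
        parts.pop()

GROUPS, RULES = load(AUTHZ)

if __name__ == "__main__":
    for u, p in [("bob", "/wowapp/trunk"), ("brenda", "/"), ("barry", "/wowapp")]:
        print(u, p, repr(effective_access(u, p, GROUPS, RULES)))
```

Running it shows that brenda and barry have no access at the repository root or at /wowapp, only from /wowapp/trunk downwards.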

Once you’ve created your desired access control file, save the changes in nano by hitting CTRL+O, hit Enter to confirm the file name, then CTRL+X to quit nano.

We just need to now link this access control file with our Subversion set-up.

sudo nano /etc/apache2/mods-enabled/dav_svn.conf

Here’s the example from the previous how-to:

<Location /svn>
  DAV svn
  SVNPath /home/svn

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
</Location>

All you need to add is the following line:

AuthzSVNAccessFile /etc/apache2/svn_access_control

So that the file looks like this:

<Location /svn>
  DAV svn
  SVNPath /home/svn

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd

  AuthzSVNAccessFile /etc/apache2/svn_access_control

  Require valid-user
</Location>

Save the file, and then restart Apache2:

sudo /etc/init.d/apache2 restart

You should now have access control working for Subversion over Apache2.

2006-03-03
  • Gunakar

    Hey David, can I get any sort of help concerning Subversion patch up with apache2? Specially, I am stuck with the httpd.conf file setting

    like…… blah blah……

    Please let me know where I’m wrong when I have configured the authz, passwd, svnserver.conf in the conf folder

    I have a structure like follows, and how I created it is mentioned below

    repos(mkdir)—>Projectfolder(thru svnadmin create Projectfolder)which by default created the list like Readme.txt,conf,dav,db,hooks,locks….

    Please help me in concern

  • Kiff Turner

    Hi,

    you mentioned that you’d be putting up a howto on installing php with apache2 and subversion along these lines, any ideas when it might appear and if not do you have a good reference howto from elsewhere?

    I can’t seem to get them working together as the default apache2 install that comes with ubuntu 5.10 looks very different to the one you end up with after following your apache2 install guide (it’s in /etc/apache2 for a start, and has mods-available and mods-installed directories).

    Thanks.

  • Gk

    Hi David,

    Just let me know how Harry and Sally can access the repositories from TortoiseSVN. I just uncommented the commented lines in the repository (TEST) conf folder in all of the following three files…… Anything else I need to do….???

    authz passwd svnserver.conf

  • http://www.javachap.net Praful

    Hi ,

    Does this configuration work with Windows-based SVN clients such as TortoiseSVN?

    Thanks in advance. Praful

  • http://davidwinter.me.uk David

    I’m not too sure about TortoiseSVN. I wrote the howto based on myself using it via the command line.

  • Ishmaeel

    @Praful : Yes, TortoiseSVN works nicely with this setup. When you try to do something you’re not authorized to do, TSVN just asks for different credentials.

    Thanks for the tutorial, David.

  • cjk

    Just use /etc/init.d/apache2 reload (reload, not restart!)

  • http://timvalenta.wordpress.com tim

    Wonderful. Thanks. Never used mod_authz_svn before. You seem to have the only brief, to-the-point, intelligent tutorial on the matter :)

  • Shane

    I have setup an SVN Server for our development department, and have successfully provided access, the problem that I am running into is that I can not limit access to specific repositories or projects/folders in the repository.

    My subversion.conf:

    DAV svn
    SVNParentPath /var/www/svn
    AuthzSVNAccessFile /etc/httpd/conf.d/svn-acl-conf
    Satisfy Any
    Require valid-user
    AuthType Basic
    AuthName "subversion repository"
    AuthUserFile /etc/httpd/conf.d/svn-auth-conf

    My svn-acl-conf:

    names change to protect the innocent…

    [groups]
    admin = user1
    developers = dev1, dev2, dev3, user1
    externaldev = extdev1, extdev2
    readonly = read1, read2

    [/]
    @developers = rw
    @readonly = r

    [/repo1]
    @developers = rw
    @readonly = r

    [/ext_repo1]
    @developers = rw
    @externaldev = rw
    @readonly = r

    If I comment out the root [/] level, or the user/group does not have root level permissions granted in the access control file, I get a “Server sent unexpected return value (403 Forbidden) in response to OPTIONS request for ‘http://ampsvr01/svn/repo1’”, where repo1 can be any repository or directory name. Essentially root level access is the only option I have, which will be unacceptable if I am using an external development team.

    We are using Subversion v1.5.5

    Thanks, Shane

  • Igor

    Thanks, the best tutorial to configure svn access. Easy and clear and it worked for me in one shot :)

  • Vijay

    Quite useful but not up to the mark. In real time projects you may need more access control. Say I have a bunch of 5 developers and I administrate the source archive. All people in the project are granted rw access so that they can check in and out files. But there is also a threat of developers deleting a file from the archive by mistake, and the file vanishes away. So developers should be masked from delete access on files, and only the administrator should have delete access on the archive. That’s the way access control should work. Do you have an answer for that? Thanks, -Vijay

  • http://ksniffer.org Giovanni

    Hello, I configured SVN by Apache and configured ViewVC too. When I connect by browser I have the correct permissions on the directory of the project, but when I try from an SVN client any user can download the full SVN and I don’t want this.

    I have the following ACL:

    [ks:/]
    * = r
    gio = rw
    fab = rw
    test =
    sal = rw

    [ks:/trunk/]
    fab = rw
    sal = rw
    gio = rw

    [ks:/trunk/testproject/]
    sal = r
    fab = r
    gio = r

    [ks:/trunk/ptz/]
    sal =
    fab = rw
    gio = rw

    [ks:/trunk/libKS/]
    sal = rw
    fab =
    gio = r

    [ks:/branches]
    * = rw

    [ks:/tags]
    * = rw

    From the Web, the user fab cannot access the folder /trunk/libKS/, but if the user fab tries “svn co …” he can get all the repository including /trunk/libKS/. Why? Where is the problem?

    I have CentOS 5.2 with apache 2.2.3 (httpd-2.2.3-22.el5.centos.2), mod_dav_svn-1.4.2-4.el53.1, subversion-1.4.2-4.el53.1

    Can someone help me?

  • Yandros

    Hello David…

    I’m trying to improve a svn with security groups, but in my case only the root directory works correctly. If I try another directory with any user, I can read and write all directories.

    My conf

    File: /etc/apache2/svnaccesscontrol

    [groups]
    svn = user1, user2
    empresa = user3, user4
    xx = pepinillo

    [/]
    @svn_sistemas = rw
    @cimne = rw
    @xx = rw

    [/var/log/svn/empresa] <– (If I try to enter with pepinillo I can read and write…)
    @empresa = r
    @svn = rw

    Anyone can help me?
