httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Apache authentication - require group AND (not OR) user
Date Thu, 16 Aug 2012 15:28:50 GMT


On 8/15/2012 7:45 AM, Rainer Jung wrote:
> On 14.08.2012 23:30, Ben Johnson wrote:
>> Hello,
>>
>> I've scoured the Internet for examples of how to implement logical
>> operators where the "require" directive is concerned.
>>
>> The dearth of documentation and discussion regarding this subject leads
>> me to believe that it has not been implemented, or was implemented at
>> one time and then removed.
>>
>> This is the most thorough discussion I can find on the subject, which
>> dead-ends:
>> http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html
>>
>>
>> My location block, which, at present, only allows one group
>> ("programmers"), looks something like this:
>>
>> <Location /svn/project>
>> AuthType Basic
>> AuthName "SVN Repository"
>> AuthBasicProvider dbm
>> AuthDBMType DB
>> AuthDBMUserFile "/var/www/apache-users"
>> AuthDBMGroupFile "/var/www/apache-users"
>> require group programmers
>> DAV svn
>> AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg
>> SVNPath /var/www/svn/project
>> </Location>
>>
>> Ideally, I wish to do something like the following (I'm using
>> pseudo-code here, because it's probably easier to understand than plain
>> English):
>>
>> if ($group === 'programmers' || ($group === 'clients && $user ===
>> 'joe')) {
>>       //Allow access.
>> }
>> else {
>>       //Deny access.
>> }
>>
>> Is this possible? Or do I need to give-up on controlling authentication
>> at this level and instead focus on authorization within
>> "svn-access-control.cfg"?
>>
>> Thanks for any help!
> 
> You might be looking for the RequireAny and RequireAll container
> directives:
> 
> http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall
> 
> See also
> 
> httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall
> 
> and finally the How To
> 
> http://httpd.apache.org/docs/2.4/en/howto/auth.html
> 
> Regards,
> 
> Rainer

Thanks, Rainer! This is exactly what I was looking for: the ability to
implement complex authorization containers.

That said, as I explained in my reply to Hugh (on this same subject), it
seems that the AuthzSVN module (and the directives defined in
AuthzSVNAccessFile) is taking precedence over Basic authorization
module. I found the following excerpt at
http://www.csparks.com/Subversion.xhtml :

"The Satisfy Any directive tells Apache to allow access if either the
Allow directive is satisfied or one of the Auth modules is satified. The
"Allow from all" is always satisfied. But we have two Auth modules:
AuthzSVN and AuthDigest. In this case AuthzSVN will look into the
svnusers.conf file. If no user name is required for the requested
resource, no prompt for authentication will occur. But if a username is
required, the AuthDigest module will come into play and prompt for
credentials. The authorized name is allowed to do whatever the
AuthzSVNAccessFile permits."

This statement seems consistent with the observed behavior. And it bears
mention that in my example directives (and those at the above-cited
resource), "require" directives come before the "AuthzSVNAccessFile"
directive, which seems to indicate that the order is irrelevant.

Do you have any experience or advice in this regard?

Basically, I am trying to determine how much of the access control
should be done in the <Location></Location> block and how much of it
should be done in the AuthzSVNAccessFile. My primary concern is that we
have dozens of SVN repositories and I don't want to have to define the
"[groups]" for every single repository when the groups are the same for
all of them.

In fact, I would prefer to use a single AuthzSVNAccessFile that has some
very basic rules and handle all other aspects of access control in the
Location blocks in which each repository is defined.

Does this make any sense at all?

Thanks again,

-Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message