subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francisco L Fernandez Tortosa <>
Subject propositionl: patching mod_authz_svn to be used as an authz provider for apache 2.4
Date Wed, 23 Jan 2019 10:42:55 GMT

I am involved in a customer project to replace CVS with SVN. SVN was 
chosen against more popular alternatives like git, because it is a free, 
open-source, mature and, this was the main point, centralized version 
control system. Repositories are to be accessed through https protocol, 
served by apache httpd server 2.4. Some features of the actual CVS service 
had to be ported to the SVN setup. For example, normal users shouldn't be 
able to create top (first) level folders and files. The straight forward 
to implement that requisite was through path access cheking. But activate 
mod_authz_svn implies breaking any other authz module, like for example 
mod_authnz_ldap, required for us to control repository access based on 
LDAP group membership, or having true read only service accounts for 
Redmine, to have just two examples. Looking at the source code I have 
found that mod_authz_svn is coded to support apache 2.2 authn / authz 
instead of native 2.4 model. As I didn't consider it a major effort, I 
have dedicated a few hours to analyze and patch the code, resulting in a 
functional 2.4 authz provider. This way it can seamless combine with other 
authz providers like in this example:

svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 # cat 
<IfModule mod_dav_svn.c> 

SetEnvif Request_URI ^/repos/test Repo_test=1 
CustomLog   /svn/logs/repos/test/access.log "%h %t - %{SVN-REPOS-NAME}e - 
%u - %{SVN-ACTION}e" env=Repo_test 
<Location "/repos/test"> 
    DAV svn 
    SVNPath /svn/repos/test 
    AuthzSVNAccessFile /svn/config/auth/accessfile-test 
    SVNReposName "Repositorio de TEST" 
    AuthzSVNAuthoritative Off 
    AuthzSVNAnonymous Off 
    AuthMerging And 
      Require control-point "GuardiasRedes" 
      Require control-point "Administradores Servidores Horizontales" 
      Require svnpathaccess "Granted" 
svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 # 

The "Granted" argument to the "require svnpathaccess" line for the 
provider is just a placeholder / syntax sugar as all the info that the 
provider needs is provided through the directory level clauses 
AuthzSVNAccessFile, SVNReposName... etc.

The patched code suits our needs, but we are very concerned about support 
and maintenance. Would it be possible for the SVN dev team to integrate in 
the official code a patch like this and provide the module full apache 2.4 

Attached goes the  patch for your consideration. It is written against 
1.10 code. Perhaps you should correct some white spaces in the patch to 
apply cleanly because security restrictions at the customer don't allow 
the employes or subcontractors to send any type mail attachments, and I 
had to copy it in the body.

Thanks in advance

Saludos / Regards


Francisco L. Fernández Tortosa
IBM GS Spain - GTS Infrastructure Services Projects
Linux & open source services
Delivery Infrastructure Architect

IBM Global Services España, S.A.
Mar Adriático, 2, 
28830 San Fernando de Henares (Madrid)
Registro Mercantil de Madrid, Folio 49; Tomo 6430; Hoja M-104.742
CIF A80-599459

Sólo conozco dos tipos de personas razonables: las que aman a Dios de todo 
corazón porque lo conocen, y las que lo buscan de todo corazón porque no 
lo conocen.
                                                  Blas Pascal

Two things are infinite: the universe and human stupidity; and I'm not 
sure about the universe.
                                                  Albert Einstein

Salvo indicado de otro modo más arriba / Unless stated otherwise above:
International Business Machines, S.A.
Santa Hortensia, 26-28, 28002 Madrid
Registro Mercantil de Madrid; Folio 1; Tomo 1525; Hoja M-28146
CIF A28-010791

View raw message