subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bert Huijben" <b...@qqmail.nl>
Subject RE: problem authz_svn_module
Date Tue, 17 Jan 2017 15:25:20 GMT


> -----Original Message-----
> From: Henk P. Penning [mailto:penning@uu.nl]
> Sent: dinsdag 17 januari 2017 08:50
> To: Daniel Shahaf <d.s@daniel.shahaf.name>
> Cc: users@subversion.apache.org
> Subject: Re: problem authz_svn_module
> 
> On Mon, 16 Jan 2017, Daniel Shahaf wrote:
> 
> > Date: Mon, 16 Jan 2017 19:48:44 +0100
> > From: Daniel Shahaf <d.s@daniel.shahaf.name>
> > To: Henk P. Penning <penning@uu.nl>
> > Cc: users@subversion.apache.org
> > Subject: Re: problem authz_svn_module
> >
> > Henk P. Penning wrote on Sun, Jan 15, 2017 at 10:02:12 +0100:
> 
> Hi Daniel,
> 
> >>    but (and this is the PROBLEM) the checkout command prompts
> >>    for a username/password :
> >>
> >>     %  svn co //svn.science.uu.nl/repos/project.mirmon/trunk
> >>
> >>    With the "LimitExcept" lines in the config, the checkout
> >>    command works, although some errors appear in the log
> >>    (see below).
> >>
> >>   So, it appears that the 'checkout' command does a
> >>
> >>     PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
> >>
> >>    which causes the username/password-prompt when the
> >>    "LimitExcept" lines are omitted.
> >>
> >>    -- Does this diagnosis make sense ?
> >>    -- How do I make this work, without the LimitExcept trick ?
> >
> > LimitExcept is actually the documented recommendation; see
> > http://svnbook.red-
> bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.a
> uthz
> > (second code snippet)
> 
>    Eh ; LimitExcept (together with GET PROPFIND OPTIONS REPORT) is
>    mentioned in the context of "anonymous read" and "valid-user write"
>    [the "GET" is a give-away] ; different case, I think.

Subversion uses a number of methods on both public and private URLs. With
the default configuration the private urls are below the magic '!svn'
subdir, but this may be configured differently (and change in future
versions).

Usually every Subversion client will start by performing one or more OPTIONS
requests, followed by other operations.

LIMITEXCEPT <method>... limits every method except the specified methodss
with whatever is configured in that block. (Apache also has a 'LIMIT'
setting, which works the other way around... But we avoid using that in our
sample configurations as we originally assumed that we may use other methods
in future versions)

A checkout with Subversion 1.8 or later against an 1.8+ server will usually
include at least the GET, OPTIONS and REPORT methods. Older versions of
Subversion and nonstandard configurations may avoid the GET and/or may use
PROPFIND.


To configure your repository in your intended way I know of two common
configurations:
1. Configure the repository to be available anonymously with the standard
LIMITEXCEPT, which I think needs to include more operations than that in
your setting. This setting should be applied on the repository root, not the
trunk subdirectory.
The authz file can then configure specific settings on all subdirectories.

This configuration has some known limitations when hiding subdirectories
below a visible root... But it is the easiest way to expose full
repositories read-only.


2. Create a default guest user (e.g. 'guest' and a blank password)
This requires everybody to login, so everything can be handled by the authz
file.

Products like CollabNet SvnEdge use this configuration to avoid that problem
I just described with hiding subdirectories for specific users.



In your case I think you want to change your httpd.conf block to apply to
the repository root to make it include the private urls, and add the now
missing methods to the LimitExcept.
The authz setting will then handle your other configuration settings.

Thanks / Met vriendelijke groeten,

	Bert Huijben

> 
>    What I have is a private repo with a public subtree (trunk) :
> 
>      [project.mirmon:/]
>      penni101 = rw
>      # anonymous read not allowed
>      * =
>      [project.mirmon:/trunk]
>      penni101 = rw
>      # anonymous read allowed
>      * = r
> 
>    An 'anonymous' user can browse (svn ls, svn cat)
>    but not checkout (svn co), because the checkout
>    does a (note the '!') :
> 
>      PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
> 
> > The other option is to set two separate <Location> blocks, one for
> > anonymous users (that excludes everything-but-trunk unconditionally) and
> > one for authenticated users (that requires authentication for all
> > operations).
> 
>    Do you mean : use 2 AuthzSVNAccessFile's ?
> 
> > Daniel
> 
>    Thanks ; regards,
> 
>    Henk Penning
> 
> ------------------------------------------------------------   _
> Henk P. Penning, ICT-beta                 R Uithof HFG-406   _/ \_
> Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
> Budapestlaan 6, 3584CD Utrecht, NL        F +31 30 253 4553 \_/ \_/
> http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/


Mime
View raw message