How Do I Restrict Repository Access via WebSVN?
I have multiple subversion repositories which are served up through Apache 2.2 and WebDAV. They are all located in a central place, and I used this debian-administration.org article as the basis (I dropped the use of the database authentication for a simple htpasswd file though).
Since then, I have also started using WebSVN. My issue is that not all users on the system should be able to access the different repositories, and the default setup of WebSVN is to allow anyone who can authenticate.
According to the WebSVN documentation, the best way around this is to use subversion's path access system, so I looked to create this, using the AuthzSVNAccessFile directive.
When I do this though, I keep getting "403 Forbidden" messages.
My files look like the following:
I have default policy settings in a file:
<Location /svn/>
DAV svn
SVNParentPath /var/lib/svn/repository
Order deny,allow
Deny from all
</Location>
Each repository gets a policy file like below:
<Location /svn/sysadmin/>
Include /var/lib/svn/conf/default_auth.conf
AuthName "Repository for sysadmin"
require user joebloggs jimsmith mickmurphy
</Location>
The default_auth.conf file contains this:
SVNParentPath /var/lib/svn/repository
AuthType basic
AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
I am not fully sure why I need the second SVNParentPath in default_auth.conf, but I just added that today as I was getting error messages as a result of adding the AuthzSVNAccessFile directive.
With a totally permissive access file
[/]
joebloggs = rw
the system worked fine (and was essentially unchanged), but as I soon as I start trying to add any kind of restrictions such as
[sysadmin:/]
joebloggs = rw
instead, I get the 'Permission denied' errors again. The log file entries are:
[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin
What do I need to do to get this to work? Have configured apache wrong, or is my understanding of the svnaccess.conf file incorrect?
If I am going about this the wrong way, I have no particular attachment to my overall approach, so feel free to offer alternatives as well.
UPDATE (20090528-1600):
I attempted to implement this answer, but I still cannot get it to work properly.
I know most of the configuration is correct, as I have added
[/]
joebloggs = rw
at the start and 'joebloggs' then has all the correct access.
When I try to go repository-specific though, doing something like
[/]
joebloggs = rw
[sysadmin:/]
mickmurphy = rw
then I got a permission denied error for mickmurphy (joebloggs still works), with an error similar to what I already had previously
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin
Also, I forgot to explain previously that all my repositories are underneath
/var/lib/svn/repository
UPDATE (20090529-1245):
Still no luck getting this to work, but all the signs seem to be pointing to the issue being with path-access control in subversion not working properly. My assumption is that I have not configured apache or svn to properly recognise my repository structure.
This is because the '[/]' entry seems to work perfectly.
It also occurs to me that this is question that may belong better on StackOverflow?
UPDATE (20090603-1740):
In response to one of the comments to this question, my WebDAV setup for subversion itself is given the location /svn/repos but websvn is set to /websvn.
Solution 1:
The issue is probably relating to the splitting of configuration between two location directives, but I'm not sure.
Rather than defining permissions in two places (apache config and the authz file), just define them in the authz file. Like so:
httpd.conf
<Location /svn>
DAV svn
SVNParentPath /var/lib/svn/repository
Require valid-user
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /path/to/.htpasswd
SVNPathAuthz on
AuthzSVNAccessFile /path/to/svn.authz
</Location>
svn.authz
[groups]
sysadmins = joebloggs jimsmith mickmurphy
# By default, nobody has any permissions
[/]
* =
# sysadmins get access to the sysadmin repository
[sysadmin:/]
@sysadmins = rw
You would need the appropriate users in the htpasswd file too, obviously.
Solution 2:
Have no idea whether or not you have solved this issue, but this is the procedure that works for me.
Forget fiddling with apache directives, instead edit WebSVN's config.php file and include/uncomment the following directive:
$config->useAuthenticationFile('/path/to/your/authz/file');