Just got a comment on one of my posts from a while back about public SVN access wondering how to get it configured. The basic idea is to have a single repository with anonymous read-only access, and have the same repository allow read-write access to authenticated users. Further, you want to configure that on a per-directory basis (with inheritance, of course), so you can have different areas require different principals, and allow some sections to require authentication even for read access.
So without further ado, here's the magic configuration bits.
    <Location /svn/barneyb>
        DAV                svn
        SVNPath            /path/to/svnroot/barneyb

        # how to authenticate a user when one is required
        AuthType           Basic
        AuthName           "Subversion/Trac"
        AuthUserFile       /path/to/apache/conf/htpasswd

        # per-path authorization is handed off to mod_authz_svn
        AuthzSVNAccessFile /path/to/apache/conf/authz.conf

        # try anonymous access first; only demand Basic credentials when the
        # authz file does not already grant the request to '*'
        Satisfy            any
        Require            valid-user
    </Location>
In this case I'm just using Basic auth with an htpasswd file for authentication. The magic line is the "AuthzSVNAccessFile" line, which defines the file to use for authorization. Here's a snippet:
    [/]
    barneyb = rw

    [/bicycle_dashboard]
    * = r
    barneyb = rw
The first section says that for the root of the repository (/), only barneyb (me) is allowed access, and I'm allowed to read and write. The second section says that for the /bicycle_dashboard path, I'm still allowed to read and write, but anyone is allowed to read.
The gotcha is that a directory you list explicitly does not inherit anything from its parents: each section you write is the complete set of rules for that path and everything below it, which is why barneyb = rw has to be repeated under /bicycle_dashboard. Full details on the authorization file can be found in the Subversion Book. That link is for the nightly build of the book, so if you've got an old version of Subversion, you might want to go grab an older version of the book as well. The general Apache docs can be found here.
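To make that inheritance rule concrete, here is a small Python model of how such an authz file gets evaluated. This is an added example, not code from this post and not Subversion's own implementation. It uses the post's two sections and then goes beyond them with three constructed variations: a sub-folder hidden from anonymous readers, a read-only trunk declared for one repository only (the repo:/path form used with SVNParentPath), and a read-only group whose member still ends up with write access because a `* = rw` line in the same section also matches it. The user names nic and guest and the repository name calc are made up for the demo. Treat the same-section union rule as an assumption about the pre-1.10 authz code this discussion is about; Subversion 1.10 reimplemented authz and resolves such overlaps by rule specificity, so check the release notes for the version you actually run.

```python
# Added example, not code from the post or from Subversion: a model of how an
# AuthzSVNAccessFile is evaluated, showing the post's gotcha in action.
#  - the section for the most specific matching path decides, and its rules
#    REPLACE whatever a parent section granted rather than adding to it;
#  - a user matched by no rule in that section gets nothing at all;
#  - inside one section every matching rule ('*', @group, user) contributes
#    and the union of their rights is granted (assumed pre-1.10 behaviour);
#  - 'repo:/path' sections apply to one repository, bare '/path' to all.
import configparser
from typing import Dict, Optional, Set

# Constructed sample: the post's two sections plus three variations.
SAMPLE_AUTHZ = """
[groups]
devs = barneyb, nic
readonly = guest

[/]
barneyb = rw

[/bicycle_dashboard]
* = r
barneyb = rw

# nothing inherited: no '* = r' here, so anonymous users can't even see it
[/bicycle_dashboard/private]
barneyb = rw

# read-only trunk, but only in the repository named calc
[calc:/trunk]
@devs = r

# the trap: guest is in readonly AND matches '*', so the union is rw
[/scratch]
@readonly = r
* = rw
"""


class Authz:
    def __init__(self, text: str) -> None:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # keep user and group names case-sensitive
        cp.read_string(text)
        self.groups: Dict[str, Set[str]] = {}
        self.sections: Dict[str, Dict[str, str]] = {}
        for name in cp.sections():
            if name == "groups":
                for group, members in cp.items(name):
                    self.groups[group] = {m.strip() for m in members.split(",") if m.strip()}
            else:
                self.sections[name] = dict(cp.items(name))

    def _members(self, group: str, seen: frozenset = frozenset()) -> Set[str]:
        """Expand a group, following nested @group entries without looping."""
        out: Set[str] = set()
        for m in self.groups.get(group, set()):
            if not m.startswith("@"):
                out.add(m)
            elif m[1:] not in seen:
                out |= self._members(m[1:], seen | {group})
        return out

    def _matches(self, subject: str, user: Optional[str]) -> bool:
        """Does a rule's left-hand side apply to user (None means anonymous)?"""
        if subject == "*":
            return True
        if subject.startswith("@"):
            return user is not None and user in self._members(subject[1:])
        return user is not None and subject == user

    def _section(self, repo: Optional[str], path: str) -> Optional[Dict[str, str]]:
        """Walk from path up to '/' and return the first section that exists,
        trying the repo-qualified name before the bare one at each level."""
        parts = [p for p in path.split("/") if p]
        while True:
            candidate = "/" + "/".join(parts)
            for key in ((f"{repo}:{candidate}" if repo else None), candidate):
                if key is not None and key in self.sections:
                    return self.sections[key]
            if not parts:
                return None
            parts.pop()

    def rights(self, repo: Optional[str], path: str, user: Optional[str]) -> str:
        """Return 'r', 'rw' or '' for user on repo:path."""
        section = self._section(repo, path)
        if section is None:
            return ""
        granted: Set[str] = set()
        for subject, value in section.items():
            if self._matches(subject, user):
                granted |= set(value) & {"r", "w"}
        return "".join(sorted(granted))


if __name__ == "__main__":
    az = Authz(SAMPLE_AUTHZ)
    for repo, path, user in [("barneyb", "/", None), ("barneyb", "/bicycle_dashboard/README", None),
                             ("barneyb", "/bicycle_dashboard/private/keys", None),
                             ("calc", "/trunk/Makefile", "barneyb"), ("barneyb", "/scratch/notes", "guest")]:
        print(repo, path, user or "anonymous", "->", az.rights(repo, path, user) or "(none)")
```

Running it shows the three things worth remembering: barneyb gets only r on calc:/trunk because that section replaces the root's rw rather than adding to it; anonymous gets nothing under /bicycle_dashboard/private because the hidden folder's section omits `* = r`; and guest gets rw on /scratch even though the readonly group says r, since `* = rw` matches guest too. Under the older union semantics the fix for the last case is to grant write to an explicit group of writers instead of `*`.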
Would it be possible to have anonymous read-only access somehow? Or would I have to create an account in the passwords file called "anonymous" with a blank password or something to make this happen?
Nic,
If you use an asterisk for the username, that means anonymous, i.e. SVN won't do any authentication of its own. You can see that in the snippet of the AuthZ access file (line 5). So if you try to go to the /bicycle_dashboard path in my repository, you'll just get it. Access is read-only, but there's no need to authenticate with dummy credentials. However, if you try to perform a write operation (e.g. a commit), SVN will prompt for credentials (using HTTP Basic Auth).
Ok, so there's no need to have a username "*" in the specified AuthUserFile? I assumed that apache would authenticate against that file first before passing the request onto modsvn to check the per-directory authentication.
Nic,
Nope, though you do have to ensure that Apache will not require a valid login to access the URL-space that SVN is using. Apache does all the authentication, and it CAN do authorization as well. If you want to use SVN to do authorization, you just need to make sure that Apache's not doing it as well. There are use cases for having both processes do authorization, but they're not for anonymous access.
Hey Barney,
Thanks a lot for this short guide, I was looking for this.
If you don't mind I'll write a blog post on my own blog about this, but I'll note your URL as the source.
Regards, TheElitist
My subversion.conf file
My /etc/svn-authz File
Only santhosh and san are able to commit. But if I am trying from a different machine to my SVN server it's not asking for a password or username. Please assist me.
Santhosh,
I'm not sure what you're trying to accomplish. You've set your entire repository to be anonymously readable, and then restrict write access to san and santhosh. As soon as you attempt to write to the repo, you should be prompted for credentials, but reading will happen without them.
Yes, I agree with your words. The problem is that only from one Linux system it's not asking for a password. I do not know why it is. Except for this machine I tried from all the others, and it is working fine. While configuring for test purposes I used this particular machine as the client; I had set up SSL at that time. I am not sure of the root cause of this.
Now I want to configure SVN as follows..
I have two SVN servers; if I am committing to the 1st server it should be reflected in the second server also. Is there any chance to do this? If yes, please assist me by telling me how.
Thanks for the reply… Waiting for your answer.
Thanks a lot Barneyb.
Santhosh Kumar K V
Santhosh,
There are tools to replicate an SVN repository from one server to another. I've not used any of them, so don't know how well they work or what the setup overhead is. Depending on what your load is, you could also do something as simple as a post-commit hook that simply rsyncs the repository from the first server to the second, but that's not going to be as resilient and error-proof as a purpose built solution.
@Santhosh
Hmm, for the syncing what you could do is this: you create a post-commit hook, and in this post-commit hook script you execute a command on the remote server that pulls in all new changes (svn export or something).
Or you do something similar, but at 10 minute (or more) intervals through a cron job on the second server.
Hi barneyb and Xeross ..
Thanks for your support. I have done it using rsync. But the problem still exists: only from one client machine is it not asking for a password. What could be the reason?
I have used this particular machine while setting up the SVN Server.
Santhosh,
Does it have a non-HTTP repository URL (use `svn info` to see), which would make it bypass Apache's security? Or maybe you already have credentials cached, so there's no need to prompt you?
Yes, it helped me! Thanks a lot!
Hi barneyb
Now I have another requirement. Please help me to solve this.
The SVN User Should be able to change his own password.
How do I get this solved?
Thanks in advance!
@Santhosh: As you are using a passwd file to store users in, you'd have to make that editable, but that would present a security risk. An alternative would be to use the MySQL auth module with Apache, but I don't know how well that would work.
Yes! I am facing the same. Is there any alternative for it other than MySQL?
Santhosh,
If you want your users to be able to change their own password, you can't use Apache password files. You'll either need to use a database and write an application (probably a web app) to allow changing of passwords, or use an external authentication store (like LDAP). The latter should be considered preferable, as it provides various other benefits (it's already built, you can reuse credentials, etc.).
The built-in htpasswd file support that Apache ships with is useful for small, simple installations, but if you have complex requirements, a lot of users, etc., then you're better off with a "real" authentication mechanism.
We have built a product (a web application), which helps you manage a lot more in addition to user/user group authentication/authorization (htpasswd/path-based authorization), automatic backup scheduling, etc. for multiple project repositories. If anyone is interested, I can post the screencasts.
Can you let me know how to make the trunk in a Subversion repository read-only?
We want to use the branch to make all the changes to the code and leave the trunk as read-only so that the code is not messed up.
Thank you.
Rakesh, I haven't tested it, but you should be able to do this:
That'll allow anyone read/write access to /, and then constrain everyone to read-only access within /trunk
Barney, I don't know if I'm being dumb, but where should I do this?
Rakesh,
authz.conf. Check the actual post for specifics of how to set it up.
Hi,
Do you know of any way in SVN to make a file read-only, besides the svn lock mechanism?
I have a requirement to make one file read-only in SVN but know that SVN locks can be compromised easily.
Thank you.
- Spuds
Spuds,
I've not tried, but I'd expect you can specify a file (instead of a directory) in a security section:
Some people seem to have problems protecting their repositories; I'm the opposite! I tried to add anonymous read access:
but any attempt to access via Apache SSL demands a valid user name and password. How can I fix this?
Counterpoint, I don't use the multi-repository stuff (what I presume the "aliro:" in your path implies), so I'm not sure what to tell you about that. I just have unprefixed paths in my authz file. Also, what is your Satisfy directive in your httpd.conf? It should be 'any'.
Thanks, Barney. You're right, I didn't have Satisfy Any. Also added AuthzSVNAnonymous On and AuthzSVNNoAuthWhenAnonymousAllowed On. I'm not certain whether they were necessary or not – it seems very difficult to find any relevant documentation. Seems to work though :)
Hi –
Can you please explain what you mean by your last paragraph:
" The gotcha is that explicitly specified directories do not inherit from their parents. At each specified level, you must define the full auth spec."
As per: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
"Of course, permissions are inherited from parent to child directory."
(The same text is also in version 1.0 of the SVN book – c. 2004?)
Are you referring to something else?
Mike,
The key words are "explicitly specified". If you don't specify permissions for a directory, it inherits permissions from its parent (what the quote from the SVN book is saying). However, if you do specify permissions for a directory, those permissions are the full permission set, so if you want it to share some of the permission from a parent directory, you must respecify those permissions as well as adding the new ones.
Consider the snippet in the body of the post: I MUST respecify "barneyb = rw" for the "/bicycle_dashboard" directory. If I didn't list "/bicycle_dashboard" in my auth file, then it'd inherit the "barneyb = rw", but because I need to add the "* = r" config, I must respecify what I would otherwise inherit.
Thanks, Barney!
Santhosh, you can use the system passwd file to authenticate SVN on the SVN server, so if users want to change their password they can log in to the server and change their system password, which will be used by SVN authentication.
I think the above solves your problem.
I have the reverse problem.
I want everyone with a valid user id to have write access,
and a guest account with a blank password to have read-only access:
[groups]
readonly=guest
[/]
@readonly=r
*=rw
This does not work:
Apache matched the guest account with the second line (as it is also part of *)
and hence guest gets read/write access!
What do I do now?
I am using svnserve 1.4 on Windows 7. I want to set permissions in the authz file.
I want to give rw permission to a sub folder while the root folder is read-protected, because in my repository I have a lot of files and folders. So I want to give rw permission for some of the files and sub folders only; the other folders should be invisible to the user. That is, I want to give rw permissions to some of the sub folders only, not the entire directory and sub directories.
If I give the above code, nothing is displayed, because
if I give
all folders are visible to "group1". I don't want that.
The other option is
…
i.e. listing all the sub folders that are not needed for group1. I don't want to do it like this.
Please, anyone help me.
Hello barneyb,
I am very new to svn.
I just have setup the server and client.
I have created some repositories.
My question is –>
How do I restrict access to some folders in a repository? (That is, those folders should not even be visible to the user.)
Kindly suggest with the code.
sanjog, if you don't give read access to "*", then the folder won't be visible. I don't know what your setup is, but if you have the root set to allow anonymous read, you need only define a section for the folder you want to restrict and not give read access to it. Basically the reverse of the first example:
Now the repository will be readable, except for the 'bicycle_dashboard' folder which is only accessible to 'barneyb'.
Hi Barney
I've got both authentication and authorization working as they should in my setup. However, path-based restrictions don't seem to work for sub folders. Please see the authz snippet below:
From the above, I'm restricting write access to ctrlMusers only. But sadly, the ControlM folder has too many sub directories (SVNCOPY/ControlM/trunk/AciCore/build/release1).
user3 is not able to commit a file under SVNCOPY/ControlM/trunk/AciCore/build/release1 even though he has RW access at the parent folder level (ControlM). How do I go about resolving this issue? Thanks.
Karthik
Karthik,
I've never done path-based auth with multiple repositories (i.e., using SVNParentPath), but that seems like it should do what you want. Note that I think you have to repository-qualify all your paths (so the first section won't do anything). Also, I'm pretty sure the repo names are case sensitive; is your path really in all caps on the filesystem?
Barney – Thanks for your reply. I have got it working now. Yes, my repo name is all in caps (SVNCOPY) but the actual issue was that I didn't have to specify the repo name at all. Since I declared realm name as SYNCOPY, I guess it only needed to know the parent folder names at the root level. When I corrected, it started working as expected.
Cheers,
Karthik Durairajan
Hi Barney,
I need exactly what you explained in this post: a repo with RW access for authenticated users, but with a subpath with anonymous read-only access. So I configured Apache as you suggested:
…
# Authorization
AuthzSVNAccessFile my_auth_file
Satisfy any
Require valid-user
And the authz file is as follows
[repo:/]
matteo = rw
[repo:/public]
* = r
mbrunettini = rw
But it does not work on Subversion 1.6.17.
Where Am I wrong?
Thanks for you help.
Matteo
The problem is that if I do a checkout of the anonymous-enabled subpath "public" as follows:
svn co https://repo_url/public
Apache always asks for a username and password.