Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-1504

svn with crowd integration - unable to create subproject tag in svn without repo root directory write access

    XMLWordPrintable

Details

    • Bug
    • Resolution: Handled by Support
    • Medium
    • None
    • 1.6.1
    • Integration - Apache/Subversion
    • None

    • stand-alone install of crowd in bundled tomcat. centOS 5.2 with kernel 2.6.18-92. jre 1.6.0_12, mysql 5.0.45, apache httpd 2.2.3, summersoft subversion 1.5.6-1

    Description

      I am having a problem with SVN crowd integration. Our crowd instance is licensed to Paige Dunham at Emory University.

      I have a single repository with several directories. Each directory represents a development project. Each directory has subdirectories trunk, tags, and branches.

      I have set up SVN with crowd integration and for the most part things work as expected. Each project has its own crowd group.

      The issue I am running into is that when I try to create a tag within a project, as a member of the project's crowd group, I get the PROPFIND 403 authz failed error trying to access /svn. The project's crowd group does not have access to /svn but has rw access to the project directory /svn/projectX. I am not sure why the authorization for tagging is based on /svn instead of /svn/projectX or /svn/projectX/tags. If I give the project's crowd group write access to /svn, then things work obviously, which is a non-ideal solution as it defeats the purpose of svn access control at all.

      Below are my httpd.conf and my svn authz files. These are created based on the Crowd-Subversion integration documentation.

      httpd.conf:

      1. Needed to do Subversion Apache server.

      LoadModule dav_svn_module modules/mod_dav_svn.so

      1. Only needed if you decide to do "per-directory" access control.

      LoadModule authz_svn_module modules/mod_authz_svn.so

      1. required by crowd, but already loaded

      #LoadModule perl_module modules/mod_perl.so

      1. for crowd integration. crowd does not support SVNParentPath

      <Location /svn>
      DAV svn
      SVNPath /data/svn/cci

      AuthName "Subversion Crowd"
      AuthType Basic

      SSLRequireSSL

      1. do not use crowd for auth for now.
        PerlAuthenHandler Apache::CrowdAuth
        PerlSetVar CrowdAppName subversion
        PerlSetVar CrowdAppPassword passwd
        PerlSetVar CrowdSOAPURL https://hostname/crowd/services/SecurityServ
        er
      1. do not use crowd for authz for now
        PerlAccessHandler Apache::CrowdAuthz->access_handler
        PerlAuthzHandler Apache::CrowdAuthz
        PerlSetVar CrowdAuthzSVNAccessFile /data/svn/dav_svn_crowd.authz
        Satisfy any
        Require valid-user
      1. set caching to on to improve performance.
        PerlSetVar CrowdCacheEnabled on
        PerlSetVar CrowdCacheLocation /tmp/CrowdAuth
        PerlSetVar CrowdCacheExpiry 300

      </Location>

      and the dav_svn_crowd.authz file:

      1. only svn-admin can modify at the root level (e.g. create new directories)

      [/]
      @svn-admin = rw

      1. xmldata service

      [/xservice]
      @svn-xservice = rw

      • = r

      1. cvrg

      [/cvrg]
      @svn-cvrg = rw

      • = r

      1. incubator

      [/incubator]
      @svn-incubator = rw

      • = r

      1. ivi

      [/ivi]
      @svn-ivi = rw

      • = r

      #permissions
      [/permissions]
      @svn-permissions = rw

      • = r

      Thanks for your help.

      Attachments

        Activity

          People

            doflynn David O'Flynn [Atlassian]
            d1454a4cb6ab Tony Pan
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: