Details
- Bug
- Resolution: Handled by Support
- Medium
- None
- 1.6.1
- None
- Stand-alone install of Crowd in bundled Tomcat. CentOS 5.2 with kernel 2.6.18-92, JRE 1.6.0_12, MySQL 5.0.45, Apache httpd 2.2.3, Summersoft Subversion 1.5.6-1
Description
I am having a problem with SVN crowd integration. Our crowd instance is licensed to Paige Dunham at Emory University.
I have a single repository with several directories. Each directory represents a development project. Each directory has subdirectories trunk, tags, and branches.
I have set up SVN with crowd integration and for the most part things work as expected. Each project has its own crowd group.
The issue I am running into is that when I try to create a tag within a project, as a member of the project's crowd group, I get the PROPFIND 403 authz failed error trying to access /svn. The project's crowd group does not have access to /svn but has rw access to the project directory /svn/projectX. I am not sure why the authorization for tagging is based on /svn instead of /svn/projectX or /svn/projectX/tags. If I give the project's crowd group write access to /svn, then things work obviously, which is a non-ideal solution as it defeats the purpose of svn access control at all.
Below are my httpd.conf and my svn authz files. These are created based on the Crowd-Subversion integration documentation.
httpd.conf:
# Needed to do Subversion Apache server.
LoadModule dav_svn_module modules/mod_dav_svn.so
# Only needed if you decide to do "per-directory" access control.
LoadModule authz_svn_module modules/mod_authz_svn.so
# required by crowd, but already loaded
#LoadModule perl_module modules/mod_perl.so
# for crowd integration. crowd does not support SVNParentPath
<Location /svn>
  DAV svn
  SVNPath /data/svn/cci
  AuthName "Subversion Crowd"
  AuthType Basic
  SSLRequireSSL
  # do not use crowd for auth for now.
  PerlAuthenHandler Apache::CrowdAuth
  PerlSetVar CrowdAppName subversion
  PerlSetVar CrowdAppPassword passwd
  PerlSetVar CrowdSOAPURL https://hostname/crowd/services/SecurityServer
  # do not use crowd for authz for now
  PerlAccessHandler Apache::CrowdAuthz->access_handler
  PerlAuthzHandler Apache::CrowdAuthz
  PerlSetVar CrowdAuthzSVNAccessFile /data/svn/dav_svn_crowd.authz
  Satisfy any
  Require valid-user
  # set caching to on to improve performance.
  PerlSetVar CrowdCacheEnabled on
  PerlSetVar CrowdCacheLocation /tmp/CrowdAuth
  PerlSetVar CrowdCacheExpiry 300
</Location>
and the dav_svn_crowd.authz file:
# only svn-admin can modify at the root level (e.g. create new directories)
[/]
@svn-admin = rw
# xmldata service
[/xservice]
@svn-xservice = rw
* = r
# cvrg
[/cvrg]
@svn-cvrg = rw
* = r
# incubator
[/incubator]
@svn-incubator = rw
* = r
# ivi
[/ivi]
@svn-ivi = rw
* = r
#permissions
[/permissions]
@svn-permissions = rw
* = r
Thanks for your help.
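
Added example, not part of the original report and not Crowd's or Subversion's own code: a small Python model of path-based authz lookup, run over rules copied from the dav_svn_crowd.authz file above. It shows the access split the report describes, where a project group member has rw under the project path and nothing at the repository root. It assumes the nearest section holding a rule that matches the user decides, which is a simplification of the real handlers; the user name alice is constructed.

```python
# Subset of the rules from the report's dav_svn_crowd.authz.
AUTHZ = """
[/]
@svn-admin = rw
[/xservice]
@svn-xservice = rw
* = r
[/cvrg]
@svn-cvrg = rw
* = r
"""

def parse_authz(text):
    """Return {path: [(principal, rights), ...]} from authz-style text."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules[section] = []
        elif section is not None and "=" in line:
            who, rights = (part.strip() for part in line.split("=", 1))
            rules[section].append((who, rights))
    return rules

def effective_access(rules, path, user, groups):
    """Assumed model: walk from the path up to "/", and let the first
    section with a rule matching the user (name, @group or *) decide."""
    path = "/" + path.strip("/")
    while True:
        matched = [rights for who, rights in rules.get(path, [])
                   if who in ("*", user)
                   or (who.startswith("@") and who[1:] in groups)]
        if matched:
            # Union of the rights granted by every matching line.
            return "".join(c for c in "rw" if any(c in r for r in matched))
        if path == "/":
            return ""  # no matching rule anywhere up the tree: no access
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    rules = parse_authz(AUTHZ)
    # "alice" is a constructed user who belongs only to svn-xservice.
    for p in ("/", "/xservice", "/xservice/tags/1.0", "/cvrg"):
        print(p, repr(effective_access(rules, p, "alice", {"svn-xservice"})))
```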