
Apache module's Subversion support should support the SVNParentPath directive


      As of Crowd 1.2, the support for using Subversion authorization files to control access on a per-directory basis doesn't work if the SVNParentPath directive is used in the Apache config file. This is a known limitation.

      SVNParentPath allows you to put multiple svn repositories in a directory and access them through a single URL (see http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html and http://svnbook.red-bean.com/nightly/en/svn.ref.mod_dav_svn.conf.html).

      If you do have multiple repositories, you can make it work by defining Apache <Location> blocks for each one and using a separate authz file for each, but it's a bit more work to set up and maintain.

      Example:

      <Location /svn/tools1>
      DAV svn
      SVNPath /usr/local/svnrepos/tools1
      ...
      </Location>
      
      <Location /svn/tools2>
      DAV svn
      SVNPath /usr/local/svnrepos/tools2
      ...
      </Location>
      
      <Location /svn/tools3>
      DAV svn
      SVNPath /usr/local/svnrepos/tools3
      ...
      </Location>
      

            [CWD-776] Apache module's Subversion support should support the SVNParentPath directive

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3389137 ] New: JAC Suggestion Workflow 3 [ 3629565 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1393178 ] New: JAC Suggestion Workflow [ 3389137 ]
            Assignee Original: Adrian Hempel [Atlassian] [ ahempel ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 272025 ] New: Simplified Crowd Development Workflow v2 [ 1393178 ]
            jawong.adm made changes -
            Workflow Original: Feature Request Workflow [ 173750 ] New: Crowd Development Workflow v2 [ 272025 ]
            Adrian Hempel [Atlassian] made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
            Adrian Hempel [Atlassian] made changes -
            Status Original: Open [ 1 ] New: In Progress [ 3 ]
            shihab made changes -
            Assignee Original: David O'Flynn [Atlassian] [ doflynn ] New: Adrian Hempel [Atlassian] [ ahempel ]
            David O'Flynn [Atlassian] made changes -
            Fix Version/s New: 2.1 [ 14496 ]

            timmjd added a comment -

            I figured out a hack with Apache config file macros.
            Not so nice, but minimal config overhead for a bunch of repositories:

            <Macro crowd $svn_path $crowd_group>
              <Location /svn/$svn_path/>
                DAV svn
                SVNPath /mnt/svnroot/$svn_path/
            
                AuthName Crowd-Login
                AuthType Basic
                require valid-user
            
                PerlAuthenHandler Apache::CrowdAuth
                PerlAuthzHandler Apache::CrowdAuthz
            
                PerlSetVar CrowdAppName user
                PerlSetVar CrowdAppPassword pass
                PerlSetVar CrowdSOAPURL localhost:8095/crowd/services/SecurityServer
            
                PerlSetVar CrowdAllowedGroups '$crowd_group'
              </Location>
            </Macro>
            

            To instantiate a repository from inside the Apache config file:

            Use crowd foo_repo 'groupA, groupB'
            Use crowd bar_repo 'groupA, groupB'
            

            For getting the SVNParentPath listing:

            <Location /svnlist>
              DAV svn
              RedirectMatch ^/svnlist/(.+) /svn/$1
            
              SVNParentPath /mnt/svnroot
              SVNListParentPath On
            </Location>
            

            So finally you can use:
            hxxp://localhost/svnlist (to display the repository listing)
            hxxp://localhost/svn/foo_repo/ (to access a single repository)

            Does anybody know how to get my listing to hxxp://localhost/svn ?


            Rob Kooper added a comment -

            Here is what I did to get SVNParentPath to work. No guarantees. Apply the following patch to Crowd-Apache-Connector-1.2.3.zip, and install as normal. This patch will do the path check as before, but if it fails it will take the first element in the path and treat it as the repository. So, for example, when checking for access to /bar/trunk/folder it will first check that folder in the svn.auth file. If no match is found, it will check for bar:/trunk/folder in the svn.auth file.

            diff -cr apachecrowd.orig/Atlassian-Crowd-1.2.3/lib/Atlassian/Crowd.pm apachecrowd/Atlassian-Crowd-1.2.3/lib/Atlassian/Crowd.pm
            *** apachecrowd.orig/Atlassian-Crowd-1.2.3/lib/Atlassian/Crowd.pm	2009-03-02 05:08:25.000000000 -0600
            --- apachecrowd/Atlassian-Crowd-1.2.3/lib/Atlassian/Crowd.pm	2010-06-21 23:40:22.750190714 -0500
            ***************
            *** 387,392 ****
            --- 387,393 ----
              	my $access_specified = '';
              	my $access_granted = 0;
              	my $working_path = $repos_path;
            + 	my $parentpath;
              	
              	if($access eq "rw") {
              		$access = "wr";
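
            Review bot: `my $parentpath;` is declared at subroutine scope in this hunk, but the only assignment and use the patch adds are inside the new `if` block in the PATH loop. Declaring it with `my` inside that block keeps a value from one loop pass out of the next and makes this hunk unnecessary.
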
            ***************
            *** 405,411 ****
              	
              	PATH: while($working_path ne '') {
              		$access_specified = evaluate_single_path_authz($section_hash, $working_path, $user, $groups);
            ! 		
              		#Test::More::diag("WORKING_PATH: $working_path -> $access_specified");
              		if($access_specified ne 'n') {
              			last PATH;
            --- 406,416 ----
              	
              	PATH: while($working_path ne '') {
              		$access_specified = evaluate_single_path_authz($section_hash, $working_path, $user, $groups);
            ! 		if($access_specified eq 'n' && $working_path ne '/') {
            ! 			($parentpath = $working_path) =~ s/^\/([^\/]*)\/?/$1:\//;
            ! 			$access_specified = evaluate_single_path_authz($section_hash, $parentpath, $user, $groups);
            ! 		}
            ! 	
              		#Test::More::diag("WORKING_PATH: $working_path -> $access_specified");
              		if($access_specified ne 'n') {
              			last PATH;
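
            Review bot: In the rewritten `!` block the repository-qualified lookup runs only after the plain `$working_path` lookup has returned 'n', so a path-only section such as `[/bar/trunk]` decides before `[bar:/trunk]` is ever consulted. Subversion's own authz consults the repository-specific section first, so an access file shared with mod_authz_svn can resolve differently here; consider evaluating `$parentpath` first and falling back to `$working_path`. Also in the substitution, `[^\/]*` accepts an empty first element, so a path beginning with `//` is rewritten to a section name starting with `:/`; `[^\/]+` would leave such a path unchanged.
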
            

            Next, make sure your svn.auth file uses [<repository>:<path>] notation; you can also use [<repository>/<path>] if you want. For example, the following will give anybody read access and only those in group 'foo' write access to repository 'bar':

            [/]
            * = r
            
            [bar:/]
            @foo = rw
            

            Finally, make sure you set up your location for SSL. This is what we use:

                    # SVN
                    <Location /svn>
                            # Uncomment this to enable the repository
                            DAV svn
            
                            # Set this to the path to your repository
                            SVNParentPath /home/svn
                            SVNListParentPath on
            
                            # use autoversioning for dav clients
                            SVNAutoVersioning on
            
                            # Authentication
                            AuthName crowd
                            AuthType Basic
            
                            PerlAuthenHandler Apache::CrowdAuth
                            PerlSetVar CrowdAppName subversion
                            PerlSetVar CrowdAppPassword xyz
                            PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer
            
                            # Authorization
                            PerlAccessHandler Apache::CrowdAuthz->access_handler
                            PerlAuthzHandler Apache::CrowdAuthz
                            PerlSetVar CrowdAuthzSVNAccessFile /home/svn/svn.auth
            
                            Satisfy Any
                            Require valid-user
            
                            # The following three lines allow anonymous read, but make
                            # committers authenticate themselves.
                            <LimitExcept GET PROPFIND OPTIONS REPORT>
                                    Require valid-user
                            </LimitExcept>
                    </Location>
            
            

            Please let me know if this does or does not work; it seems to work in our case.
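
For auditing an svn.auth file against the lookup order described in the comment above, here is a small Python model that reports which section decides a request. It is an added example, not the connector's Perl code; the path-shortening loop, the user/@group/* matching order and the users alice and bob are assumptions.

```python
import re

# Constructed sample: the svn.auth content shown in the comment above.
SVN_AUTH = "[/]\n* = r\n\n[bar:/]\n@foo = rw\n"

def parse_sections(text):
    """Map each [section] header to its {principal: access} rules."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            who, access = (part.strip() for part in line.split("=", 1))
            current[who] = access
    return sections

def repo_qualified(path):
    """Python form of the patch's rewrite: /bar/trunk -> bar:/trunk."""
    return re.sub(r"^/([^/]*)/?", r"\1:/", path, count=1)

def lookup_order(repos_path):
    """Section names tried, in order, for one request path.

    Assumption: the surrounding loop drops the last path element on each
    pass and ends at '/'; the visible hunk does not show that step.
    """
    order, path = [], repos_path.rstrip("/") or "/"
    while True:
        order.append(path)
        if path == "/":
            return order
        order.append(repo_qualified(path))  # tried only after the plain path
        path = path.rsplit("/", 1)[0] or "/"

def deciding_section(sections, repos_path, user, groups):
    """First section in lookup order holding a rule for this user.

    Simplification (assumed): user, then @group, then '*' within a section.
    """
    principals = [user] + ["@" + g for g in groups] + ["*"]
    for name in lookup_order(repos_path):
        rules = sections.get(name, {})
        for who in principals:
            if who in rules:
                return name, rules[who]
    return None, ""

if __name__ == "__main__":
    acl = parse_sections(SVN_AUTH)
    for who, groups in (("alice", ["foo"]), ("bob", [])):  # hypothetical users
        print(who, deciding_section(acl, "/bar/trunk/folder", who, groups))
```

Adding a path-only `[/bar]` section to the sample makes that section decide for members of `foo` as well, because the plain path is tried before `bar:/`.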


              Unassigned Unassigned
              beb930a06022 Andrew Reid
              Votes: 20
              Watchers: 18
