I. Installation
mod_authz_svn will be installed alongside mod_dav_svn when the regular
installation instructions are followed.
NOTE: the module is functional, but you should consider it experimental.
Some configurations may not have the desired effect. Be sure to test
that your configuration works as intended.
II. Configuration
1. Configuring Apache
Modify your httpd.conf. Add the following line _after_ the one that
loads mod_dav_svn:
LoadModule authz_svn_module modules/mod_authz_svn.so
There are several ways to set up access checking for your Subversion
location. These are simple examples; for more complex configuration
of authentication/authorization with Apache, please refer to the
documentation: http://httpd.apache.org/docs-2.0/.
A. Example 1: Anonymous access only
This configuration allows an operation only on directories where
everyone (i.e. the anonymous user) has permission to perform that
operation. All other access is denied. See section II.2 on how to set
up permissions.
<Location /svn>
  DAV svn
  SVNPath /path/to/repos
  AuthzSVNAccessFile /path/to/access/file
</Location>
B. Example 2: Mixed anonymous and authenticated access
This configuration first checks whether anonymous access is allowed;
if not, it falls back to checking whether the authenticated user has
permission to perform the operation.
<Location /svn>
  DAV svn
  SVNPath /path/to/repos
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile /path/to/access/file
  # The following line allows falling back to authenticated
  # access when anonymous access fails.
  Satisfy Any
  Require valid-user
</Location>
NOTE: The access control is designed to never display entries that
the user does not have access to. Combining anonymous access on the
top levels while restricting read access lower in the directory
structure makes it difficult to browse because the server will not
request authentication.
C. Example 3: Authenticated access only
This configuration requires everyone accessing the repository to be
authenticated.
<Location /svn>
  DAV svn
  SVNPath /path/to/repos
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile /path/to/access/file
  Require valid-user
</Location>
NOTE: Because there is no 'Satisfy Any' line, the module acts as
though AuthzSVNAnonymous were set to 'No'. The AuthzSVNAnonymous
directive prevents the anonymous access check from being run.
D. Example 4: Per-repository access file
This configuration allows SVNParentPath to be used with a different
authz file per repository.
<Location /svn>
  DAV svn
  SVNParentPath /path/to/reposparent
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNReposRelativeAccessFile filename
  Require valid-user
</Location>
NOTE: 'AuthzSVNReposRelativeAccessFile filename' causes the authz file
to be read from <repo path>/conf/<filename>.
E. Example 5: Authz file stored in a Subversion repository
This configuration allows the authz file to be stored in a repository.
<Location /svn>
  DAV svn
  SVNParentPath /path/to/reposparent
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile file:///path/to/repos/authz
  Require valid-user
</Location>
NOTE: http:// and svn:// URLs are not supported, only local file://
absolute URLs may be used. The URL does not have to point to the
same repository as the repository being accessed. If you wish to
restrict access to this authz file and it is in the same repository
you should include a rule for it.
F. Example 6: Authz file stored inside the repository being accessed.
This configuration allows providing a relative path within the
repository being accessed.
<Location /svn>
  DAV svn
  SVNParentPath /path/to/reposparent
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile ^/authz
  Require valid-user
</Location>
NOTE: You should include rules in your authz file to restrict access
to the authz file as desired.
G. Example 7: Authenticated access to "Collection of Repositories"
The "Collection of Repositories" is filtered based on read access to
the root of each repository, i.e. consistent with the directory lists
within repositories. If read access is restricted in repository roots,
it is typically desirable to require authentication for "Collection of
Repositories" in order to ensure that repositories where the user has
access are displayed.
This is accomplished by specifying "Satisfy All" (which is the default
setting):
<Location /svn>
  DAV svn
  SVNParentPath /path/to/reposparent
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile /path/to/access/file
  # implicit Satisfy All
  Require valid-user
</Location>
If the same server must also serve paths with anonymous access, those
paths can be defined using an additional Location block.
<LocationMatch "^/svn/.+">
  Satisfy Any
  Require valid-user
</LocationMatch>
The "Require" statement in the previous example is not strictly
needed, but has been included for clarity.
H. Example 8: Separating groups and authorization rules
It may be convenient to maintain group definitions separately from
the authorization rules. This configuration allows splitting them
into two separate files.
The file specified by the AuthzSVNGroupsFile directive uses the
same format as the ordinary authz file and should contain a single
section with the group definitions. See section II.2.B for more
details.
<Location /svn>
  DAV svn
  SVNParentPath /path/to/reposparent
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd/file
  AuthzSVNAccessFile /path/to/access/file
  AuthzSVNGroupsFile /path/to/groups/file
  Require valid-user
</Location>
Configurations with per-repository access files may also use a
single file containing the group definitions. This configuration
avoids the need to duplicate the group definitions across multiple
per-repository access files.
AuthzSVNReposRelativeAccessFile filename
AuthzSVNGroupsFile /path/to/groups/file
NOTE: When the AuthzSVNGroupsFile directive is enabled, the
file specified with the AuthzSVNReposRelativeAccessFile or
AuthzSVNAccessFile directive cannot contain any group definitions.
2. Specifying permissions
A. File format of the access file
The file format of the access file looks like this:
[groups]
<groupname> = <user>[,<user>...]
...
[<path in repository>]
@<group> = [rw|r]
<user> = [rw|r]
* = [rw|r]
[<repository name>:<path in repository>]
@<group> = [rw|r]
<user> = [rw|r]
* = [rw|r]
An example (lines ending in a backslash are wrapped here for display
only; in the actual file each such entry must be on one line):
[groups]
subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \
daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \
bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \
epg,bdenny,jaa
subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
subversion-bindings = xela,yoshiki,morten,jespersm,knacke
subversion-rm = mprice
...and so on and so on...
[/]
# Allow everyone read on the entire repository
* = r
# Allow devs with blanket commit to write to the entire repository
@subversion = rw
[/trunk/doc]
@subversion-doc = rw
[/trunk/subversion/bindings]
@subversion-bindings = rw
[/branches]
@subversion-rm = rw
[/tags]
@subversion-rm = rw
[/branches/issue-650-ssl-certs]
mass = rw
[/branches/pluggable-db]
gthompson = rw
...
[/secrets]
# Just for demonstration
* =
@subversion = rw
# In case of SVNParentPath we can specify which repository we are
# referring to. If no matching repository qualified section is
# found, the general unqualified section is tried.
#
# NOTE: This will work in the case of using SVNPath as well, only
# the repository name (the last element of the url) will always be
# the same.
[dark:/]
* =
@dark = rw
[light:/]
@light = rw
B. File format of the groups file
The file format of the groups file looks like this:
[groups]
<groupname> = <user>[,<user>...]
...
An example:
[groups]
developers = harry,sally,john
managers = jim,joe
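The following is an added example, not part of this README and not the
module's own code. It is a small evaluator for the access-file format of
section II.2.A (path sections, @group/user/* rules, repository-qualified
sections tried before unqualified ones), the separate groups file of
section II.2.B, and two rules stated earlier: the Example 8 note that the
access file may not define groups when AuthzSVNGroupsFile is in use, and
the Example 5/6 note that the authz file itself should be protected by a
rule. The names Authz, parse_sections and ancestors, and the sample files,
are constructed for this example. One assumption is made that the README
does not state: when several rules in the same section apply to a user, a
rule naming the user directly wins over a group rule, which wins over '*';
that choice is what makes the README's [/secrets] section behave as
intended, but it is not taken from the module's source.

```python
"""mod_authz_svn access-file evaluator (added example, not the module's code).
Assumption: in one section a user rule beats a group rule beats '*' ([/secrets])."""
from __future__ import annotations


class AuthzError(ValueError):
    """Malformed or disallowed access-file content."""


def parse_sections(text: str) -> dict[str, list[tuple[str, str]]]:
    """'[section]' headers and 'name = value' lines in file order; '#' lines skipped."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is None or "=" not in line:
            raise AuthzError(f"line {lineno}: expected '[section]' or 'name = value'")
        else:
            name, _, value = line.partition("=")
            sections[current].append((name.strip(), value.strip()))
    return sections


def ancestors(path: str) -> list[str]:
    """'/a/b/c' -> ['/a/b/c', '/a/b', '/a', '/']."""
    out = ["/" + path.strip("/")]
    while out[-1] != "/":
        out.append(out[-1].rsplit("/", 1)[0] or "/")
    return out


class Authz:
    def __init__(self, access_text: str, groups_text: str | None = None) -> None:
        self.rules = parse_sections(access_text)
        if groups_text is None:
            group_defs = self.rules.pop("groups", [])
        elif "groups" in self.rules:  # Example 8: the access file may not define groups
            raise AuthzError("access file defines [groups] while a groups file is in use")
        elif set((gsec := parse_sections(groups_text))) != {"groups"}:
            raise AuthzError("groups file must hold exactly one [groups] section")
        else:
            group_defs = gsec["groups"]
        self.groups = {g: frozenset(m.strip() for m in members.split(",") if m.strip())
                       for g, members in group_defs}

    def _section_access(self, section: str, user: str | None) -> str | None:
        # Returns '' (denied), 'r' or 'rw', or None if no rule in the section applies.
        best_rank, best = -1, None
        for name, access in self.rules.get(section, []):
            if name == "*":
                rank = 0                        # everyone, anonymous included
            elif name.startswith("@"):
                if user not in self.groups.get(name[1:], ()):  # unknown group: nobody
                    continue
                rank = 1
            elif name == user:
                rank = 2
            else:
                continue
            if rank >= best_rank:               # later rule of equal rank wins
                best_rank, best = rank, access
        return best

    def access(self, repos: str, path: str, user: str | None) -> str:
        """Walk from `path` up to '/', trying '<repos>:<path>' before '<path>' at
        each level (section II.2.A); the first applicable rule decides."""
        for ancestor in ancestors(path):
            for section in (f"{repos}:{ancestor}", ancestor):
                granted = self._section_access(section, user)
                if granted is not None:
                    return granted
        return ""                               # no rule anywhere: denied


# Constructed sample files (not the README's examples).
SAMPLE_GROUPS = "[groups]\ndevs = harry,sally\n"
SAMPLE_ACCESS = """\
[/]
* = r
@devs = rw
[/secrets]
* =
@devs = rw
[/authz]
# Example 6 note: the access file itself lives at ^/authz, so restrict it
* =
@devs = r
[dark:/]
* =
@devs = rw
[light:/]
@devs = rw
"""
```

With the sample files loaded as Authz(SAMPLE_ACCESS, SAMPLE_GROUPS), an
anonymous request (user None) for light:/x is answered by the unqualified
[/] section because [light:/] has no rule for anonymous users, while
dark:/x is denied outright by the '* =' in [dark:/]; the same user is
denied on calc:/authz even though [/] grants everyone read, which is the
self-protection rule the Example 5 and 6 notes ask for. Loading a file
that contains both a [groups] section and a separate groups file raises
AuthzError, mirroring the Example 8 restriction.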