I. Installation

mod_authz_svn will be installed alongside mod_dav_svn when the regular
installation instructions are followed.

NOTE: the module is functional, but you should consider it experimental.
Some configurations may or may not have the desired effect. Be sure
to test if your configuration works as intended.

II. Configuration

1. Configuring Apache

Modify your httpd.conf. Add the following line _after_ the one that
loads mod_dav_svn:

    LoadModule authz_svn_module modules/mod_authz_svn.so

There are several ways to set up access checking for your Subversion
location. These are simple examples; for more complex configuration
of authentication/authorization with Apache, please refer to the
documentation: http://httpd.apache.org/docs-2.0/.

A. Example 1: Anonymous access only

This configuration allows access only to those directories on which
everyone has permission to perform the requested operation. All other
access is denied. See section II.2 on how to set up permissions.

    <Location /svn>
      DAV svn
      SVNPath /path/to/repos

      AuthzSVNAccessFile /path/to/access/file
    </Location>

B. Example 2: Mixed anonymous and authenticated access

This configuration first checks whether anonymous access is allowed;
if it is not, it falls back to checking whether the authenticated
user has permission to perform the requested operation.

    <Location /svn>
      DAV svn
      SVNPath /path/to/repos

      AuthType Basic
      AuthName "Subversion repository"
      AuthUserFile /path/to/htpasswd/file

      AuthzSVNAccessFile /path/to/access/file

      # The following line allows falling back to authenticated
      # access when anonymous access fails.
      Satisfy Any
      Require valid-user
    </Location>

C. Example 3: Authenticated access only

This configuration requires everyone accessing the repository to be
authenticated.

    <Location /svn>
      DAV svn
      SVNPath /path/to/repos

      AuthType Basic
      AuthName "Subversion repository"
      AuthUserFile /path/to/htpasswd/file

      AuthzSVNAccessFile /path/to/access/file

      Require valid-user
    </Location>

NOTE: Because there is no 'Satisfy Any' line, the module acts as
though AuthzSVNAnonymous were set to 'No'. With that setting, the
AuthzSVNAnonymous directive prevents the anonymous access check from
being run.

2. Specifying permissions

The file format of the access file looks like this:

    [groups]
    <groupname> = <user>[,<user>...]
    ...

    [<path in repository>]
    @<group> = [rw|r]
    <user> = [rw|r]
    * = [rw|r]

    [<repository name>:<path in repository>]
    @<group> = [rw|r]
    <user> = [rw|r]
    * = [rw|r]

An example (lines continued with a trailing backslash are supposed to
be on one line):

    [groups]
    subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \
                 daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \
                 bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \
                 epg,bdenny,jaa
    subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
    subversion-bindings = xela,yoshiki,morten,jespersm,knacke
    subversion-rm = mprice
    ...and so on and so on...

    [/]
    # Allow everyone read on the entire repository
    * = r
    # Allow devs with blanket commit to write to the entire repository
    @subversion = rw

    [/trunk/doc]
    @subversion-doc = rw

    [/trunk/subversion/bindings]
    @subversion-bindings = rw

    [/branches]
    @subversion-rm = rw

    [/tags]
    @subversion-rm = rw

    [/branches/issue-650-ssl-certs]
    mass = rw

    [/branches/pluggable-db]
    gthompson = rw

    ...

    [/secrets]
    # Just for demonstration
    * =
    @subversion = rw

    # In case of SVNParentPath we can specify which repository we are
    # referring to. If no matching repository qualified section is found,
    # the general unqualified section is tried.
    #
    # NOTE: This will work in the case of using SVNPath as well, only the
    # repository name (the last element of the url) will always be the
    # same.
    [dark:/]
    * =
    @dark = rw

    [light:/]
    @light = rw

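To test that an access file works as intended, its rules can be evaluated
offline before deployment. The following Python example is added here and is
not code from mod_authz_svn: it assumes that the nearest section (walking up
from the requested path) containing a rule for the user decides, that rights
within one section are combined, and that a repository-qualified section
replaces the unqualified one. The sample file and the names load,
section_rights and allowed are constructed for illustration.

```python
import configparser
import posixpath

# Constructed sample, cut down from the example access file above.
ACCESS_FILE = """
[groups]
subversion = jimb,sussman
subversion-doc = nsd,zbrown
dark = vader
[/]
* = r
@subversion = rw
[/trunk/doc]
@subversion-doc = rw
[/secrets]
* =
@subversion = rw
[dark:/]
* =
@dark = rw
"""

def load(text):
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep user and group names case-sensitive
    cfg.read_string(text)
    return cfg

def section_rights(cfg, section, user):
    """Union of rights from the rules that name this user; None if no rule does."""
    def applies(name):
        if name.startswith("@"):
            members = cfg.get("groups", name[1:], fallback="").split(",")
            return user in [m.strip() for m in members]
        return name in ("*", user)
    hits = [set(v) for n, v in cfg.items(section) if applies(n)]
    return set().union(*hits) if hits else None

def allowed(cfg, repo, path, user, need):
    """Assumed model: nearest section with a rule for the user decides; default deny."""
    while True:
        # A repository-qualified section, if present, replaces the unqualified one.
        section = next((s for s in (f"{repo}:{path}", path) if cfg.has_section(s)), None)
        rights = section_rights(cfg, section, user) if section else None
        if rights is not None:
            return need in rights
        if path == "/":
            return False
        path = posixpath.dirname(path)
```

Pass user=None for an anonymous request. Compare the answers with what the
server returns for the same user and path, since the module's behaviour is
authoritative.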