| 1 | I. Installation |
|---|
| 2 | |
|---|
| 3 | mod_authz_svn will be installed alongside mod_dav_svn when the regular |
|---|
| 4 | installation instructions are followed. |
|---|
| 5 | |
|---|
| 6 | NOTE: the module is functional, but you should consider it experimental. |
|---|
| 7 | Some configurations may or may not have the desired effect. Be sure |
|---|
| 8 | to test if your configuration works as intended. |
|---|
| 9 | |
|---|
| 10 | |
|---|
| 11 | II. Configuration |
|---|
| 12 | |
|---|
| 13 | 1. Configuring Apache |
|---|
| 14 | |
|---|
| 15 | Modify your httpd.conf. Add the following line _after_ the one that |
|---|
| 16 | loads mod_dav_svn: |
|---|
| 17 | |
|---|
| 18 | LoadModule authz_svn_module modules/mod_authz_svn.so |
|---|
| 19 | |
|---|
| 20 | There are several ways to setup access checking for your subversion |
|---|
| 21 | location. These are simple examples, for more complex configuration |
|---|
| 22 | of authentication/authorization with Apache, please refer to the |
|---|
| 23 | documentation: http://httpd.apache.org/docs-2.0/. |
|---|
| 24 | |
|---|
| 25 | A. Example 1: Anonymous access only |
|---|
| 26 | |
|---|
| 27 | This configuration will allow access only to the directories everyone |
|---|
| 28 | has permissions to do the operation performed. All other access is |
|---|
| 29 | denied. See section II.2 on how to set up permissions. |
|---|
| 30 | |
|---|
| 31 | <Location /svn> |
|---|
| 32 | DAV svn |
|---|
| 33 | SVNPath /path/to/repos |
|---|
| 34 | |
|---|
| 35 | AuthzSVNAccessFile /path/to/access/file |
|---|
| 36 | </Location> |
|---|
| 37 | |
|---|
| 38 | B. Example 2: Mixed anonymous and authenticated access |
|---|
| 39 | |
|---|
| 40 | This configuration checks to see if anonymous access is allowed |
|---|
| 41 | first, if not, it falls back to checking if the authenticated |
|---|
| 42 | user has permissions to do the operation performed. |
|---|
| 43 | |
|---|
| 44 | <Location /svn> |
|---|
| 45 | DAV svn |
|---|
| 46 | SVNPath /path/to/repos |
|---|
| 47 | |
|---|
| 48 | AuthType Basic |
|---|
| 49 | AuthName "Subversion repository" |
|---|
| 50 | AuthUserFile /path/to/htpasswd/file |
|---|
| 51 | |
|---|
| 52 | AuthzSVNAccessFile /path/to/access/file |
|---|
| 53 | |
|---|
| 54 | # The following line will allow to fall back to authenticated |
|---|
| 55 | # access when anonymous fails. |
|---|
| 56 | Satisfy Any |
|---|
| 57 | Require valid-user |
|---|
| 58 | </Location> |
|---|
| 59 | |
|---|
| 60 | C. Example 3: Authenticated access only |
|---|
| 61 | |
|---|
| 62 | This configuration requires everyone accessing the repository to be |
|---|
| 63 | authenticated. |
|---|
| 64 | |
|---|
| 65 | <Location /svn> |
|---|
| 66 | DAV svn |
|---|
| 67 | SVNPath /path/to/repos |
|---|
| 68 | |
|---|
| 69 | AuthType Basic |
|---|
| 70 | AuthName "Subversion repository" |
|---|
| 71 | AuthUserFile /path/to/htpasswd/file |
|---|
| 72 | |
|---|
| 73 | AuthzSVNAccessFile /path/to/access/file |
|---|
| 74 | |
|---|
| 75 | Require valid-user |
|---|
| 76 | </Location> |
|---|
| 77 | |
|---|
| 78 | NOTE: Because there is no 'Satisfy Any' line, the module acts as if |
|---|
| 79 | though AuthzSVNAnonymous was set to 'No'. The AuthzSVNAnonymous |
|---|
| 80 | directive prevents the anonymous access check from being run. |
|---|
| 81 | |
|---|
| 82 | |
|---|
| 83 | 2. Specifying permissions |
|---|
| 84 | |
|---|
| 85 | The file format of the access file looks like this: |
|---|
| 86 | |
|---|
| 87 | [groups] |
|---|
| 88 | <groupname> = <user>[,<user>...] |
|---|
| 89 | ... |
|---|
| 90 | |
|---|
| 91 | [<path in repository>] |
|---|
| 92 | @<group> = [rw|r] |
|---|
| 93 | <user> = [rw|r] |
|---|
| 94 | * = [rw|r] |
|---|
| 95 | |
|---|
| 96 | [<repository name>:<path in repository>] |
|---|
| 97 | @<group> = [rw|r] |
|---|
| 98 | <user> = [rw|r] |
|---|
| 99 | * = [rw|r] |
|---|
| 100 | |
|---|
| 101 | An example (line continued lines are supposed to be on one line): |
|---|
| 102 | |
|---|
| 103 | [groups] |
|---|
| 104 | subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \ |
|---|
| 105 | daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \ |
|---|
| 106 | bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \ |
|---|
| 107 | epg,bdenny,jaa |
|---|
| 108 | subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick |
|---|
| 109 | subversion-bindings = xela,yoshiki,morten,jespersm,knacke |
|---|
| 110 | subversion-rm = mprice |
|---|
| 111 | ...and so on and so on... |
|---|
| 112 | |
|---|
| 113 | [/] |
|---|
| 114 | # Allow everyone read on the entire repository |
|---|
| 115 | * = r |
|---|
| 116 | # Allow devs with blanket commit to write to the entire repository |
|---|
| 117 | @subversion = rw |
|---|
| 118 | |
|---|
| 119 | [/trunk/doc] |
|---|
| 120 | @subversion-doc = rw |
|---|
| 121 | |
|---|
| 122 | [/trunk/subversion/bindings] |
|---|
| 123 | @subversion-bindings = rw |
|---|
| 124 | |
|---|
| 125 | [/branches] |
|---|
| 126 | @subversion-rm = rw |
|---|
| 127 | |
|---|
| 128 | [/tags] |
|---|
| 129 | @subversion-rm = rw |
|---|
| 130 | |
|---|
| 131 | [/branches/issue-650-ssl-certs] |
|---|
| 132 | mass = rw |
|---|
| 133 | |
|---|
| 134 | [/branches/pluggable-db] |
|---|
| 135 | gthompson = rw |
|---|
| 136 | |
|---|
| 137 | ... |
|---|
| 138 | |
|---|
| 139 | [/secrets] |
|---|
| 140 | # Just for demonstration |
|---|
| 141 | * = |
|---|
| 142 | @subversion = rw |
|---|
| 143 | |
|---|
| 144 | # In case of SVNParentPath we can specify which repository we are |
|---|
| 145 | # referring to. If no matching repository qualified section is found, |
|---|
| 146 | # the general unqualified section is tried. |
|---|
| 147 | # |
|---|
| 148 | # NOTE: This will work in the case of using SVNPath as well, only the |
|---|
| 149 | # repository name (the last element of the url) will always be the |
|---|
| 150 | # same. |
|---|
| 151 | [dark:/] |
|---|
| 152 | * = |
|---|
| 153 | @dark = rw |
|---|
| 154 | |
|---|
| 155 | [light:/] |
|---|
| 156 | @light = rw |
|---|
| 157 | |
|---|
