Announcement

Collapse
No announcement yet.

Subversion Access Control at repo sub-folders issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Subversion Access Control at repo sub-folders issue

    Platform/Versions:
    Windows Server 2008 R2 Std SP1 (64 bit)
    CollabNet Subversion Apache 2.2.23 (win32)
    CollabNet Subversion Client Svnserve V1.7.8
    Authentication using SSPI (active directory)
    Tortoise SVN Client V1.8.11 (64 bit) or higher on Windows 7 Pro

    We use an access control file to limit who has access to subversion top-level repositories. We are now wanting to limit access to certain folders under the top-level. We’ve referenced the following examples, but they don’t seem to work for us.


    https://nithint.wordpress.com/2009/12/17/format-of-svn-access-file-for-path-based-authorization/
    https://www.open.collab.net/community/subversion/svnbook/svn.serverconfig.pathbasedauthz.html


    We have found that if you have access at the top level, then you get access to all lower level folders including the folders where someone should be denied access. Additionally, if you don’t have access at the top level but are given access at the lower level, you are still blocked from accessing the lower level. (We’re ok with the latter but find it curious as it seems to contradict what the websites say regarding permissions, that is, permissions at lower levels should override permissions at upper levels.) The access control at the lower level seems to be ignored.


    What we want:
    Junk_repo – top-level, grant Beth, Eric and Joe access
    Junk_repo/Commercial – grant Beth, Eric and Joe access
    Junk_repo/Military – grant Beth & Eric access. Deny Joe access

    We tried using groups and setting the permissions by group. (We use domain\userid active directory authentication therefore our access control file also uses domain\userid format.)

    The groups:
    Junk_repo_team = domain\beth, domain\eric, domain\joe

    Junk_repo_comm_team = domain\beth, domain\eric, domain\joe

    Junk_repo_mil_team = domain\beth, domain\eric (No Joe)


    The access:
    [Junk_repo:/]
    @Junk_repo_team = rw (Beth, Eric Joe have access)

    [Junk_repo:/Commercial]
    @Junk_repo_comm_team = rw (commercial team (Beth, Eric, Joe) has access)

    [Junk_repo:/Military]
    @Junk_repo_mil_team = rw (military team (Beth, Eric) has access. No access for Joe)


    The above failed so we then tried setting permissions by listing the userids at each level:


    [Junk_repo:/]
    domain\beth = rw (Beth, Eric and Joe have access)

    domain\eric = rw

    domain\joe = rw


    [Junk_repo:/Commercial]
    domain\beth = rw (Beth, Eric and Joe have access)

    domain\eric = rw

    domain\joe = rw


    [Junk_repo:/Military]
    domain\beth = rw (Beth and Eric have access. Joe does not have access.)

    domain\eric = rw

    #We even tried specifically denying Joe access to the Military folder:
    domain\joe=


    In both scenarios Joe was able to access the Junk_repo/Military folder where we specifically did not want him to have access to it.


    Do you have any experience with blocking access at various levels of a repo? If so, do you see anything obvious that we’re doing wrong?

  • #2
    It appears that you are using Apache. In this case, the section headers in the AuthZ file are of the format of:

    [<repoPath>:<subRepositoryPath>]
    @group = <privs>
    account = <privs>

    Where "<privs>" can be "rw", "r" or "" (readWrite, readOnly, deny)
    What folks tend to get wrong is the <repoPath> must be whatever path is leftover from the Apache configuration "<Location>" and "SVNParentPath/SVNPath" directives.
    So if you have:

    <Location /svn>
    DAV svn
    SVNParentPath /opt/repo
    ...
    </Location>
    Then an account accesses the URL/path "https://your.server.com/svn/a/b/repo" which actually (on disk) is located at "/opt/repo/a/b/repo" then the section header had better be:

    [a/b/repo:/secrets]
    @noaccessgroup =
    @friendlies = r
    @workers = rw
    If you're in this level of secrecy then you really should have the 1st section be:

    [/]
    * =
    Which will block all accounts from the repository unless you have specifically enabled them access.
    Last edited by DougR; 10-31-2016, 01:07 PM.

    Comment

    Working...
    X