  • user should only get tags with defined folders

    Hello members,

    I want to know if it is possible to give "normal" users (without a special permission) the possibility to get only the tags, and furthermore only a defined folder.
    The situation is that I have a repository with source code which includes the build folders.
    For normal users it should be impossible to get the source code or do a commit, but it should be possible to get all builds from all versions.

    And how can I give a defined group of users or single users the full permissions?

    Thank you very much for your post!

    Setup:
    Windows 7
    TortoiseSVN 1.8.10, Build 26129 - 64 Bit

  • #2
    With full SVN AuthZ you can lock down the repository as much as you want.

    See the man page here: http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html
    The 1.10 wildcard improvements: https://wiki.apache.org/subversion/AuthzImprovements
    More explanation of the wildcards: https://svn.haxx.se/dev/archive-2017-02/att-0188/SubversionWildcards.pptx

    A good example is discussed here: https://stackoverflow.com/questions/48295508/svn-restrict-access-to-everything-but-subdirectory

    • #3
      Hi DougR,

      thanks a lot for the URLs. This is very nice...

      Up to now I have no entry in the authz and passwd files.

      If I understood the manuals, I have to write the following lines in the authz file:

      ------------------------------
      [groups]
      admin = loginName

      [this_repos:/]
      * = rw

      [this_repos:/tags]
      * = r
      ------------------------------

      The admin has full access to the whole repository with all subfolders and files.
      All other users have no access (insight), read or write, to the whole repository.
      Only for the folder /tags do all other users have "read".
      Do they have "read" only for /tags, or also "read" for all subfolders in /tags/.../?

      Up to now I (admin) haven't got a password. Is a password explicitly needed, because the admin is already authenticated with the Windows login?

      • #4
        The '*' means "every account". If you're using a group it would look like:
        ------------------------------
        [groups]
        admgrp = loginName

        [/]
        * =

        [this_repo:/]
        @admgrp = rw

        [this_repo:/tags]
        * = r
        ------------------------------

        From /tags on downwards everyone has read-only.
        From / the "admgrp" group has full access (entire repository).
        Last edited by DougR; 07-19-2018, 09:23 AM. Reason: Fix "all repo" rule.

        • #5
          Thanks,

          what's the difference between:
          []
          * =

          [/]
          * =

          [this_repo/]
          * =

          Is this maybe all the same?

          Could you please give me your opinion about:
          "Up to now I (admin) haven't got a password. Is a password explicitly needed, because the admin is already authenticated with the Windows login?"

          • #6
            Typo above (I just fixed): the "[]" should have been "[/]". Sorry. That rule is for "all repos".

            Your 3rd is broken: should be "[this_repo:/]". It would be specific to "this_repo" and cover the entire repository.

            There is a way to set up "single sign on" (SSO) on Windows - I don't have any experience with it. Check with your Active Domain team for more details.

            However, if not configured for SSO then Authentication is done either via Apache or svnserve. They can be configured to use either LDAP as the Authentication Authority or their own password management.

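The questions in #3 (does "read" on /tags reach its subfolders?) and #5/#6 (what "[/]" versus "[this_repo:/]" covers) can be answered by walking the authz rules the way Subversion does. The evaluator below is an added example and is not code from this thread or from the Subversion project. It parses an authz file of the shape given in #4, then looks up access by starting at the requested path and moving up to the root, consulting the repository-specific section before the global one at each level and stopping at the first section that contains a rule applying to the user; within one section a user rule outranks a group rule, which outranks "*" (the precedence documented for Subversion 1.10 and later). The sample file is a constructed copy of the corrected file from #4, and the repository and user names (this_repo, other_repo, alice, bob) are assumptions.

```python
"""Toy evaluator for Subversion path-based authz files (added example).

Lookup order implemented here: from the requested path walk up to '/';
at each level check '[repo:path]' before '[path]'; the first section
with a rule that applies to the user decides. Within a section the
most specific subject wins: user name > @group > '*'.
"""
import configparser
import posixpath

# Constructed sample: the corrected file from post #4 (names are assumptions).
SAMPLE_AUTHZ = """\
[groups]
admgrp = alice

[/]
* =

[this_repo:/]
@admgrp = rw

[this_repo:/tags]
* = r
"""

# Same file with the admin group re-granted rw below /tags (see usage note).
SAMPLE_AUTHZ_FIXED = SAMPLE_AUTHZ + "@admgrp = rw\n"


def _norm(path):
    """Normalize a repository path to the form '/a/b' ('/' for the root)."""
    return posixpath.normpath("/" + path.strip("/"))


class Authz:
    def __init__(self, text):
        cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                       interpolation=None)
        cp.optionxform = str            # keep case of user names and '@group' keys
        cp.read_string(text)
        self.groups = {}                # group name -> members ('@x' = nested group)
        self.rules = {}                 # (repo or None, path) -> [(subject, perms), ...]
        for section in cp.sections():
            items = [(k, (v or "").strip()) for k, v in cp.items(section)]
            if section == "groups":
                self.groups = {g: [m.strip() for m in v.split(",") if m.strip()]
                               for g, v in items}
                continue
            repo, _, path = section.rpartition(":")   # '[/x]' -> global, '[repo:/x]' -> repo
            self.rules[(repo or None, _norm(path))] = items

    def _members(self, group, seen=()):
        """Expand a group (recursively, nested groups allowed) into user names."""
        users = set()
        for m in self.groups.get(group, []):
            if m.startswith("@"):
                if m[1:] not in seen:
                    users |= self._members(m[1:], seen + (m[1:],))
            else:
                users.add(m)
        return users

    def _section_perms(self, rules, user):
        """Perms from the most specific applicable rule in one section, else None."""
        best = None                     # (rank, perms); lower rank wins
        for subject, perms in rules:
            if subject == user:
                rank = 0
            elif subject.startswith("@") and user in self._members(subject[1:]):
                rank = 1
            elif subject == "*":        # every account, as post #4 says
                rank = 2
            else:
                continue
            if best is None or rank < best[0]:
                best = (rank, perms)
        return None if best is None else "".join(c for c in "rw" if c in best[1])

    def access(self, repo, path, user):
        """Return '', 'r' or 'rw' for `user` on `repo`:`path`."""
        path = _norm(path)
        while True:
            for key in ((repo, path), (None, path)):   # repo-specific first, then global
                if key in self.rules:
                    perms = self._section_perms(self.rules[key], user)
                    if perms is not None:
                        return perms
            if path == "/":
                return ""                               # no rule matched: no access
            path = posixpath.dirname(path)


def effective_access(authz_text, repo, path, user):
    return Authz(authz_text).access(repo, path, user)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for p in ("/trunk/main.c", "/tags/1.0/build/app.exe"):
            print(user, "this_repo:" + p, repr(effective_access(SAMPLE_AUTHZ, "this_repo", p, user)))
    print("alice other_repo:/", repr(effective_access(SAMPLE_AUTHZ, "other_repo", "/", "alice")))
```

Running it answers #3: bob gets read on everything below /tags (including /tags/1.0/build/app.exe, because the nearest section with an applicable rule is "[this_repo:/tags]") and nothing on /trunk. It also surfaces a side effect worth checking before deploying the file from #4: alice, although in admgrp, is matched by "*" in "[this_repo:/tags]", and since that is the nearest applicable section she is read-only below /tags; to keep the administrators' write access on tags, repeat "@admgrp = rw" in that section (SAMPLE_AUTHZ_FIXED). Finally, alice gets nothing in other_repo, because "[this_repo:/]" is repository-specific while "[/]" applies to every repository served from the same parent directory. For a real deployment, the "svnauthz accessof" tool shipped with Subversion 1.8 and later performs the same check against the server's own implementation.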
            • #7
              Ok, you can use this authz file for more repositories, but this file is located in one of the repositories (this_repos/conf). Could you define a special location for one authz and passwd file for all repositories?
              With authentication via SSO, Apache or svnserve I'm not familiar...
              In my case, I want at first to use the repository on a network drive where the other users have access. But I'm not really sure how the users are authenticated in SVN?

              • #8
                For single repo AuthZ files simply remove the "repo:" part of the stuff between the square brackets.

                The "repo:" is really more complicated: it's "<pathToRepo>:" and it is the "<pathToRepo>" from either the Apache SVNParentPath or the "-r <rootDir>" option (or the current working directory of svnserve if that option is not provided).

                Authentication in Apache is by whatever you've configured for Authentication. Authorization is via the AuthzSVNAccessFile specified in the <Location> block.

                Authentication in svnserve is however you've configured it OR however you've enabled access to it (e.g. via SSH). This gets arcane fast. Authorization is via the "svnserve.conf" file's "authz-db" configuration setting.

                • #9
                  Ok, to refer to all repositories I have to remove the "repo:", this is clear. But this file is located in one of the repositories (this_repos/conf). How should another repository know where the global authz file is located?

                  Where can I find this file "AuthzSVNAccessFile specified in the <Location> block"?

                  Authentication in my case: If I understood it right, I should uncomment the "# authz-db = authz" line in svnserve.conf and then the authz file works for authentication?
                  Sorry, but I can't imagine how a network user logs in to the repository, I mean which username he has, maybe his Windows login?

                  • #10
                    If Apache is doing the AuthN and within Apache SVN is doing the AuthZ then the AuthZ file need not be inside of the repository (it could be there but that would be unusual). In general, I would put it in the same directory as all of the repositories. I would use "SVNParentPath" to specify that directory. Then you would *need* to use the repository's name construct in the AuthZ file to specify the "<pathToRepo>" as I noted above.

                    As for "svnserve", no, uncommenting the "authz-db" line does not enable it to do AuthN (only AuthZ). Configuring "svnserve" for AuthN is medium for a local password file but hard for LDAP, etc.

                    Here's an example of a working Apache config for 2.2 (Apache 2.4 would be slightly different).
                    ---------------------
                    LoadModule dav_svn_module modules/mod_dav_svn.so
                    LoadModule authz_svn_module modules/mod_authz_svn.so
                    ServerName 192.168.56.32
                    NameVirtualHost *:80

                    <VirtualHost *:80>
                    <Location /svn>
                    DAV svn
                    SVNParentPath /opt/repo
                    SVNListParentPath On
                    AuthType Basic
                    AuthBasicProvider ldap
                    AuthName "SVN Repo"
                    AuthLDAPURL "ldap://192.168.56.222/ou=people,dc=ds,dc=example,dc=com?uid"
                    Require valid-user
                    AuthzSVNAccessFile /opt/repo/AuthZ.conf
                    </Location>
                    </VirtualHost>
                    ---------------------

                    The above uses LDAP. I'm sure you can find examples via Google for the htpasswd file model.

                    • #11
                      DougR, thank you very much for your detailed answer!!!
