SVN authz, path-based authentication woes
N

3

7
[groups]
developer = a,b,c
doc = r,x

[/doc]
@doc = rw
@developer = rw

[/]
@developer = rw
* =

If now a member of the group doc tries to check out the documentation, it does not work. I want members of doc just to be able to check out the sub-dir doc, anything else is forbidden. Any ideas how to achieve this?

kind regards ronny

[update]

client: svn, version 1.5.4 (r33841) server: svn, Version 1.4.6 (r28521)

access via svn+ssh:/user@host/fullpath-to-repos

  • 1 perfectly works for two years
  • 2 might be - see version numbers above (I'll contact our admin immediately)
  • 3 no? just ssh
  • 4 nope
  • 5 nope

[update]

  • using client version svn 1.4.6 (r28521) does not work either - same errors
  • I use plain command line access. svn co svn+ssh://....

[update]

  • server:Linux 2.6.16.60-0.39.3-default9 i686 athlon i386 GNU/Linux - suse 10? or something like that I think
  • client: Kubuntu 9.04
  • connection via OpenSSH SSH client
  • the server rejects svn:// connections from localhost - any connection --- gotta try it with a copy at home time soon

[update 4] * This is not my own server, I cannot do what I want with it. It is a very old server, running for at least 10 years, with hundreds of users. Standard things should work. Correct me if I am missing something.

[update 5] Believe it or not, I was using the wrong path and now everything works perfectly well. I am sorry to have wasted your time. I'll give the bounty to FoxyBOA for his effort.

Nyctalopia answered 11/6, 2009 at 8:39 Comment(4)
This authz file works pretty fine for me. I copy-pasted it into one of my apache servers and it worked out of the box, so the problem is in another part of your configuration. Which server do you use? If apache, look into the error log: what is the exact error message? – Chickpea
I use svn+ssh ... weird thing – Nyctalopia
Did you check the write permissions of the repository? Please post more details and the error msg. – Chickpea
There is only the "authentication failed" msg. I tried various combinations. I don't know what you expect, but it looks fine to me. – Nyctalopia
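Added example (not part of the original thread): a simplified model of how path-based rules resolve, run over the authz file from the question. It assumes the pre-1.10 lookup order (the deepest section with an entry for the user, one of their groups, or `*` decides, and grants inside that section are combined) and ignores repository-prefixed sections and nested groups; `parse`, `applies`, `access` and the user `zed` are names made up for this illustration.

```python
import configparser

# The authz file from the question, embedded verbatim.
AUTHZ = """\
[groups]
developer = a,b,c
doc = r,x

[/doc]
@doc = rw
@developer = rw

[/]
@developer = rw
* =
"""

def parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in m.split(",")} for g, m in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def applies(subject, user, groups):
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == user

def access(user, path, groups, rules):
    """Rights ('', 'r' or 'rw') under the assumed deepest-section-wins model."""
    path = "/" + path.strip("/")
    while True:
        hits = [v for k, v in rules.get(path, {}).items() if applies(k, user, groups)]
        if hits:  # this section decides; grants inside it are combined
            return "".join(c for c in "rw" if c in "".join(hits))
        if path == "/":
            return ""  # no rule anywhere names the user: no access
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent directory

GROUPS, RULES = parse(AUTHZ)

if __name__ == "__main__":
    # "zed" is a constructed user who is in neither group.
    for user, path in [("r", "/doc"), ("r", "/"), ("a", "/src"), ("zed", "/doc")]:
        print(f"{user:4} {path:6} -> {access(user, path, GROUPS, RULES) or 'no access'}")
```

Under this model members of doc get rw at /doc and below and nothing at the repository root, so the path at the end of the checkout URL decides whether the same user is let in or refused.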
C
2

Which URL do @doc members try to check out?

[UPDATED]

Could you please provide some additional info: the version of SVN on the server and client sides, and how your clients try to connect to the SVN server (e.g. from Eclipse using the subclipse library, command prompt etc.).

  1. If you are using svn+ssh, your user must have valid access to your server. Do your users have a correct shell (i.e. bash, tcsh etc.)? /bin/false and other fake shells will not work with the svn+ssh connection type.

  2. Another problem that may occur - different SVN versions on the server and client sides (e.g. server 1.4, client 1.5 which tries to connect using 1.5 technologies).

  3. Are you using SASL authentication with SVN?

  4. Are you using tunnelling?

  5. Are you using ssh configuration tricks described in svn docs?

[UPDATED2]

  1. Are you connecting to SVN from the command prompt or are you using an IDE? If you are using an IDE, please name it and provide info regarding which addon/library/etc. you are using for the connection to the SVN server.

[UPDATED3]

  1. Could you create a test account and temporarily try to get access to the SVN server w/o ssh? Just using the plain svn:// protocol. If it works, the issue is in ssh, if it fails - svn.
  2. Which tool are you using for the ssh connection and which OS are you working on?

[UPDATE4] - Are you sure that your svn server is started? If your svn works on the standard port, try to connect directly to the svn port from the server locally:

telnet localhost 3690

  • If it works, try to connect from a client (i.e. telnet ip_server 3690).

  • If telnet at the server works, but telnet from the client fails, check your firewalls, routers etc.

  • If telnet at the server fails, try to restart the svn server and check the server logs.

[UPDATE5]

In my mind your svn server has stopped. Could you please check if the svn service is visible locally (telnet from localhost to 3690) and remotely? If the svn service works correctly, in both cases you should get something like

( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )

Chladek answered 11/6, 2009 at 10:15 Comment(8)
Did you check that the issue is authentication? If you add a user x to @developer, can he check out? Did you correctly configure svnserve.conf for path-based authentication? – Chladek
I fiddled around pretty hard. So "yes". The redbook and other resources sadly don't help :( – Nyctalopia
Could you post your svnserve.conf file? – Chladek
I use svn+ssh for access, so I am pretty sure this config does not matter. Anyways: "anon-access = none auth-access = write password-db = passwd authz-db = authz realm = qva" – Nyctalopia
Config looks fine. Not sure if you need a realm. It should work w/o it. Are you using the full path to your svn library or is the server configured to substitute part of the path (i.e. svn+ssh://url/var/lib/svn/repo/doc or svn+ssh://url/doc)? – Chladek
What do you mean by "asdfasdfasdf"? – Chladek
My comment needs a certain length to get published 8[ – Nyctalopia
You can edit the original post or add a new reply to your own question. – Chladek
H
3

The true way to do this is here:

[groups]
developer = a,b,c
doc = r,x

[doc:/]
* =  
@doc = rw
@developer = rw

[otherPath:/]
* =
@developer = rw
@doc = r

[/] 
* = rw
Hendricks answered 14/5, 2010 at 14:41 Comment(1)
This does not work correctly. Because of the final [/] * = rw it opens rw access to all. – Nawrocki
M
0

"I use svn+ssh ... weird thing"

svn+ssh uses ssh to connect, then runs svnserve in tunnel mode

When running over a tunnel, authorization is primarily controlled by operating system permissions to the repository's database files; it's very much the same as if Harry were accessing the repository directly via a file:// URL.

svnserve documentation

In other words, it ignores the configuration you've set up.

Mysia answered 15/6, 2009 at 14:30 Comment(1)
Err, I am not fully convinced, but what would I do to get what I want? – Nyctalopia
