Monday, July 5, 2010

SVN Access Control with Apache

Subversion Setup.

Subversion must be installed on the host where you wish to configure
your svn repository.
If it is not, install it with the following command.

sudo apt-get install subversion libapache2-svn
1. Create a group called subversion for accessing the repository.
sudo addgroup subversion
 

2. Add users to the host.
a. Add www-data and each user who needs access to the tool to the subversion group.

sudo adduser [username] subversion   # This handles both new and existing users.
   or
  sudo usermod -aG subversion [username]
 
3. Creating the SVN repository.
We are using [/opt/svn/repos/] as the base for multiple subversion repositories.
sudo mkdir -p /opt/svn/repos/anonyrep
 sudo mkdir -p /opt/svn/repos/mgmtrep
 sudo mkdir -p /opt/svn/repos/enggrep
 sudo mkdir -p /opt/svn/repos/opsrep
 sudo mkdir -p /opt/svn/repos/DemoRep
 sudo mkdir -p /opt/svn/repos/SalesRep
 
 sudo svnadmin create /opt/svn/repos/anonyrep
 sudo svnadmin create /opt/svn/repos/mgmtrep
 sudo svnadmin create /opt/svn/repos/enggrep
 sudo svnadmin create /opt/svn/repos/opsrep
 sudo svnadmin create /opt/svn/repos/DemoRep
 sudo svnadmin create /opt/svn/repos/SalesRep
 
 cd /opt/svn/
 sudo chown -R www-data:subversion repos
 sudo chmod -R g+rws repos
 
This completes the setup for the subversion repositories and the
directories.

4. Apache setup.
If the Apache svn module is not installed, install it using the following command.

sudo apt-get install libapache2-svn
 
After the above steps have been completed, set up access to the repository via HTTP.

Since we have multiple repositories here, make the following entries in
/etc/apache2/mods-available/dav_svn.conf

                         
     # Uncomment this if commented, to enable SVN access over HTTP
     DAV svn
     # This is the path for the repository
     SVNParentPath /opt/svn/repos
     SVNListParentPath On
     AuthType Basic
     AuthName "Subversion Repository"
     # File which contains list of authorized users.
     AuthUserFile /etc/subversion/passwd
     
        Require valid-user
     
  
If you have only one repository, you can use the following entry.

     DAV svn
     SVNPath /opt/svn/repos/devrepos
     AuthType Basic
     AuthName "devrepos subversion repository"
     AuthUserFile /etc/subversion/passwd
     
        Require valid-user
     
  

5. Restart apache
/etc/init.d/apache2 restart

6. Since we have defined an AuthUserFile, we need to set up authorized users for
 this repository. To do that, perform the following steps.

sudo htpasswd -c /etc/subversion/passwd [username]
 
 Note: The -c flag is to be used only for the first entry. If you use -c flag for
 each entry, then you would end up overwriting the file.
 For subsequent entries to the file, use the following command.
 sudo htpasswd /etc/subversion/passwd [username]
 
 Use the command above to add subsequent users to the access list.
7. Create a new file for defining access control at the directory level. We will later add an entry to dav_svn.conf that refers to this file. For the repository I am setting up, I created it in /opt/svn/repos/svn_acl.conf
The contents of the file are as follows.
---------------------   
[mgmtrep:/]
ceo = rw

[enggrep:/]
cto = rw
demouser = rw
developer1 = rw
ceo = rw

[opsrep:/]
coo = rw
ceo = rw

[DemoRep:/]
cmo = rw
ceo = rw

[SalesRep:/]
cso = rw
ceo = rw

[anonyrep:/]
developer1 = rw
demouser = rw
---------------------
The entries in the square brackets correspond to the repositories in this svn installation. You can also refer to the document below to look at further examples for setting up finer path based authorization.
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html
The above entry is for an environment with a very small number of users. Ideally, you should create groups and leverage them. You can do that using the following setup.
-----------------------
[groups]
mgmteam = ceo, cto, coo, cmo, cso
enggteam = developer1, demouser

[mgmtrep:/]
@mgmteam

[enggrep:/]
@mgmteam = r
@enggteam = rw
------------------------
8. Now comes the part where you uncomment/make entries in the dav_svn.conf file.
sudo vi /etc/apache2/mods-available/dav_svn.conf
The entry in this file should now look as below.
                       
     DAV svn       
     # This is the path for the repository
     SVNParentPath /opt/svn/repos
     SVNListParentPath On
     AuthType Basic
     AuthName "Subversion Repository"
     # File which contains list of authorized users.
     AuthUserFile /etc/subversion/passwd
     # File which contains acl for each repository.
     AuthzSVNAccessFile /opt/svn/repos/svn_acl.conf
  Require valid-user
  
        Require valid-user
     
  
  
Now restart the apache server to reflect these changes.
/etc/init.d/apache2 restart
 
Now, you are all set with access control enabled subversion.
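A small checker for the svn_acl.conf format from step 7, added here as an example and not part of the original post: it parses the [groups] and [repo:/path] sections, reports rule lines it cannot interpret (such as a group name with no "= access" part), and computes a user's access in a section. It covers only the constructs used on this page (no path inheritance, aliases or negation); the function names and the rule that matching lines in a section combine are assumptions of the example.

```python
import re

# Sample input: the group-based ACL shown above, copied as-is. The
# "@mgmteam" line under [mgmtrep:/] has no "= access" part.
SAMPLE_ACL = """\
[groups]
mgmteam = ceo, cto, coo, cmo, cso
enggteam = developer1, demouser

[mgmtrep:/]
@mgmteam

[enggrep:/]
@mgmteam = r
@enggteam = rw
"""

def parse_acl(text):
    """Parse [groups] and [repo:/path] sections; return (groups, rules, problems)."""
    groups, rules, problems, section = {}, {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            if section != "groups":
                rules.setdefault(section, {})
        elif section is None or "=" not in line:
            problems.append((lineno, line))      # rule without "= access"
        else:
            name, value = (part.strip() for part in line.split("=", 1))
            if section == "groups":
                groups[name] = {u.strip() for u in value.split(",") if u.strip()}
            elif set(value) <= set("rw"):
                rules[section][name] = value     # "" means explicitly no access
            else:
                problems.append((lineno, line))  # unknown access letters
    return groups, rules, problems

def access(user, section, groups, rules):
    """Effective access of user in one section ('' = none). Assumption:
    permissions from every matching line in the section are combined."""
    granted = set()
    for name, perms in rules.get(section, {}).items():
        in_group = name.startswith("@") and user in groups.get(name[1:], ())
        if name in (user, "*") or in_group:
            granted |= set(perms)
    return "".join(p for p in "rw" if p in granted)

if __name__ == "__main__":
    groups, rules, problems = parse_acl(SAMPLE_ACL)
    print("problem lines:", problems)
    for who in ("ceo", "developer1"):
        print(who, {s: access(who, s, groups, rules) for s in rules})
```

Running it against the real file before restarting Apache shows which accounts end up with write access to each repository and which lines grant nothing.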
Please note, this was a setup that worked for me and my friend.
 If you intend to use this as is, then try this on a test setup before
 you actually implement it on an SVN setup. That way, you won't end up messing
 up an existing repository.
I have followed the Ubuntu server guide as well as the subversion guide to set up svn.
https://help.ubuntu.com/community/Subversion
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.pathbasedauthz.html
