
This queue is for tickets about the SVN-Web CPAN distribution.

Report information
The Basics
Id: 17277
Status: stalled
Priority: 0/
Queue: SVN-Web

People
Owner: Nobody in particular
Requestors: simonw [...] digitalcraftsmen.net
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: SVN::Web does not honour ACL
I don't think this is a bug, because you don't claim to honour ACLs but perhaps it could be filed as a feature request.

I have an ACL set up on our repos that allows some people read access to only certain projects with the repository. Using SVN::Web however, they have access to all of the projects.

It would be an excellent addition if the ACLs could be checked and prevent access to projects, branches etc if the user doesn't have rights.

We use basic auth (over SSL) to restrict access to the repository so this could be picked up from the environment.

I've got too many projects on already but if you can tell me where to start poking I might be able to contribute.

Many thanks.

Simon.
Subject: Re: [rt.cpan.org #17277] SVN::Web does not honour ACL
Date: Thu, 26 Jan 2006 10:24:01 +0000
To: bug-SVN-Web [...] rt.cpan.org
From: Nik Clayton <nik [...] ngo.org.uk>
Simon,

Guest via RT wrote:

> I don't think this is a bug, because you don't claim to honour ACLs but
> perhaps it could be filed as a feature request.
>
> I have an ACL set up on our repos that allows some people read access to
> only certain projects with the repository. Using SVN::Web however, they
> have access to all of the projects.
>
> It would be an excellent addition if the ACLs could be checked and
> prevent access to projects, branches etc if the user doesn't have rights.
>
> We use basic auth (over SSL) to restrict access to the repository so
> this could be picked up from the environment.
>
> I've got too many projects on already but if you can tell me where to
> start poking I might be able to contribute.

I *suspect* this is something that you can configure in Apache. At this point I should confess that I know very little about how you'd configure Apache to do this -- what follows is based on reading the documentation, I've not tested any of it.

As described in the SVN::Web documentation, an SVN::Web URL looks like this:

    .../<repo>/<action>/<path>?<arguments>

Since the <path> is normally present, you can use this to authenticate the user.

Say your repo has two top level directories, /group1, and /group2, with projects underneath:

    /group1/project1
    /group1/project2
    /group2/project1
    /group2/project2

and you don't want people in group1 to be able to see the projects under /group2, and vice-versa.

In theory (as I say, this is untested) you should be able to do this.

First, configure SVN::Web as normal, and make sure it works. Suppose your single repo is called 'repo', so the URLs look like this:

    .../repo/browse/group1/project1
    .../repo/browse/group1/project2
    .../repo/browse/group2/project1
    .../repo/browse/group2/project2

(if you're browsing -- 'browse' may also be 'view', 'log', 'checkout', and so on).

Add the necessary directives to your apache configuration to enforce authentication.

    <LocationMatch ".../repo/.*/group1/.*">
      AuthType Basic
      AuthName "Group 1 projects"
      AuthUserFile /path/to/your/password/file
      Require valid-user
    </LocationMatch>

Where "..." is the beginning of the URL to your SVN::Web installation.

You'd have a similar LocationMatch directive that would match group2's projects.

You should be able to use the same AuthName and AuthUserFile that you're using to do your existing user authentication, so users should find that the same user names and passwords work from the command line and when using the web interface.

Obviously you can have as many LocationMatch directives as you want, to make the control as fine-grained as necessary.

I couldn't find information about Apache's regex format in the documentation I have, so that LocationMatch example might not be quite right. Hopefully it gives you an idea of how to proceed though.

There's one fly in this ointment -- the 'revision' action doesn't act on a repository path, it acts on a repository revision number. Because of this, you can't use the path to authenticate the user. Since a particular revision could in theory affect paths under both /group1 and /group2 there's no easy way around this, short of disabling the 'revision' action entirely (which you can do -- it's a simple edit to config.yaml). This does lose some valuable functionality from SVN::Web though.

An approach which would solve this is to give each group their own Subversion repository. SVN::Web can display both those repos, and you can use the <repo> part of the URL in the LocationMatch statement instead of the <path>. Since each repo is completely separate, the 'revision' action issue doesn't come up.

I hope that helps -- as I say, I don't have much experience with configuring Apache to carry out authentication, so take the above with a grain of salt.

If you do get this working I'd be grateful if you could write up the process so that I can include it in the documentation for future versions of SVN::Web.

N
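
A coverage check for the LocationMatch rules proposed in the message above, added here as an example (it is not from the thread or from SVN::Web). The /svnweb prefix standing in for "...", the group2 rule, and the sample URLs (including the form of the 'revision' URL) are assumptions; Python's re stands in for Apache's regex engine, applied unanchored to the URL path only, as LocationMatch does.

```python
import re
from urllib.parse import urlsplit

PREFIX = "/svnweb"  # assumed mount point standing in for the "..." in the thread

# One regex per <LocationMatch> block, written as in the reply above.
# The group2 rule is the "similar directive" the reply mentions (assumed form).
RULES = {
    "group1": re.compile(PREFIX + r"/repo/.*/group1/.*"),
    "group2": re.compile(PREFIX + r"/repo/.*/group2/.*"),
}

def parse(url):
    """Split an SVN::Web URL into (repo, action, path) per <repo>/<action>/<path>."""
    path = urlsplit(url).path  # <arguments> (the query string) are dropped
    parts = path[len(PREFIX):].strip("/").split("/", 2)
    parts += [""] * (3 - len(parts))
    return parts[0], parts[1], "/" + parts[2]

def covering_rules(url):
    """Names of the rules whose regex matches the URL path (unanchored search)."""
    path = urlsplit(url).path  # LocationMatch never sees the query string
    return sorted(name for name, rx in RULES.items() if rx.search(path))

def audit(urls):
    """Return {url: (action, repo_path, rules)} so uncovered requests stand out."""
    report = {}
    for url in urls:
        _, action, repo_path = parse(url)
        report[url] = (action, repo_path, covering_rules(url))
    return report

# Constructed sample requests, not taken from a real server log.
SAMPLES = [
    PREFIX + "/repo/browse/group1/project1",
    PREFIX + "/repo/log/group2/project2?rev=7",
    PREFIX + "/repo/browse/group1",    # the directory itself, no trailing slash
    PREFIX + "/repo/revision?rev=42",  # acts on a revision number, carries no path
]

if __name__ == "__main__":
    for url, (action, repo_path, rules) in audit(SAMPLES).items():
        print(f"{action:9} {repo_path:18} {', '.join(rules) or 'NO RULE'}  {url}")
```

Requests reported as NO RULE are not covered by either LocationMatch block. The 'revision' request is the case described in the message above, and the bare directory URL shows why the pattern needs testing against every URL form SVN::Web generates before it is relied on.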
Subject: Re: [rt.cpan.org #17277] SVN::Web does not honour ACL
Date: Thu, 26 Jan 2006 21:18:26 +0000 (GMT)
To: "nik [...] ngo.org.uk via RT" <bug-SVN-Web [...] rt.cpan.org>
From: Simon Wilcox <simonw [...] digitalcraftsmen.net>
Hi Nic,

On Thu, 26 Jan 2006, nik@ngo.org.uk via RT wrote:

> I *suspect* this is something that you can configure in Apache. At this
> point I should confess that I know very little about how you'd configure
> Apache to do this -- what follows is based on reading the documentation,
> I've not tested any of it.

I think that may be a workaround but it would require us to maintain the ACL in two places, svn and apache. There ought to be some way to access the acl from within the Perl bindings. I'll try and have a look.

> If you do get this working I'd be grateful if you could write up the
> process so that I can include it in the documentation for future versions of
> SVN::Web.

Will do.

Simon Wilcox

--
Digital Craftsmen Ltd
213 Coppergate House, 16 Brune Street, London. E1 7NJ
t 020 7953 7768 f 020 7953 7709 m 07951 758698
w http://www.digitalcraftsmen.net/
Subject: Re: [rt.cpan.org #17277] SVN::Web does not honour ACL
Date: Fri, 27 Jan 2006 08:31:46 +0000
To: bug-SVN-Web [...] rt.cpan.org
From: Nik Clayton <nik [...] ngo.org.uk>
simonw@digitalcraftsmen.net via RT wrote:

> <URL: http://rt.cpan.org/Ticket/Display.html?id=17277 >
>
> Hi Nic,
>
> On Thu, 26 Jan 2006, nik@ngo.org.uk via RT wrote:
>
>> I *suspect* this is something that you can configure in Apache. At this
>> point I should confess that I know very little about how you'd configure
>> Apache to do this -- what follows is based on reading the documentation,
>> I've not tested any of it.
>
> I think that may be a workaround but it would require us to maintain the
> ACL in two places, svn and apache. There ought to be some way to access
> the acl from within the Perl bindings. I'll try and have a look.

Ah. Sorry, I thought you meant you were using Apache to provide access to the repo, and wanted to use Apache ACLs that you already had.

I don't know anything about the API, but it should make things easier. I'm off to the US for a couple of weeks -- I'm either going to be horrendously busy all the time, or I'll have evenings holed up in a hotel with Internet access. If it's the former then don't expect much progress. If it's the latter then I may have a solution worked out by the time I get back :-)

>> If you do get this working I'd be grateful if you could write up the
>> process so that I can include it in the documentation for future versions of
>> SVN::Web.
>
> Will do.

That would also help :-)

N
Simon,

I don't think this is going to be possible. At least, not without duplicating a lot of Subversion's existing auth functionality.

Broadly, there are three ways you can access an svn repo.

    ra_dav (http or https schemes)

    ra_svn (connecting to svnserve)

    ra_file (opening a repo on a local disk)

ra_dav and ra_svn support authentication and authorization. ra_file doesn't (or if it does I've failed to find the bit of the documentation that talks about it).

But SVN::Web uses the ra_file approach exclusively. So it can't hook in to the existing Subversion approaches.

I'm willing to be proved wrong, but I don't see a seamless way to approach this at the moment.

N
On Tue May 23 17:27:50 2006, NIKC wrote:

> I don't think this is going to be possible. At least, not without
> duplicating a lot of Subversion's existing auth functionality.
>
> Broadly, there are three ways you can access an svn repo.
>
> ra_dav (http or https schemes)
>
> ra_svn (connecting to svnserve)
>
> ra_file (opening a repo on a local disk)
>
> ra_dav and ra_svn support authentication and authorization. ra_file
> doesn't (or if it does I've failed to find the bit of the documentation
> that talks about it).
>
> But SVN::Web uses the ra_file approach exclusively. So it can't hook in
> to the existing Subversion approaches.
>
> I'm willing to be proved wrong, but I don't see a seamless way to
> approach this at the moment.

FWIW I'm looking at migrating away from the ra_file approach and using the other layers. This should allow what you want, and also means that SVN::Web will be runnable on hosts other than the repo host.

Not sure when I'll have that functionality ready yet, but I'll let you know when it's done.

N

I doubt you're still interested in this. I will leave this as stalled in case anyone wants to submit a patch.