Configuring Crowd and Subversion with dav_svn.authz

I'm trying to configure my Subversion server to use AuthzSVNCrowdAccessFile for directory-based authorization and I'm completely stuck. No matter what I try, the restrictions in my dav_svn.authz file are ignored by the server. All users that have access to the application created in Crowd to handle authentication have access to all directories.

My ultimate goal is to have a directory on the Subversion server that holds ~30 SVN repos. Some of the repos will be accessible by group1, some by group2, some by group3, and all by group4. With the setup defined below all users have access to all repos, no matter what the dav_svn.authz says.

In Crowd I've created an application named sse_svn_april with the URL http://10.74.47.100:8080/april. I created Crowd groups sse_oracle_dev and sse_oracle_qa and assigned a user to each group (User: oracle_developer Group: sse_oracle_dev, User: oracle_qa Group: sse_oracle_qa).
I granted both groups access to the sse_svn_april application and verified that both users pass the application's authentication test on the Crowd server.

I've created a directory on the Subversion server that will hold the repos: /var/subversion/april_sse_repositories. In that folder I've created a pair of repositories: rbs and Automation. In my subversion.conf file I created the following Location entry:

<Location /april/>
   DAV svn
   SVNParentPath /var/subversion/april_sse_repositories/
   SVNListParentPath on

   AuthType  Basic
   AuthName  "CROWD Authentication"
   PerlAuthenHandler Apache::CrowdAuth
   PerlSetVar CrowdAppName sse_svn_april
   PerlSetVar CrowdAppPassword password
   PerlSetVar CrowdSOAPURL http://crowdserver:8095/crowd/services/SecurityServer
   PerlSetVar CrowdCacheEnabled on
   PerlSetVar CrowdCacheLocation /tmp/CrowdAuth/sse_svn_april
   PerlSetVar CrowdCacheExpiry 180

   PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz

   require valid-user
</Location>

My dav_svn.authz file is below.

[groups]
sse_oracle_dev
sse_oracle_qa
jira-administrators

[/]
* =
@jira-administrators = rw

[rbs:/]
* =
@sse_oracle_dev = r
@sse_oracle_qa =

[automation:/]
* =
@sse_oracle_qa = r
@sse_oracle_dev =

With the above, I expected that user oracle_developer would have read-only access to the rbs repository and no access to the automation repository. The user oracle_qa would have read-only access to the automation repository and no access to the rbs repository. Instead, both users have access to both repositories.

I've tried several combinations of syntaxes for the dav_svn.authz without success. I've tried adding and removing the groups from the [groups] section, adding and removing the @ from the group names, and adding and removing the default "*=" from each section. The result is always the same: all users have access to all repositories. I've tried with both TortoiseSVN and a command-line SVN client and I've made sure to restart Apache after any change to the subversion.conf file or the dav_svn.authz file.

When I try to browse either repo I can see Crowd authenticate the user but I don't see anything about the dav_svn.authz file. When I restart Apache I can see that the dav_svn_module has loaded.

I'm using Crowd v2.2.2 and Subversion v1.5.1 on Red Hat Enterprise Linux Server release 5.4 (Tikanga)

I am officially baffled. Any help would be greatly appreciated and go a long way to me not having to pull an all-nighter this week.

1 answer

1 accepted

1 vote
Answer accepted

Hey Byron,

The correct way to configure authorization for the Perl Connector (which is very different than the native connector) is via these lines (example):

PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAuthzSVNAccessFile /usr/local/apache2/dav_svn.authz

Highlighted here: https://confluence.atlassian.com/display/CROWD020/Integrating+Crowd+with+Subversion (older version of the documentation that actually has the Perl connector config. See Step 3)

With this, you shouldn't have to pull an all-nighter anymore!

Foogie
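
A check for the failure in this thread, as an added example that is not part of the original posts or of Atlassian's code: it scans Apache `<Location>` blocks that authenticate through `Apache::CrowdAuth` and reports any that lack the authorization handler and variable named in the accepted answer. The function names are hypothetical and the two sample blocks are constructed from the question's configuration.

```python
import re

# Directive and variable names as given in the accepted answer.
AUTHZ_HANDLER = "Apache::CrowdAuthz"
AUTHZ_FILE_VAR = "CrowdAuthzSVNAccessFile"
LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)

# Constructed sample: the question's Location block, abridged.
BROKEN = """<Location /april/>
   DAV svn
   SVNParentPath /var/subversion/april_sse_repositories/
   AuthType Basic
   PerlAuthenHandler Apache::CrowdAuth
   PerlSetVar CrowdAppName sse_svn_april
   PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz
   require valid-user
</Location>
"""
# Constructed sample: the same block with the answer's two lines swapped in.
FIXED = BROKEN.replace(
    "PerlSetVar AuthzSVNCrowdAccessFile",
    "PerlAuthzHandler Apache::CrowdAuthz\n   PerlSetVar CrowdAuthzSVNAccessFile")

def directives(body):
    """Yield (lowercased name, argument list) for each directive line."""
    for line in body.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1:]

def audit_config(text):
    """Return findings for Crowd-authenticated locations lacking authorization."""
    findings = []
    for path, body in LOCATION_RE.findall(text):
        items = list(directives(body))
        handlers = {n: a[0] for n, a in items if n.endswith("handler") and a}
        setvars = {a[0] for n, a in items if n == "perlsetvar" and a}
        if handlers.get("perlauthenhandler") != "Apache::CrowdAuth":
            continue  # not a Perl-connector location
        if handlers.get("perlauthzhandler") != AUTHZ_HANDLER:
            findings.append(f"{path}: no PerlAuthzHandler {AUTHZ_HANDLER}, so "
                            "'require valid-user' admits every authenticated user")
        if AUTHZ_FILE_VAR not in setvars:
            findings.append(f"{path}: PerlSetVar {AUTHZ_FILE_VAR} is missing")
        # PerlSetVar accepts any name, so a misnamed variable loads silently.
        for var in sorted(setvars - {AUTHZ_FILE_VAR}):
            if "authz" in var.lower():
                findings.append(f"{path}: unexpected PerlSetVar {var}")
    return findings
```

Calling `audit_config` on the text of subversion.conf returns an empty list once the authorization handler and the correctly named variable are both present.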
