I'm trying to configure my Subversion server to use AuthzSVNCrowdAccessFile for directory-based authorization and I'm completely stuck. No matter what I try, the restrictions in my dav_svn.authz file are ignored by the server. All users that have access to the application created in Crowd to handle authentication have access to all directories.
My ultimate goal is to have a directory on the Subversion server that holds ~30 SVN repos. Some of the repos will be accessible by group1, some by group2, some by group3, and all by group4. With the setup defined below all users have access to all repos, no matter what the dav_svn.authz says.
In Crowd I've created an application named sse_svn_april with the URL http://10.74.47.100:8080/april. I created Crowd groups sse_oracle_dev and sse_oracle_qa and assigned a user to each group (User: oracle_developer Group: sse_oracle_dev, User: oracle_qa Group: sse_oracle_qa)
I granted both groups access to the sse_svn_april application and verified that both users pass the application's authentication test on the Crowd server.
I've created a directory on the Subversion server that will hold the repos: /var/subversion/april_sse_repositories. In that folder I've created a pair of repositories: rbs and Automation. In my subversion.conf file I created the following Location entry:
<Location /april/> DAV svn SVNParentPath /var/subversion/april_sse_repositories/ SVNListParentPath on AuthType Basic AuthName "CROWD Authentication" PerlAuthenHandler Apache::CrowdAuth PerlSetVar CrowdAppName sse_svn_april PerlSetVar CrowdAppPassword password PerlSetVar CrowdSOAPURL http://crowdserver:8095/crowd/services/SecurityServer PerlSetVar CrowdCacheEnabled on PerlSetVar CrowdCacheLocation /tmp/CrowdAuth/sse_svn_april PerlSetVar CrowdCacheExpiry 180 PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz require valid-user </Location>
My dav_svn.authz file is below.
[groups] sse_oracle_dev sse_oracle_qa jira-administrators [/] * = @jira-administrators = rw [rbs:/] * = @sse_oracle_dev = r @sse_oracle_qa = [automation:/] * = @sse_oracle_qa = r @sse_oracle_dev =
With the above, I expected that user oracle_developer would have read-only access to the rbs repository and no access to the automation repository. The user oracle_qa would have read-only access to the automation repository and no access to the rbs repository. Instead, both users have access to both repositories.
I've tried several combinations of syntaxes for the dav_svn.authz without success. I've tried adding and removing the groups from the [groups] section, adding and removing the @ from the group names, and adding and removing the default "*=" from each section. The result is always the same: all users have access to all repositories. I've tried with both TortoiseSVN and a command-line SVN client and I've made sure to restart Apache after any change to the subversion.conf file or the dav_svn.authzfile.
When I try to browse either repo I can see Crowd authenticate the user but I don't see anything about the dav_svn.authzfile. When I restart Apache I can see that the dav_svn_module has loaded.
I'm using Crowd v2.2.2 and Subversion v1.5.1 on Red Hat Enterprise Linux Server release 5.4 (Tikanga)
I am officially baffled. Any help would be greatly appreciated and go a long way to me not having to pull an all-nighter this week.
The correct way to configure authorization for the Perl Connector (which is very different than the native connector) is via these lines (example):
PerlAuthzHandler Apache::CrowdAuthz PerlSetVar CrowdAuthzSVNAccessFile /usr/local/apache2/dav_svn.authz
Highlighted here: https://confluence.atlassian.com/display/CROWD020/Integrating+Crowd+with+Subversion (older version of the documentation that actually has the Perl connector config. See Step 3)
With this, you shouldn't have to pull an all-nighter anymore!
Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs