Configuring Crowd and Subversion with dav_svn.authz

I'm trying to configure my Subversion server to use AuthzSVNCrowdAccessFile for directory-based authorization and I'm completely stuck. No matter what I try, the restrictions in my dav_svn.authz file are ignored by the server. All users that have access to the application created in Crowd to handle authentication have access to all directories.

My ultimate goal is to have a directory on the Subversion server that holds ~30 SVN repos. Some of the repos will be accessible by group1, some by group2, some by group3, and all by group4. With the setup defined below all users have access to all repos, no matter what the dav_svn.authz says.

In Crowd I've created an application named sse_svn_april with the URL http://10.74.47.100:8080/april. I created Crowd groups sse_oracle_dev and sse_oracle_qa and assigned a user to each group (User: oracle_developer Group: sse_oracle_dev, User: oracle_qa Group: sse_oracle_qa).
I granted both groups access to the sse_svn_april application and verified that both users pass the application's authentication test on the Crowd server.

I've created a directory on the Subversion server that will hold the repos: /var/subversion/april_sse_repositories. In that folder I've created a pair of repositories: rbs and Automation. In my subversion.conf file I created the following Location entry:

<Location /april/>
   DAV svn
   SVNParentPath /var/subversion/april_sse_repositories/
   SVNListParentPath on

   AuthType  Basic
   AuthName  "CROWD Authentication"
   PerlAuthenHandler Apache::CrowdAuth
   PerlSetVar CrowdAppName sse_svn_april
   PerlSetVar CrowdAppPassword password
   PerlSetVar CrowdSOAPURL http://crowdserver:8095/crowd/services/SecurityServer
   PerlSetVar CrowdCacheEnabled on
   PerlSetVar CrowdCacheLocation /tmp/CrowdAuth/sse_svn_april
   PerlSetVar CrowdCacheExpiry 180

   PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz

   require valid-user
</Location>

My dav_svn.authz file is below.

[groups]
sse_oracle_dev
sse_oracle_qa
jira-administrators

[/]
* =
@jira-administrators = rw

[rbs:/]
* =
@sse_oracle_dev = r
@sse_oracle_qa =

[automation:/]
* =
@sse_oracle_qa = r
@sse_oracle_dev =

With the above, I expected that user oracle_developer would have read-only access to the rbs repository and no access to the automation repository. The user oracle_qa would have read-only access to the automation repository and no access to the rbs repository. Instead, both users have access to both repositories.

I've tried several combinations of syntaxes for the dav_svn.authz without success. I've tried adding and removing the groups from the [groups] section, adding and removing the @ from the group names, and adding and removing the default "*=" from each section. The result is always the same: all users have access to all repositories. I've tried with both TortoiseSVN and a command-line SVN client and I've made sure to restart Apache after any change to the subversion.conf file or the dav_svn.authz file.

When I try to browse either repo I can see Crowd authenticate the user but I don't see anything about the dav_svn.authz file. When I restart Apache I can see that the dav_svn_module has loaded.

I'm using Crowd v2.2.2 and Subversion v1.5.1 on Red Hat Enterprise Linux Server release 5.4 (Tikanga).

I am officially baffled. Any help would be greatly appreciated and go a long way to me not having to pull an all-nighter this week.

Accepted answer

Hey Byron,

The correct way to configure authorization for the Perl Connector (which is very different than the native connector) is via these lines (example):

PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAuthzSVNAccessFile /usr/local/apache2/dav_svn.authz

Highlighted here: https://confluence.atlassian.com/display/CROWD020/Integrating+Crowd+with+Subversion (older version of the documentation that actually has the Perl connector config. See Step 3)

With this, you shouldn't have to pull an all-nighter anymore!

Foogie
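
A check for the misconfiguration discussed in this thread, as an added example (not code from the original posts or from Atlassian): it flags Location blocks that authenticate through Apache::CrowdAuth but have no Apache::CrowdAuthz handler or access-file variable, so every authenticated user passes `require valid-user`. The function name `audit_locations`, the name-similarity heuristic and both sample blocks are assumptions constructed for illustration.

```python
import re

# Directive names as given in the question and the accepted answer on this page.
AUTHN_HANDLER = "Apache::CrowdAuth"
AUTHZ_HANDLER = "Apache::CrowdAuthz"
AUTHZ_FILE_VAR = "CrowdAuthzSVNAccessFile"

# Constructed sample: the question's Location block, shortened.
BROKEN = """<Location /april/>
   DAV svn
   AuthType Basic
   PerlAuthenHandler Apache::CrowdAuth
   PerlSetVar CrowdAppName sse_svn_april
   PerlSetVar AuthzSVNCrowdAccessFile /usr/local/apache2/dav_svn.authz
   require valid-user
</Location>"""
# Constructed sample: the same block with the two lines from the accepted answer.
FIXED = BROKEN.replace(
    "PerlSetVar AuthzSVNCrowdAccessFile",
    "PerlAuthzHandler Apache::CrowdAuthz\n   PerlSetVar CrowdAuthzSVNAccessFile")

def audit_locations(conf_text):
    """Return {location_path: [findings]} for Crowd Perl connector blocks."""
    results = {}
    block_re = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
    for path, body in block_re.findall(conf_text):
        handlers, perl_vars = {}, {}
        for raw in body.splitlines():
            parts = raw.split()
            if not parts or parts[0].startswith("#"):
                continue  # blank line or comment
            key = parts[0].lower()
            if key in ("perlauthenhandler", "perlauthzhandler") and len(parts) >= 2:
                handlers[key] = parts[1]
            elif key == "perlsetvar" and len(parts) >= 3:
                perl_vars[parts[1]] = parts[2]
        if handlers.get("perlauthenhandler") != AUTHN_HANDLER:
            continue  # block does not use the Crowd Perl connector
        findings = []
        if handlers.get("perlauthzhandler") != AUTHZ_HANDLER:
            findings.append("missing PerlAuthzHandler " + AUTHZ_HANDLER)
        if AUTHZ_FILE_VAR not in perl_vars:
            findings.append("PerlSetVar " + AUTHZ_FILE_VAR + " is not set")
        # PerlSetVar accepts any name, so a transposed one is stored but never read.
        for name in perl_vars:
            low = name.lower()
            if name != AUTHZ_FILE_VAR and "authz" in low and "accessfile" in low:
                findings.append("PerlSetVar " + name + " looks like a misspelled " + AUTHZ_FILE_VAR)
        results[path.strip()] = findings
    return results
```

Run against the question's block, it reports the missing handler, the unset variable and the transposed variable name; the corrected block returns no findings.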
