This page last changed on May 05, 2008 by smaddox.
Install the Crowd Apache connector first

To use the Subversion connector, you will need to have the Crowd Apache Connector already installed.

Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine grained access by group or user.

Prerequisites

Configuring Crowd Authentication for Subversion

If you are using Apache to manage access to a Subversion repository (instructions), and are using Crowd to manage the Subversion authentication, then you can use the same configuration method to delegate user authentication to Crowd.

Example:

<Location /svn>

 # Uncomment this to enable the repository,
 DAV svn

 # Set this to the path to your repository
 SVNPath /var/lib/svn

 AuthName crowd
 AuthType Basic

 PerlAuthenHandler Apache::CrowdAuth
 PerlSetVar CrowdAppName subversion
 PerlSetVar CrowdAppPassword svn
 PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer

 require valid-user

 # The following three lines allow anonymous read, but make
 # committers authenticate themselves.
 <LimitExcept GET PROPFIND OPTIONS REPORT>
 Require valid-user
 </LimitExcept>

</Location>

Note that Apache will have to be restarted before any changes to its config files will take effect.

Configuring Crowd Authorisation for Subversion

To restrict Subversion repository access to certain groups and/or users, you can add the Apache::CrowdAuthz module and the CrowdAllowedGroups and CrowdAllowedUsers directives (described here).

For more fine-grained access, the CrowdAuthzSVNAccessFile directive is provided. For example:

  PerlAuthzHandler Apache::CrowdAuthz
  PerlSetVar CrowdAuthzSVNAccessFile /etc/apache2/dav_svn.authz

The CrowdAuthzSVNAccessFile setting lets you define a file where you can configure group and user access on a per-directory level.

The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here's a small example:

# Everyone has read access to the repository
# (unless modified below).
[/]
* = r

# Members of the bazdevelopers group can
# read and write to the BazWord project
[/BazWord]
@bazdevelopers = rw

# Members of the foodevelopers group can read and write
# to the FooCalc project
[/FooCalc]
@foodevelopers = rw

# Members of foodevelopers can read the branches
# directory but only user juliag (the release manager)
# can write to this path
[/FooCalc/branches]
juliag = rw
@foodevelopers = r

# peterc is a contractor, so he's denied all access to the statistics
# module (which is full of trade secrets).
[/FooCalc/trunk/statistics]
peterc =

Some notes:

  • The format is a series of one or more repository paths (minus the leading URL) followed by one or more group or user directives for each path.
  • You don't have to include every single path. If an exact path match isn't found, the settings for the nearest parent directory are used.
  • A user or group can be set to one of:
    • rw: read and write access.
    • r: read-only access.
    • <blank>: no access.
  • Group names are indicated by a leading '@' character.
  • Lines starting with a '#' are comments.
  • Note that the [groups] section of the file described in the Subversion docs is ignored by Apache::CrowdAuthz as group memberships come from Crowd.
  • Don't prefix the paths in the file with the repository name (e.g. '[calc:/foo]') (see note on SVNParentPath below).
  • If you specify a CrowdAuthzSVNAccessFile as well as one or both of CrowdAllowedGroups and CrowdAllowedUsers, only the CrowdAuthzSVNAccessFile is used for authorisation.
    SVNParentPath Not Supported
    Subversion provides the SVNParentPath directive, which allows multiple repositories in the same directory to use the same URL. The Crowd Apache integration modules do not support the use of SVNParentPath.
    For a detailed description of this file format, see the Subversion documentation.
RELATED TOPICS

Crowd Documentation


Atlassian-Crowd-0.02.zip (application/zip)
Apache-CrowdAuth-0.08.zip (application/zip)
Apache-CrowdAuthz-0.01.zip (application/zip)
Document generated by Confluence on May 08, 2008 19:36