This page last changed on Mar 02, 2009 by smaddox.
Install the Crowd Apache connector first
To use the Subversion connector, you will need to have the Crowd Apache Connector already installed.

Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine-grained access by group or user.

Prerequisites

Configuring Crowd Authentication for Subversion

If you are using Apache to manage access to a Subversion repository (instructions), and are using Crowd to manage the Apache authentication, then you can use the same configuration method to delegate Subversion's user authentication to Crowd.

Example:

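<Location /svn>

 # Enable the repository
 DAV svn

 # Set this to the path to your repository
 SVNPath /var/lib/svn

 AuthName crowd
 # Basic authentication sends the password with every request,
 # so serve this location over HTTPS.
 AuthType Basic

 PerlAuthenHandler Apache::CrowdAuth
 # Name and password of the application as defined in Crowd
 PerlSetVar CrowdAppName subversion
 PerlSetVar CrowdAppPassword svn
 PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer

 # Require a Crowd login for every request, reads included
 require valid-user

 # On their own, the following three lines would allow anonymous read
 # and make only committers authenticate. Together with the
 # unconditional 'require valid-user' above they have no extra effect.
 <LimitExcept GET PROPFIND OPTIONS REPORT>
 Require valid-user
 </LimitExcept>

</Location>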

Note that you will need to restart Apache before any changes to its configuration files will take effect.

Configuring Crowd Authorisation for Subversion

To restrict Subversion repository access to certain groups and/or users, you can add the Apache::CrowdAuthz module and the CrowdAllowedGroups and CrowdAllowedUsers directives (described here).

For more fine-grained access, Crowd provides the CrowdAuthzSVNAccessFile directive which allows you to define path-based access rules. Add the following lines (modifying the file location to fit your configuration) to the example above to enable the CrowdAuthzSVNAccessFile directive.

  PerlAuthzHandler Apache::CrowdAuthz
  PerlSetVar CrowdAuthzSVNAccessFile /etc/apache2/dav_svn.authz

The CrowdAuthzSVNAccessFile setting lets you define a file where you can configure group and user access at directory level.

The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here is a small example:

# Everyone has read access to the repository
# (unless modified below).
[/]
* = r

# Members of the bazdevelopers group can
# read and write to the BazWord project
[/BazWord]
@bazdevelopers = rw

# Members of the foodevelopers group can read and write
# to the FooCalc project
[/FooCalc]
@foodevelopers = rw

# Members of foodevelopers can read the branches
# directory but only user juliag (the release manager)
# can write to this path
[/FooCalc/branches]
juliag = rw
@foodevelopers = r

# peterc is a contractor, so he's denied all access to the statistics
# module (which is full of trade secrets).
[/FooCalc/trunk/statistics]
peterc =

Some notes:

  • The format is a series of one or more repository paths (minus the leading URL) followed by one or more group or user directives for each path.
  • You don't have to include every single path. If an exact path match is not found, the settings for the nearest parent directory are used.
  • Access for the user or group can be set to one of:
    • rw: read and write access.
    • r: read-only access.
    • <blank>: no access.
  • Group names are indicated by a leading '@' character.
  • Lines starting with a '#' are comments.
  • Note that the [groups] section of the file described in the Subversion documentation is ignored by Apache::CrowdAuthz, because group memberships come from Crowd.
  • Do not prefix the paths in the file with the repository name (e.g. '[calc:/foo]'). (See note on SVNParentPath below.)
  • If you specify a CrowdAuthzSVNAccessFile as well as one or both of CrowdAllowedGroups and CrowdAllowedUsers, only the CrowdAuthzSVNAccessFile is used for authorisation.

SVNParentPath Not Supported with CrowdAuthzSVNAccessFile
Subversion provides the SVNParentPath directive, which allows multiple repositories in the same directory to use the same URL. The Crowd Apache integration modules do not support the use of SVNParentPath if you are using the CrowdAuthzSVNAccessFile directive to define permissions. (Using SVNParentPath without the CrowdAuthzSVNAccessFile directive works fine.)

Mixing Authenticated and Anonymous Access

A common requirement for Subversion access is to have a combination of anonymous (where a username and password are not required) and authenticated access. For example, many administrators want to allow anonymous users to read certain repository directories, but want only authenticated users to read (or write) more sensitive areas. To enable anonymous access, add the following lines to the Apache configuration file:

PerlAccessHandler Apache::CrowdAuthz->access_handler
PerlAuthzHandler Apache::CrowdAuthz
PerlSetVar CrowdAuthzSVNAccessFile /etc/apache2/dav_svn.authz
Satisfy Any

When anonymous access is enabled as shown above, Apache will not require a password for any part of the repository that matches the '*' user in the CrowdAuthzSVNAccessFile file. For example, if you wanted to allow anonymous read access to most of a repository but require authentication for a private section, the CrowdAuthzSVNAccessFile file would look like this:

# login not required to read, only members of the 'developers' group can check in changes
[/]
* = r
@developers = rw

# anonymous access denied to /private directory 
[/private]
@developers = rw

See also this example in the Subversion documentation.

For a detailed description of the AuthzSVNAccessFile file format, see the Subversion documentation.
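
The notes on the access file format and the '*' rule for anonymous access can be checked before a file is deployed. The following is an added example, not code from Crowd or from the original page: it flags a [groups] section, repository-name prefixes and invalid access values, finds the section that governs a path (exact match, else nearest parent) and lists the sections readable without a password. The function names and the sample file are hypothetical, and it does not model how Apache::CrowdAuthz weighs user entries against group entries.

```python
import re

# Added example; names are hypothetical. SAMPLE is constructed, with three mistakes.
SAMPLE = """\
[groups]
foodevelopers = juliag, peterc
[/]
* = r
[/private]
@developers = rw
[calc:/foo]
[/FooCalc/branches]
juliag = rw
@foodevelopers = w
"""

def parse_access_file(text):
    """Return (sections, findings); sections maps path -> {principal: access}."""
    sections, findings, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            name, current = header.group(1).strip(), None
            if name == "groups":  # ignored: memberships come from Crowd
                findings.append((n, "[groups] section is ignored"))
            elif not name.startswith("/"):  # e.g. [calc:/foo]
                findings.append((n, "repository-name prefix not supported"))
            else:
                current = sections.setdefault(name.rstrip("/") or "/", {})
            continue
        principal, _, access = (p.strip() for p in line.partition("="))
        if current is not None and access in ("rw", "r", ""):
            current[principal] = access
        elif current is not None:  # entries of rejected sections are skipped
            findings.append((n, "access must be rw, r or blank"))
    return sections, findings

def governing_section(sections, path):
    """Exact match, else the nearest parent directory that has a section."""
    path = "/" + path.strip("/")
    while path not in sections and path != "/":
        path = path.rsplit("/", 1)[0] or "/"
    return path if path in sections else None

def anonymous_sections(sections):
    """Sections whose '*' entry grants access, so no password is required."""
    return sorted(p for p, rules in sections.items() if rules.get("*"))
```

Each finding is a (line number, message) pair, so the result can be printed next to the file during review.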

Atlassian-Crowd-0.02.zip (application/zip)
Apache-CrowdAuth-0.08.zip (application/zip)
Apache-CrowdAuthz-0.01.zip (application/zip)
Document generated by Confluence on Jul 30, 2009 01:29