Crowd 2.0 : Integrating Crowd with Subversion
This page last changed on Mar 02, 2009 by smaddox.
Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine grained access by group or user. PrerequisitesConfiguring Crowd Authentication for SubversionIf you are using Apache to manage access to a Subversion repository (instructions), and are using Crowd to manage the Apache authentication, then you can use the same configuration method to delegate Subversion's user authentication to Crowd. Example: <Location /svn> # Uncomment this to enable the repository DAV svn # Set this to the path to your repository SVNPath /var/lib/svn AuthName crowd AuthType Basic PerlAuthenHandler Apache::CrowdAuth PerlSetVar CrowdAppName subversion PerlSetVar CrowdAppPassword svn PerlSetVar CrowdSOAPURL http://localhost:8095/crowd/services/SecurityServer require valid-user # The following three lines allow anonymous read, but make # committers authenticate themselves. <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </Location> Note that you will need to restart Apache before any changes to its configuration files will take effect. Configuring Crowd Authorisation for SubversionTo restrict Subversion repository access to certain groups and/or users, you can add the Apache::CrowdAuthz module and the CrowdAllowedGroups and CrowdAllowedUsers directives (described here). For more fine-grained access, Crowd provides the CrowdAuthzSVNAccessFile directive which allows you to define path-based access rules. Add the following lines (modifying the file location to fit your configuration) to the example above to enable the CrowdAuthzSVNAccessFile directive. PerlAuthzHandler Apache::CrowdAuthz PerlSetVar CrowdAuthzSVNAccessFile /etc/apache2/dav_svn.authz The CrowdAuthzSVNAccessFile setting lets you define a file where you can configure group and user access at directory level. The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here is a small example: # Everyone has read access to the repository # (unless modified below). [/] * = r # Members of the bazdevelopers group can # read and write to the BazWord project [/BazWord] @bazdevelopers = rw # Members of the foodevelopers group can read and write # to the FooCalc project [/FooCalc] @foodevelopers = rw # Members of foodevelopers can read the branches # directory but only user juliag (the release manager) # can write to this path [/FooCalc/branches] juliag = rw @foodevelopers = r # peterc is a contractor, so he's denied all access to the statistics # module (which is full of trade secrets). [/FooCalc/trunk/statistics] peterc = Some notes:
Mixing Authenticated and Anonymous AccessA common requirement for Subversion access is to have a combination of anonymous (where a username and password is not required) and authenticated access. For example, many administrators want to allow anonymous users to read certain repository directories, but want only authenticated users to read (or write) more sensitive areas. To enable anonymous access, add the following lines to the Apache configuration file: PerlAccessHandler Apache::CrowdAuthz->access_handler PerlAuthzHandler Apache::CrowdAuthz PerlSetVar CrowdAuthzSVNAccessFile /etc/apache2/dav_svn.authz Satisfy Any When anonymous access is enabled as shown above, Apache will not require a password for any part of the repository that matches the '*' user in the CrowdAuthzSVNAccessFile file. For example, if you wanted to allow anonymous read access to most of a repository but require authentication for a private section, the CrowdAuthzSVNAccessFile file would look like this: # login not required to read, only members of the 'developers' group can check in changes [/] * = r @developers = rw # anonymous access denied to /private directory [/private] @developers = rw See also this example in the Subversion documentation. For a detailed description of the AuthzSVNAccessFile file format, see the Subversion documentation. RELATED TOPICS
![]() ![]() ![]() |
![]() |
Document generated by Confluence on Jul 30, 2009 01:29 |