Crowd 2.1 : Integrating Crowd with Subversion
This page last changed on Nov 30, 2010 by ahempel.
Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine-grained access by group or user. The following features are supported:
Step 1. Integrating Crowd with Apache

To use the Subversion connector, you will need to have the Crowd Apache connector already installed. Please follow the instructions on integrating Crowd with Apache.

Note that you do not need to define Subversion as an application in Crowd. Subversion and Apache will both use the same Crowd application.

Step 2. Configuring Crowd Authentication for Subversion

If you are using Apache to manage access to a Subversion repository (instructions) and are using Crowd to manage the Apache authentication (instructions) then you can use the same configuration method to delegate Subversion's user authentication to Crowd.

Example:

Note that you will need to restart Apache before any changes to its configuration files will take effect.

Step 3. Configuring Crowd Authorisation for Subversion

To restrict Subversion repository access to certain groups and/or users, you can add the Require group and Require user directives, described in the page on integrating Crowd with Apache.

For more fine-grained access, Crowd provides the AuthzSVNCrowdAccessFile directive which allows you to define path-based access rules.

Example:

The AuthzSVNCrowdAccessFile setting lets you define a file where you can configure group and user access at directory level. The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here is a short example:

    [groups]
    # Groups referred to in other sections must be listed here, but group membership is obtained from Crowd.
    bazdevelopers=
    foodevelopers=

    # Everyone has read access to the repository
    # (unless modified below).
    [/]
    * = r

    # Members of the bazdevelopers group can
    # read and write to the BazWord project
    [/BazWord]
    @bazdevelopers = rw

    # Members of the foodevelopers group can read and write
    # to the FooCalc project
    [/FooCalc]
    @foodevelopers = rw

    # Members of foodevelopers can read the branches
    # directory but only user juliag (the release manager)
    # can write to this path
    [/FooCalc/branches]
    juliag = rw
    @foodevelopers = r

    # peterc is a contractor, so he's denied all access to the statistics
    # module (which is full of trade secrets).
    [/FooCalc/trunk/statistics]
    peterc =

Notes:
Mixing Authenticated and Anonymous Access

A common requirement for Subversion access is to have a combination of anonymous access (where a username and password are not required) and authenticated access. For example, many administrators want to allow anonymous users to read certain repository directories, but want only authenticated users to read (or write) more sensitive areas.

To enable anonymous access, add the following to the Apache configuration file:

    AuthzSVNCrowdAccessFile /etc/apache2/dav_svn.authz
    AuthzSVNCrowdNoAuthWhenAnonymousAllowed On
    Satisfy Any
    Require valid-user

When anonymous access is enabled as shown above, Apache will not require a password for any part of the repository that matches the '*' user in the AuthzSVNCrowdAccessFile file. For example, if you wanted to allow anonymous read access to most of a repository but require authentication for a private section, the AuthzSVNCrowdAccessFile file would look like this:

    [groups]
    developers=

    # login not required to read, only members of the 'developers' group can check in changes
    [/]
    * = r
    @developers = rw

    # anonymous access denied to /private directory
    [/private]
    * =
    @developers = rw

See also this example in the Subversion documentation. For a detailed description of the AuthzSVNCrowdAccessFile file format, see the Subversion documentation.

Additional Configuration Options

You may customise your configuration further with the following optional commands:
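Returning to the access file rules: the following is an added example, not part of the original page, not Crowd's own code and not one of the optional commands. It is a simplified model of how a mod_authz_svn-style access file is resolved, run against the anonymous-access file shown on this page, so an administrator can check which paths will be served without a password. It assumes the most specific section that names the caller decides and that rights from all matching lines in that section are combined; `parse`, `rights_for`, `anonymous_paths` and the `groups` argument (standing in for the membership Crowd would supply) are hypothetical names.

```python
# Added example: simplified model of path-based authz lookup (not Crowd's code).
ACCESS_FILE = """\
[groups]
developers=

[/]
* = r
@developers = rw

[/private]
* =
@developers = rw
"""  # the anonymous-access file from this page, comments omitted

def parse(text):
    """Return {path: [(principal, rights), ...]}; [groups] entries are skipped."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "groups":
                rules.setdefault(section, [])
        elif section not in (None, "groups") and "=" in line:
            who, _, rights = line.partition("=")
            rules[section].append((who.strip(), rights.strip()))
    return rules

def rights_for(rules, path, user=None, groups=()):
    """Effective rights ('', 'r' or 'rw') on path; user=None means anonymous."""
    path = "/" + path.strip("/")
    while True:
        matched = [r for who, r in rules.get(path, [])
                   if who == "*" or who == user
                   or (who.startswith("@") and who[1:] in groups)]
        if matched:  # most specific section naming this caller decides
            return "".join(c for c in "rw" if any(c in r for r in matched))
        if path == "/":
            return ""  # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent path

def anonymous_paths(rules):
    """Sections readable without a password once anonymous access is enabled."""
    return sorted(p for p in rules if "r" in rights_for(rules, p))
```

Aliases, repository-prefixed sections and the `~` and `$` tokens of the full file format are not modelled.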
RELATED TOPICS
Document generated by Confluence on Nov 30, 2010 23:53