如何通过 WebSVN 限制存储库访问?
注意:我最初在 serverfault.com 上提出了这个问题,但是到目前为止只得到了一个回复,我想得越多,我就越意识到它可能在 stackoverflow 上更好。
我有多个通过 Apache 2.2 和 WebDAV 提供的 Subversion 存储库。 它们都位于一个中心位置,我使用了这个 debian-administration.org文章作为基础(不过我放弃了对简单 htpasswd 文件使用数据库身份验证)。
从那时起,我也开始使用 WebSVN。 我的问题是,并非系统上的所有用户都应该能够访问不同的存储库,并且 WebSVN 的默认设置是允许任何可以进行身份验证的人。
根据 WebSVN 文档,解决此问题的最佳方法是使用 subversion 的路径访问系统,因此我希望使用 AuthzSVNAccessFile 指令来创建它。
但当我这样做时,我不断收到“403 Forbidden”消息。
我的文件如下所示:
我在文件中有默认策略设置:
<Location /svn/>
DAV svn
SVNParentPath /var/lib/svn/repository
Order deny,allow
Deny from all
</Location>
每个存储库都有一个如下所示的策略文件:
<Location /svn/sysadmin/>
Include /var/lib/svn/conf/default_auth.conf
AuthName "Repository for sysadmin"
require user joebloggs jimsmith mickmurphy
</Location>
default_auth.conf 文件包含以下内容:
SVNParentPath /var/lib/svn/repository
AuthType basic
AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
我不完全确定为什么需要 default_auth.conf 中的第二个 SVNParentPath,但是我今天刚刚添加了这一点,因为添加 AuthzSVNAccessFile 指令后我收到了错误消息。
使用完全许可的访问文件,
[/]
joebloggs = rw
系统工作正常(并且基本上没有变化),但是当我开始尝试添加任何类型的限制(例如
[sysadmin:/]
joebloggs = rw
相反)时,我再次收到“权限被拒绝”错误。 日志文件条目是:
[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin
我需要做什么才能使其正常工作? apache配置错误,还是我对svnaccess.conf文件的理解不正确?
如果我以错误的方式处理这个问题,我对我的整体方法没有特别的依恋,所以也可以随意提供替代方案。
更新(20090528-1600):
我尝试实现这个答案,但我仍然无法让它正常工作。
我知道大部分配置都是正确的,因为我
[/]
joebloggs = rw
在开始时添加了“joebloggs”,然后就拥有了所有正确的访问权限。
当我尝试进入特定于存储库的操作时,做类似的事情,
[/]
joebloggs = rw
[sysadmin:/]
mickmurphy = rw
我收到了 mickmurphy 的权限被拒绝错误(joebloggs 仍然有效),其错误类似于我之前已经遇到的错误
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin
此外,我忘了之前解释我的所有存储库都是下面
/var/lib/svn/repository
更新(20090529-1245):
仍然没有运气让这个工作,但所有迹象似乎都指向问题是颠覆中的路径访问控制无法正常工作。 我的假设是我没有配置 apache 或 svn 来正确识别我的存储库结构。
这是因为“[/]”条目似乎工作得很好。
我还想到这个问题可能更适合放在 StackOverflow 上?
Note: I originally asked this question on serverfault.com but only got one response so far, and the more I think about it, the more I realise it is probably better on stackoverflow.
I have multiple subversion repositories which are served up through Apache 2.2 and WebDAV. They are all located in a central place, and I used this debian-administration.org article as the basis (I dropped the use of the database authentication for a simple htpasswd file though).
Since then, I have also started using WebSVN. My issue is that not all users on the system should be able to access the different repositories, and the default setup of WebSVN is to allow anyone who can authenticate.
According to the WebSVN documentation, the best way around this is to use subversion's path access system, so I looked to create this, using the AuthzSVNAccessFile directive.
When I do this though, I keep getting "403 Forbidden" messages.
My files look like the following:
I have default policy settings in a file:
<Location /svn/>
DAV svn
SVNParentPath /var/lib/svn/repository
Order deny,allow
Deny from all
</Location>
Each repository gets a policy file like below:
<Location /svn/sysadmin/>
Include /var/lib/svn/conf/default_auth.conf
AuthName "Repository for sysadmin"
require user joebloggs jimsmith mickmurphy
</Location>
The default_auth.conf file contains this:
SVNParentPath /var/lib/svn/repository
AuthType basic
AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
I am not fully sure why I need the second SVNParentPath in default_auth.conf, but I just added that today as I was getting error messages as a result of adding the AuthzSVNAccessFile directive.
With a totally permissive access file
[/]
joebloggs = rw
the system worked fine (and was essentially unchanged), but as I soon as I start trying to add any kind of restrictions such as
[sysadmin:/]
joebloggs = rw
instead, I get the 'Permission denied' errors again. The log file entries are:
[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin
What do I need to do to get this to work? Have configured apache wrong, or is my understanding of the svnaccess.conf file incorrect?
If I am going about this the wrong way, I have no particular attachment to my overall approach, so feel free to offer alternatives as well.
UPDATE (20090528-1600):
I attempted to implement this answer, but I still cannot get it to work properly.
I know most of the configuration is correct, as I have added
[/]
joebloggs = rw
at the start and 'joebloggs' then has all the correct access.
When I try to go repository-specific though, doing something like
[/]
joebloggs = rw
[sysadmin:/]
mickmurphy = rw
then I got a permission denied error for mickmurphy (joebloggs still works), with an error similar to what I already had previously
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin
Also, I forgot to explain previously that all my repositories are underneath
/var/lib/svn/repository
UPDATE (20090529-1245):
Still no luck getting this to work, but all the signs seem to be pointing to the issue being with path-access control in subversion not working properly. My assumption is that I have not configured apache or svn to properly recognise my repository structure.
This is because the '[/]' entry seems to work perfectly.
It also occurs to me that this is question that may belong better on StackOverflow?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以使用 apache 的 htpasswd 实用程序(位于 bin 目录中)生成 md5 密码文件。
然后,在您的 httpd.conf 中:
这将需要用户身份验证,并且仅接受位于密码文件(来自 htpasswd)中的用户名/密码组合进行访问。
此外,您还可以指定每个人的只读访问权限,但通过以下方式使用密码文件进行提交等(在位置标记内):
如果我理解您的需要,这应该可以解决用户级问题使用权。
编辑:
我忘了提及,如果您确实使用密码文件,请确保它无法通过网络访问(即,在存储它的 apache 中没有分配别名或目录)。
You can generate md5 password files using apache's htpasswd utility (located in the bin directory).
Then, in your httpd.conf:
This will require user authentication, and only username/password combinations located in the password file (from htpasswd) will be accepted for access.
In addition, you can also specify read-only access to everyone, but use the password file for commits, etc by the following (within the location tag):
If I'm understanding what you need, this should solve it for user-level access.
EDIT:
I forgot to mention, that if you do use a password file, make sure it is not accessible through the web (ie, no alias or directory are assigned in apache where it is stored).
您必须授予每个人对根目录的读取权限。 然后根据需要从特定存储库中删除读取访问权限。 与用户组合作可能有助于保持较小的配置。
你可以像这样尝试一下:
You have to give everybody read access to the root. Afterwards remove read acces from specific repositories as required. Working with user groups might help to keep the configuration small.
You might give it a try like this: