Read-Only and Read-Write SVN Repositories

Just got a comment on one of my posts from a while back about public SVN access wondering how to get it configured.  The basic idea is to have a single repository with anonymous read-only access, and have the same repository allow read-write access to authenticated users.  Further, you want to configure that on a per-directory basis (with inheritance, of course), so you can have different areas require different principals, and allow some sections to require authentication even for read access.

So without further ado, here's the magic configuration bits.

<Location /svn/barneyb>
    DAV             svn
    SVNPath         /path/to/svnroot/barneyb

    AuthType        Basic
    AuthName        "Subversion/Trac"
    AuthUserFile    /path/to/apache/conf/htpasswd

    AuthzSVNAccessFile  /path/to/apache/conf/authz.conf

    Satisfy     any
    Require     valid-user
</Location>

In this case I'm just using Basic auth with an htpasswd file for authentication.  The magic line is the "AuthzSVNAccessFile" line, which defines the file to use for authorization.  Here's a snippet:

[/]
barneyb = rw

[/bicycle_dashboard]
* = r
barneyb = rw

The first section says that for the root of the repository (/), only barneyb (me) is allowed access, and I'm allowed to read and write.  The second section says that for the /bicycle_dashboard path, I'm still allowed to read and write, but anyone is allowed to read.

The gotcha is that explicitly specified directories do not inherit from their parents.  At each specified level, you must define the full auth spec.  Full details on the authorization file can be found in the Subversion Book.  That link is for the nightly, so if you've got an old version of Subversion, you might want to go grab an older version of the book as well.  The general Apache docs can be found here.
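An added example (not from the original post): a small Python audit of an authz file that lists the paths a `*` rule opens to unauthenticated clients and flags sections that do not restate a principal granted on the nearest parent section, following the post's advice to define the full spec at each level. The sample file content and all function names are constructed for illustration; `[groups]` and repository-prefixed sections are skipped.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample: the post's snippet plus one section that omits barneyb.
SAMPLE = """
[/]
barneyb = rw

[/bicycle_dashboard]
* = r
barneyb = rw

[/private_notes]
* = r
"""

def load_authz(text):
    """Parse authz text into {path: {principal: access}}; non-path sections are skipped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}

def nearest_parent(path, sections):
    """Closest ancestor path that has its own section, or None."""
    for parent in PurePosixPath(path).parents:
        if str(parent) in sections:
            return str(parent)
    return None

def anonymous_paths(sections):
    """Paths where a '*' rule grants access without authentication."""
    return {p: r["*"] for p, r in sections.items() if r.get("*", "").strip()}

def dropped_principals(sections):
    """Principals granted on the nearest parent section but not restated in the child."""
    findings = {}
    for path, rules in sections.items():
        parent = nearest_parent(path, sections)
        if parent is None:
            continue
        missing = sorted(u for u, a in sections[parent].items()
                         if a.strip() and u not in rules)
        if missing:
            findings[path] = missing
    return findings

if __name__ == "__main__":
    authz = load_authz(SAMPLE)
    print("anonymous access:", anonymous_paths(authz))
    print("not restated from parent:", dropped_principals(authz))
```

Running it against the real `authz.conf` before reloading Apache gives a quick review list of every path exposed to anonymous readers.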

5 responses to “Read-Only and Read-Write SVN Repositories”

  1. Nic Cottrell

    Would it be possible to have anonymous read-only access somehow? Or would I have to create an account in the passwords file called "anonymous" with a blank password or something to make this happen?

  2. Nic Cottrell

    Ok, so there's no need to have a username "*" in the specified AuthUserFile? I assumed that apache would authenticate against that file first before passing the request onto modsvn to check the per-directory authentication.

  3. TheElitist

    Hey Barney,

    Thanks a lot for this short guide, I was looking for this.
    If you don't mind I'll write a blog post on my own blog about this, but I'll note your url as the source.

    Regards, TheElitist
