Just got a comment on one of my posts from a while back about public SVN access wondering how to get it configured. The basic idea is to have a single repository with anonymous read-only access, and have the same repository allow read-write access to authenticated users. Further, you want to configure that on a per-directory basis (with inheritance, of course), so you can have different areas require different principals, and allow some sections to require authentication even for read access.
So without further ado, here's the magic configuration bits.
<Location /svn/barneyb> DAV svn SVNPath /path/to/svnroot/barneyb AuthType Basic AuthName "Subversion/Trac" AuthUserFile /path/to/apache/conf/htpasswd AuthzSVNAccessFile /path/to/apache/conf/authz.conf Satisfy any Require valid-user </Location>
In this case I'm just using Basic auth with an htpasswd file for authentication. The magic line is the "AuthzSVNAccessFile" line, which defines the file to use for authorization. Here's a snippet:
[/] barneyb = rw [/bicycle_dashboard] * = r barneyb = rw
The first section says that for the root of the repository (/), only barneyb (me) is allowed access, and I'm allowed to read and write. The second section says that for the /bicycle_dashboard path, I'm still allowed to read and write, but anyone is allowed to read.
The gotcha is that explicitly specified directories do not inherit from their parents. At each specified level, you must define the full auth spec. Full details on the authorization file can be found in the Subversion Book. That link is for the nightly, so if you've got an old version of Subversion, you might want to go grab and older version of the book as well. The general Apache docs can be found here.
Would it be possible to have anonymous read-only access somehow? Or would I have to create an account in the passwords file called "anonymous" with a blank password or something to make this happen?
Nic,
If you use an asterisk for the username, that means anonymous. I.e. SVN won't do any authentication of it's own. You can see that in the snippet of the AuthZ access file (line 5). So if you try to go to the /bicycle_dashboard path in my repository, you'll just get it. Access is read-only, but no need to authenticate with dummy credentials. However, if you try to perform a write operation (e.g. a commit), SVN will prompt for credentials (using HTTP Basic Auth).
Ok, so there's no need to have a username "*" in the specified AuthUserFile? I assumed that apache would authenticate against that file first before passing the request onto modsvn to check the per-directory authentication.
Nic,
Nope, though you do have to ensure that Apache will not require a valid login to access the URL-space that SVN is using. Apache does all the authentication, and it CAN do authorization as well. If you want to use SVN to do authorization, you just need to make sure that Apache's not doing it as well. There are use cases for having both processes do authorization, but they're not for anonymous access.
Hey Barney,
Thanks a lot for this short guide, I was looking for this.
If you don't mind I'll write a blog post on my own blog about this, But I'll note your url as the source.
Regards, TheElitist
My subversion.conf file
DAV svn
SVNPath /var/www/svn/repos
AuthType Basic
AuthName "Authorization Realm"
AuthUserFile /etc/svn-auth-conf
# AuthUserFile /path/to/passwdfile
# SVNParentPath /var/www/svn
#
AuthzSVNAccessFile /etc/svn-authz
Satisfy any
Require valid-user
# # Limit write permission to list of valid users.
#
# # Require SSL connection for password protection.
# # SSLRequireSSL
#
#
My /etc/svn-authz File
———————————–
[/]
* = r
[/]
san = rw
santhosh = rw
——————————-
Only the santhosh and san are able to do commit. But if am trying from a differnt machine to my SVN server it's not asking for password or username. Please assit me
Santhosh,
I'm not sure what you're trying to accomplish. You've set your entire repository to be anonymously readable, and then restrict write access to san and santhosh. As soon as you attempt to write to the repo, you should be prompted for credentials, but reading will happen without them.
Yes , I agree with your words, The problem is only from one linux system it's not asking for password. I do not know why it is. Except this machine I tried from all other, it is working fine . While configuring for test purpose I used this particular machine as client, I had set ssl that time. I am not sure of the route cause of this.
Now I want to configure SVN as follows..
I have two svn server, if I am commiting from !st server it should reflect in the second server also. Is there any chance to execute this. If Yes, please assist me by telling how?
Thanks for the reply… Waiting for your answer.
Thanks a lot Barneyb……………..
Santhosh Kumar K V
Santhosh,
There are tools to replicate an SVN repository from one server to another. I've not used any of them, so don't know how well they work or what the setup overhead is. Depending on what your load is, you could also do something as simple as a post-commit hook that simply rsyncs the repository from the first server to the second, but that's not going to be as resilient and error-proof as a purpose built solution.
@Santhosh
Hmm for the syncing what you could do is this, you create a post-commit hook, in this post-commit hook script you execute a command on the remote server that pulls in all new changes, (svn export or something).
Or you do something similar but with 10 minute (or more) intervals through a cron-job on the second server.
Hi barneyb and Xeross ..
Thanks for your support. I have done it using rsync. But I have the problem existing still. Only from one client machine it's not asking for password. What could be the reason?
I have used this particular machine while setting up the SVN Server.
Santhosh,
Does it have a non-HTTP repository URL (use `svn info` to see), which would make it bypass Apache's security? Or maybe you already have credentials cached, so there's no need to prompt you?
Yes, It helped me!!!!!! Thanks a lot!!!!!!!!!!!
Hi barneyb
Now I have another requirement… Please help me to solve this.
The SVN User Should be able to change his own password.
How to get this solved
Thanks in advance!!!!
@Santhosh: As you are using a passwd file to store users in you'd have to make that editable, but that would present a security risk, an alternative would be to use the MySQL auth module with Apache but I don't know how well that would work.
Yes! I am facing the same . Is there any alternative for it than MySQL
Santhosh,
If you want your users to be able to change their own password, you can't use Apache password files. You'll either need to use a database and write an application (probably a web app) to allow changing of passwords, or use an external authentication store (like LDAP). The latter should be considered preferable, as it provides various other benefits (it's already built, you can reuse credentials, etc.).
The built-in htpasswd file support that Apache ships with is useful for small, simple installations, but if you have complex requirements, a lot of users, etc., then you're better off with a "real" authentication mechanism.
We have built a product (web application) , which helps you to manage a lot more in addition to user/user group authentication/authorization (htpasswd/path based authorization) , automatic backup scheduling etc for multiple project repositories. If anyone is interested, I can post the screencasts