Discussion:
problem authz_svn_module
Henk P. Penning
2017-01-15 09:02:12 UTC
Hi,

I use the authz_svn_module in 'repocafe' :

http://repocafe.science.uu.nl/

installed here :

https://svn.science.uu.nl/

My config :

<Location /repos>
DAV svn
SVNParentPath /data/svn/repos
AuthzSVNAccessFile /data/svn/admin/svnaccessfile
!! <LimitExcept PROPFIND>
Satisfy Any
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthBasicProvider svnlocal ldap_science
!! </LimitExcept>
</Location>

The problem is with 'private' repos with a 'public' subtree ;

https://svn.science.uu.nl/index.php?RID=1278

From the AuthzSVNAccessFile :

[project.mirmon:/]
penni101 = rw
# anonymous read not allowed
* =

[project.mirmon:/trunk]
penni101 = rw
# anonymous read allowed
* = r

So, https://svn.science.uu.nl/repos/project.mirmon/trunk
should work as if it was 'public' (anonymous access allowed).

But, without the "LimitExcept" lines in the config shown above,
these commands work :

% svn ls //svn.science.uu.nl/repos/project.mirmon/trunk
% svn cat //svn.science.uu.nl/repos/project.mirmon/trunk/probe

but (and this is the PROBLEM) the checkout command prompts
for a username/password :

% svn co //svn.science.uu.nl/repos/project.mirmon/trunk

With the "LimitExcept" lines in the config, the checkout
command works, although some errors appear in the log
(see below).

So, it appears that the 'checkout' command does a

PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk

which causes the username/password-prompt when the
"LimitExcept" lines are omitted.

-- Does this diagnosis make sense ?
-- How do I make this work, without the LimitExcept trick ?

Note :
-- The server is apache-2.4, but 2.2 appears to have probs too.
I wonder how authz_svn_module is supposed to work under 2.4
proper (without the 'old' "satisfy any"). Shouldn't authz_svn_module
set an environment variable in the case "r = *" (anonymous read) ?

-- I looked for guidance here :

https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL
G. Example 7: Authenticated access to "Collection of Repositories"

It comes close to my case, but it doesn't work.

Thanks for your help ; much appreciated ; regards,

Henk Penning

------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof HFG-406 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M ***@uu.nl \_/

Log-entries for

% svn co //svn.science.uu.nl/repos/project.mirmon/trunk

37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 200 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 97 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 200 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk HTTP/1.1" 207 342 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 200 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 97 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "OPTIONS /repos/project.mirmon/trunk HTTP/1.1" 200 200 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"

==> svn/error.log <==
[Sat Jan 14 14:23:10.690943 2017] [authz_svn:error] [pid 31902] [client 37.48.69.238:47680] Access denied: - PROPFIND project.mirmon:/

==> svn/access.log <==
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "PROPFIND /repos/project.mirmon/!svn/rvr/64 HTTP/1.1" 403 234 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
37.48.69.238 - - [14/Jan/2017:14:23:10 +0100] "REPORT /repos/project.mirmon/!svn/me HTTP/1.1" 200 201362 "-" "SVN/1.8.8 (x86_64-pc-linux-gnu) serf/1.3.3"
Daniel Shahaf
2017-01-16 18:48:44 UTC
Henk P. Penning wrote:
> Hi,

Hello!

> but (and this is the PROBLEM) the checkout command prompts
> % svn co //svn.science.uu.nl/repos/project.mirmon/trunk
> With the "LimitExcept" lines in the config, the checkout
> command works, although some errors appear in the log
> (see below).
> So, it appears that the 'checkout' command does a
> PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
> which causes the username/password-prompt when the
> "LimitExcept" lines are omitted.
> -- Does this diagnosis make sense ?
> -- How do I make this work, without the LimitExcept trick ?

LimitExcept is actually the documented recommendation; see
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz
(second code snippet)

The other option is to set two separate <Location> blocks, one for
anonymous users (that excludes everything-but-trunk unconditionally) and
one for authenticated users (that requires authentication for all
operations).

> -- The server is apache-2.4, but 2.2 appears to have probs too.
> I wonder how authz_svn_module is supposed to work under 2.4
> proper (without the 'old' "satisfy any"). Shouldn't authz_svn_module
> set an environment variable in the case "r = *" (anonymous read) ?

I'm not sure; ask dev@?

Cheers,

Daniel
Henk P. Penning
2017-01-17 07:49:52 UTC
> Date: Mon, 16 Jan 2017 19:48:44 +0100
> Subject: Re: problem authz_svn_module

Hi Daniel,

>> but (and this is the PROBLEM) the checkout command prompts
>> % svn co //svn.science.uu.nl/repos/project.mirmon/trunk
>> With the "LimitExcept" lines in the config, the checkout
>> command works, although some errors appear in the log
>> (see below).
>> So, it appears that the 'checkout' command does a
>> PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
>> which causes the username/password-prompt when the
>> "LimitExcept" lines are omitted.
>> -- Does this diagnosis make sense ?
>> -- How do I make this work, without the LimitExcept trick ?
>
> LimitExcept is actually the documented recommendation; see
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz
> (second code snippet)

Eh ; LimitExcept (together with GET PROPFIND OPTIONS REPORT) is
mentioned in the context of "anonymous read" and "valid-user write"
[the "GET" is a give-away] ; different case, I think.

What I have is a private repo with a public subtree (trunk) :

[project.mirmon:/]
penni101 = rw
# anonymous read not allowed
* =
[project.mirmon:/trunk]
penni101 = rw
# anonymous read allowed
* = r

An 'anonymous' user can browse (svn ls, svn cat)
but not checkout (svn co), because the checkout
does a (note the '!') :

PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk

> The other option is to set two separate <Location> blocks, one for
> anonymous users (that excludes everything-but-trunk unconditionally) and
> one for authenticated users (that requires authentication for all
> operations).

Do you mean : use 2 AuthzSVNAccessFile's ?

> Daniel

Thanks ; regards,

Henk Penning

Bert Huijben
2017-01-17 15:25:20 UTC
Henk P. Penning wrote:
> -----Original Message-----
> Sent: Tuesday 17 January 2017 08:50
> Subject: Re: problem authz_svn_module
>
>> Date: Mon, 16 Jan 2017 19:48:44 +0100
>> Subject: Re: problem authz_svn_module
>
> Hi Daniel,
>
>>> but (and this is the PROBLEM) the checkout command prompts
>>> % svn co //svn.science.uu.nl/repos/project.mirmon/trunk
>>> With the "LimitExcept" lines in the config, the checkout
>>> command works, although some errors appear in the log
>>> (see below).
>>> So, it appears that the 'checkout' command does a
>>> PROPFIND /repos/project.mirmon/!svn/rvr/64/trunk
>>> which causes the username/password-prompt when the
>>> "LimitExcept" lines are omitted.
>>> -- Does this diagnosis make sense ?
>>> -- How do I make this work, without the LimitExcept trick ?
>>
>> LimitExcept is actually the documented recommendation; see
>> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz
>> (second code snippet)
>
> Eh ; LimitExcept (together with GET PROPFIND OPTIONS REPORT) is
> mentioned in the context of "anonymous read" and "valid-user write"
> [the "GET" is a give-away] ; different case, I think.

Subversion uses a number of methods on both public and private URLs. With
the default configuration the private urls are below the magic '!svn'
subdir, but this may be configured differently (and change in future
versions).

Usually every Subversion client will start by performing one or more OPTIONS
requests, followed by other operations.

LIMITEXCEPT <method>... limits every method except the specified methods
with whatever is configured in that block. (Apache also has a 'LIMIT'
setting, which works the other way around... But we avoid using that in our
sample configurations as we originally assumed that we may use other methods
in future versions)

A checkout with Subversion 1.8 or later against a 1.8+ server will usually
include at least the GET, OPTIONS and REPORT methods. Older versions of
Subversion and nonstandard configurations may avoid the GET and/or may use
PROPFIND.


To configure your repository in your intended way I know of two common
configurations:
1. Configure the repository to be available anonymously with the standard
LIMITEXCEPT, which I think needs to include more operations than that in
your setting. This setting should be applied on the repository root, not the
trunk subdirectory.
The authz file can then configure specific settings on all subdirectories.

This configuration has some known limitations when hiding subdirectories
below a visible root... But it is the easiest way to expose full
repositories read-only.


2. Create a default guest user (e.g. 'guest' and a blank password)
This requires everybody to login, so everything can be handled by the authz
file.

Products like CollabNet SvnEdge use this configuration to avoid that problem
I just described with hiding subdirectories for specific users.



In your case I think you want to change your httpd.conf block to apply to
the repository root to make it include the private urls, and add the now
missing methods to the LimitExcept.
The authz setting will then handle your other configuration settings.

Thanks / Kind regards,

Bert Huijben
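As an added illustration of Henk's diagnosis (the "Access denied: - PROPFIND project.mirmon:/" error-log line) and of Bert's point about which methods are in play, not code from the thread or from Subversion itself: a small Python model of the quoted authz file that maps each request URL from the access log to the repository path mod_authz_svn checks and reports whether the request would be allowed for anonymous or for penni101. The rule resolution (deepest matching section decides, an explicit user rule beats '*', no groups or aliases) and the read-method set are simplifying assumptions; the '!svn/rvr/<rev>' mapping follows what the error log shows.

```python
import re
# Constructed copy of the authz file quoted in the thread (not the live server's file).
AUTHZ_TEXT = """
[project.mirmon:/]
penni101 = rw
* =
[project.mirmon:/trunk]
penni101 = rw
* = r
"""
READ_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}  # the svnbook's read-only set, as Henk notes

def parse_authz(text):
    # {(repo, path): {who: perms}}; groups/aliases not handled (simplified model, not libsvn_repos)
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            repo, _, path = line.strip("[]").partition(":")
            section = rules.setdefault((repo, path.rstrip("/")), {})
        elif line:
            who, _, perms = line.partition("=")
            section[who.strip()] = set(perms.strip())
    return rules

def access_for(rules, repo, path, user=None):
    # Deepest section naming the user or '*' (which also covers anonymous, user=None) decides;
    # assumed simplification: an explicit user rule beats '*' inside one section.
    parts = [p for p in path.split("/") if p]
    while True:
        section = rules.get((repo, "".join("/" + p for p in parts)), {})
        if user in section:
            return section[user]
        if "*" in section:
            return section["*"]
        if not parts:
            return set()
        parts.pop()

def repo_path(url, parent="/repos"):
    # '!svn/rvr/<rev>/<path>' addresses <path>; '!svn/rvr/<rev>' alone is the repository
    # root, which is what the error log shows being checked (project.mirmon:/).
    repo, _, tail = url[len(parent):].strip("/").partition("/")
    m = re.fullmatch(r"!svn/rvr/\d+(?:/(.*))?", tail)
    return repo, "/" + ((m.group(1) or "") if m else tail)

RULES = parse_authz(AUTHZ_TEXT)

def decide(method, url, user=None):
    # 'allow' or 'deny' for one request line, e.g. the PROPFINDs in Henk's access log.
    repo, path = repo_path(url)
    need = "r" if method in READ_METHODS else "w"
    return "allow" if need in access_for(RULES, repo, path, user) else "deny"
```

Running decide("PROPFIND", "/repos/project.mirmon/!svn/rvr/64") gives "deny" for anonymous, matching the 403 in the log, while the same request for penni101 and the /trunk requests are allowed.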