List: subversion-users
Subject: Path-Based Authorization behaves differently with SVNParentPath vs. SVNPath
From: Chris Dailey <darcmarc () gmail ! com>
Date: 2020-03-30 21:27:09
Message-ID: CAFEHzq2jQxNTjDbDH67E0DHwU_357p-Ndz9rrWmkU25Tx1L19A () mail ! gmail ! com
Hello all,

I'm attempting to move a set of repositories over to using SVNParentPath
for some much needed organization. Currently with our setup, we've got a
separate <Location>, each with its own SVNPath, basic auth, and
AuthzSVNAccessFile, and everything works like I'd expect. However, moving
to a single <Location>, using SVNParentPath, users with limited permissions
get different responses to the same requests.

I apologize for being verbose, but I'm trying to be thorough and believe
I've checked each spot I might have gone wrong.

My old svn locations are /svn/svn1oldname/, /svn/svn2/. I'm moving them to
/repos/(svn1|svn2)/

Currently, the setup looks like this:

<Location /svn/svn1/>
  DAV svn
  SVNPath /home/user/repos/svn1
  SVNReposName svn1oldname
  AuthzSVNAccessFile /home/user/repos/authz
  # basic auth omitted for brevity
</Location>

<Location /svn/svn2/>
  DAV svn
  SVNPath /home/user/repos/svn2
  # no SVNReposName, name isn't changing.
  AuthzSVNAccessFile /home/user/repos/authz
  # basic auth omitted for brevity
</Location>

The setup I'm attempting to move to (and actually have going side-by-side
at the moment, though removing the others help,) is:

<Location /repos/>
  DAV svn
  SVNParentPath /home/user/repos
  SVNListParentPath On
  # basic auth omitted for brevity
  AuthzSVNAccessFile /home/eaiuser/repos/authz
</Location>

Both repos are sharing the same AuthUserFile and AuthzSVNAccessFile. authz
looks as such:

[groups]
admin = userS
one = userA, userB
two = userA, userB, userC
two-readonly = userRO

[/]
$anonymous =
@admin = rw

[svn1:/]
@one = rw

[svn1oldname:/]
@one= rw

[svn2:/]
@two = rw
@two-readonly =

[svn2:/AllowedPathA]
@two-readonly = r

[svn2:/AllowedPathB]
@firmware-readonly = r

Now, the behavior.

userS: Can GET all urls as you'd expect.
userA: Can GET /svn/svn1oldname/, /svn/svn2/, /repos/ (sees both
repositories in the list), /repos/svn1/, /repos/svn2/, as expected.
Effectively the same as userS, but only listed in @one and @two.

userRO is where things get funny.

userRO: Can GET /svn/svn1oldname/ but sees only the repo name and revision.
userRO: Can GET /svn/svn2/ and sees repo name, revision, AllowedPathA, and
AllowedPathB. This is the behavior I expect.
userRO: Can GET /repos/ (the 'collection list'), but sees *no* repositories.
userRO: Attempting to GET /repos/svn1/ gets a 403 response. Not the same
behavior as on /svn/svn1oldname/, but completely acceptable (and honestly
would be preferred, I think.)
userRO: Attempting to GET /repos/svn2/ ... also gets a 403 response. This
was unexpected to me, based on how /svn/svn2/ behaved.
userRO: Attempting to GET /repos/svn2/AllowedPathA/ works. Responds as
expected, so the permission *does* seem to be getting applied properly, but
the visibility of higher requests isn't working in the same way, so unless
I actually tell userRO to act individually on each of the allowed paths,
they'll never know what they have access to through this manner.

I have confirmed this is the behavior using subversion 1.9.7. As that was
the latest available from my distro's repo, I had to build 1.13.0 myself,
and the behavior is the same across the versions. I haven't yet tried on
the 1.14.x branch, as I don't see any notes about behavior such as this.

Thanks everyone.

Cheers,
Chris
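
An added check, not part of the original message and not Subversion code: it parses the authz rules as posted (copied below as a constructed sample) and reports groups that rules reference but [groups] never defines, plus every section that names a given user directly or through a group. The function names are hypothetical, and the script only lists matching rules; it does not model how mod_authz_svn resolves them.

```python
import configparser

# Constructed sample: the authz rules as posted in the message above.
AUTHZ = """\
[groups]
admin = userS
one = userA, userB
two = userA, userB, userC
two-readonly = userRO
[/]
$anonymous =
@admin = rw
[svn1:/]
@one = rw
[svn1oldname:/]
@one= rw
[svn2:/]
@two = rw
@two-readonly =
[svn2:/AllowedPathA]
@two-readonly = r
[svn2:/AllowedPathB]
@firmware-readonly = r
"""

def load(text):
    """Split an authz file into group membership and per-section rules."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",") if m.strip()}
              for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, rules

def undefined_groups(groups, rules):
    """Group names used in rules but missing from [groups]."""
    used = {k[1:] for r in rules.values() for k in r if k.startswith("@")}
    return sorted(used - set(groups))

def rules_naming(user, groups, rules):
    """Map each section that has an entry for the user to the access it grants."""
    out = {}
    for section, entries in rules.items():
        for who, access in entries.items():
            via_group = who.startswith("@") and user in groups.get(who[1:], ())
            if who == user or via_group:
                out[section] = access
    return out
```

For userRO this returns an empty (no access) entry on `svn2:/` next to `r` on `svn2:/AllowedPathA`, the parent-denied, child-allowed combination the message is asking about.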