
I have Apache Subversion 1.7.14 hosted on CentOS 7.4 and am having trouble getting path-based authorization to work such that a group restricted to a specific branch can navigate to that branch from the Apache web server.

The example structure is:

/svn/repo/projA
/svn/repo/projA/trunk
/svn/repo/projA/branches
/svn/repo/projA/branches/branch1
/svn/repo/projA/branches/branch2
/svn/repo/projB
/svn/repo/projC

I have a couple groups of users, for example:

[groups]
svn-group1 = ...
svn-group2 = ...

My goal is to have svn-group2 restricted to /svn/repo/projA/branches/branch1 explicitly and not have any access to any other branch, such as:

[/]
* =
@svn-group1 = rw

[repo:/projA/branches/branch1]
@svn-group2 = rw

However, when navigating to https://svn.example.com/repo/projA the svn-group2 users get a Forbidden error. Only if they go to the full URL https://svn.example.com/repo/projA/branches/branch1 do they get access. Ideally I would like svn-group2 to see all parent leaves up to the root directory so they "know" what they have access to from https://svn.example.com.

I can get the right behavior by explicitly excluding every sibling leaf:

[/]
* =
@svn-group1 = rw

[repo:/projA/branches/branch1]
@svn-group2 = rw

[repo:/projA]
@svn-group2 = r

[repo:/projA/trunk]
@svn-group2 =

[repo:/projA/branches/branch2]
@svn-group2 =

[repo:/projB]
@svn-group2 =

[repo:/projC]
@svn-group2 =

This even has the benefit that the user does not see links to projB and projC from https://svn.example.com/repo. Only projA would be seen, followed by only branches, followed by only branch1.

However, this doesn't guarantee that svn-group2 would only see branch1. I would like to guarantee that if svn-group1 creates a new branch, svn-group2 will not see it by default.

I have found some hints of a :glob: rule with some wildcard functionality, but I have not been able to get it to work. I could imagine something like the below, where the wildcards exclude sibling branches.

[:glob:repo:/]
@svn-group2 = r

[:glob:repo:/*/]
@svn-group2 =

[repo:/projA]
@svn-group2 = r

[:glob:repo:/projA/*/]
@svn-group2 = 

[repo:/projA/branches/]
@svn-group2 = r

[:glob:repo:/projA/branches/*/]
@svn-group2 =

[repo:/projA/branches/branch1]
@svn-group2 = rw

Thanks!

Jacob Block

1 Answer

Okay, so there are a couple of things I'll try to clarify for you.

[/]
* =
@svn-group1 = rw

The first * = is not necessary. You only need to specify forbidden accessors when there is a parent directory that they have access to.

Ideally I would like svn-group2 to see all parent leaves up to the root directory so they "know" what they have access to from https://svn.example.com

I can see the train of thought you were going with here; unfortunately it's not possible unless, as you said, you explicitly forbid them access in every sub-directory created. The moment you gave group 2 read access to the base URL of projA, they inherently have read access to any new sub-directories you create, which means they will see any new branches/tags you make until you update the authz file to deny them.

I haven't tried the wildcard stuff yet, and I don't have access to my server at the moment, but when I get home, I might be able to test that out for a more convenient way of doing this.

Chris
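The inheritance the answer describes can be checked without a live server by modelling the authz rules. This is an added example, not code from either poster: it parses a shortened, constructed copy of the question's "exclude every sibling" authz file and resolves effective access by walking from the requested path up to the root, taking the nearest section that has a rule applying to the user. Within one section it assumes a direct user rule beats a group rule, which beats `*` (the question's sections never contain conflicting rules, so the results below do not depend on that simplification).

```python
import configparser

# Constructed authz file: a shortened copy of the question's "exclude every sibling" attempt.
AUTHZ = """
[groups]
svn-group1 = alice
svn-group2 = bob
[/]
* =
@svn-group1 = rw
[repo:/projA]
@svn-group2 = r
[repo:/projA/trunk]
@svn-group2 =
[repo:/projA/branches/branch1]
@svn-group2 = rw
"""

def parse_authz(text):
    """groups: name -> set of users; rules: (repo or None, path) -> [(principal, perms)]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep '@' and letter case in principal names
    cp.read_string(text)
    groups = {g: {u.strip() for u in v.split(",")} for g, v in cp["groups"].items()}
    rules = {}
    for section in cp.sections():
        if section not in ("groups", "aliases"):
            repo, _, path = section.rpartition(":")  # "repo:/p" -> repo "repo"; "/p" -> repo ""
            rules[(repo or None, path.rstrip("/") or "/")] = list(cp[section].items())
    return groups, rules

def rank(principal, user, groups):
    """Specificity of a rule for user: 0 user, 1 group, 2 '*'; None if it does not apply."""
    if principal == user:
        return 0
    if principal.startswith("@") and user in groups.get(principal[1:], ()):
        return 1
    return 2 if principal == "*" else None

def access(user, repo, path, groups, rules):
    """Effective perms ('', 'r' or 'rw'): the nearest section from path up to '/' holding a rule
    that applies to user decides, repo-specific before repository-agnostic for the same path."""
    node = path.rstrip("/") or "/"
    while node:
        for key in ((repo, node), (None, node)):
            hits = [(r, perms) for p, perms in rules.get(key, []) if (r := rank(p, user, groups)) is not None]
            if hits:  # most specific rule wins (model assumption, see lead-in)
                return min(hits)[1]
        node = "" if node == "/" else node.rsplit("/", 1)[0] or "/"
    return ""  # nothing inherited from any ancestor: no access
```

Resolving bob (svn-group2) on a branch that is not listed anywhere, such as /projA/branches/branch3, yields r because the walk stops at the [repo:/projA] section; only a further explicit deny section would change that.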