apache 如何通过 WebSVN 限制存储库访问?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/939119/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How Do I Restrict Repository Access via WebSVN?
提问by kaybenleroll
Note: I originally asked this question on serverfault.combut only got one response so far, and the more I think about it, the more I realise it is probably better on stackoverflow.
注意:我最初在serverfault.com上问过这个问题,但到目前为止只得到一个答复,我想得越多,我就越意识到它在 stackoverflow 上可能更好。
I have multiple subversion repositories which are served up through Apache 2.2 and WebDAV. They are all located in a central place, and I used this debian-administration.orgarticle as the basis (I dropped the use of the database authentication for a simple htpasswd file though).
我有多个 Subversion 存储库,它们通过 Apache 2.2 和 WebDAV 提供。它们都位于一个中心位置,我以这篇debian-administration.org文章为基础(尽管我放弃了对简单 htpasswd 文件使用数据库身份验证)。
Since then, I have also started using WebSVN. My issue is that not all users on the system should be able to access the different repositories, and the default setup of WebSVN is to allow anyone who can authenticate.
从那时起,我也开始使用WebSVN。我的问题是并非系统上的所有用户都应该能够访问不同的存储库,并且 WebSVN 的默认设置是允许任何可以进行身份验证的人。
According to the WebSVN documentation, the best way around this is to use subversion's path access system, so I looked to create this, using the AuthzSVNAccessFile directive.
根据 WebSVN 文档,解决此问题的最佳方法是使用 subversion 的路径访问系统,因此我希望使用 AuthzSVNAccessFile 指令来创建它。
When I do this though, I keep getting "403 Forbidden" messages.
但是,当我这样做时,我不断收到“403 Forbidden”消息。
My files look like the following:
我的文件如下所示:
I have default policy settings in a file:
我在文件中有默认策略设置:
<Location /svn/>
DAV svn
SVNParentPath /var/lib/svn/repository
Order deny,allow
Deny from all
</Location>
Each repository gets a policy file like below:
每个存储库都有一个如下所示的策略文件:
<Location /svn/sysadmin/>
Include /var/lib/svn/conf/default_auth.conf
AuthName "Repository for sysadmin"
require user joebloggs jimsmith mickmurphy
</Location>
The default_auth.conf file contains this:
default_auth.conf 文件包含以下内容:
SVNParentPath /var/lib/svn/repository
AuthType basic
AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
I am not fully sure why I need the second SVNParentPath in default_auth.conf, but I just added that today as I was getting error messages as a result of adding the AuthzSVNAccessFile directive.
我不完全确定为什么我需要 default_auth.conf 中的第二个 SVNParentPath,但我今天刚刚添加了它,因为我因为添加 AuthzSVNAccessFile 指令而收到错误消息。
With a totally permissive access file
使用完全许可的访问文件
[/]
joebloggs = rw
the system worked fine (and was essentially unchanged), but as I soon as I start trying to add any kind of restrictions such as
系统运行良好(并且基本上没有变化),但是当我开始尝试添加任何类型的限制时,例如
[sysadmin:/]
joebloggs = rw
instead, I get the 'Permission denied' errors again. The log file entries are:
相反,我再次收到“权限被拒绝”错误。日志文件条目是:
[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin
What do I need to do to get this to work? Have configured apache wrong, or is my understanding of the svnaccess.conf file incorrect?
我需要做什么才能让它发挥作用?apache配置错误,还是我对svnaccess.conf文件的理解有误?
If I am going about this the wrong way, I have no particular attachment to my overall approach, so feel free to offer alternatives as well.
如果我以错误的方式解决这个问题,我对我的整体方法没有特别的依恋,所以也可以随意提供替代方案。
UPDATE (20090528-1600):
更新(20090528-1600):
I attempted to implement this answer, but I still cannot get it to work properly.
我试图实现这个答案,但我仍然无法让它正常工作。
I know most of the configuration is correct, as I have added
我知道大部分配置是正确的,因为我已经添加
[/]
joebloggs = rw
at the start and 'joebloggs' then has all the correct access.
在开始时,'joebloggs' 然后拥有所有正确的访问权限。
When I try to go repository-specific though, doing something like
当我尝试去特定于存储库时,做一些类似的事情
[/]
joebloggs = rw
[sysadmin:/]
mickmurphy = rw
then I got a permission denied error for mickmurphy (joebloggs still works), with an error similar to what I already had previously
然后我收到了 mickmurphy 的权限被拒绝错误(joebloggs 仍然有效),错误类似于我之前已经遇到的错误
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin
Also, I forgot to explain previously that all my repositories are underneath
另外,我之前忘了解释我所有的存储库都在下面
/var/lib/svn/repository
UPDATE (20090529-1245):
更新(20090529-1245):
Still no luck getting this to work, but all the signs seem to be pointing to the issue being with path-access control in subversion not working properly. My assumption is that I have not configured apache or svn to properly recognise my repository structure.
仍然没有运气让它工作,但所有的迹象似乎都指向了subversion中的路径访问控制无法正常工作的问题。我的假设是我没有配置 apache 或 svn 来正确识别我的存储库结构。
This is because the '[/]' entry seems to work perfectly.
这是因为 '[/]' 条目似乎工作得很好。
It also occurs to me that this is question that may belong better on StackOverflow?
我也想到这个问题可能更适合 StackOverflow?
回答by Chris S
You can generate md5 password files using apache's htpasswd utility (located in the bin directory).
您可以使用 apache 的 htpasswd 实用程序(位于 bin 目录中)生成 md5 密码文件。
Then, in your httpd.conf:
然后,在您的 httpd.conf 中:
<Location /svn>
DAV svn
SVNParentPath "repo path"
AuthType Basic
AuthName "Repository"
AuthUserFile "password file path"
Require valid-user
SVNListParentPath on #if you want a repository listing for the whole svn directory
</Location>
This will require user authentication, and only username/password combinations located in the password file (from htpasswd) will be accepted for access.
这将需要用户身份验证,并且仅接受位于密码文件(来自 htpasswd)中的用户名/密码组合进行访问。
In addition, you can also specify read-only access to everyone, but use the password file for commits, etc by the following (within the location tag):
此外,您还可以指定每个人的只读访问权限,但使用密码文件进行提交等(在位置标记内):
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
If I'm understanding what you need, this should solve it for user-level access.
如果我了解您的需求,这应该可以解决用户级访问问题。
EDIT:
编辑:
I forgot to mention, that if you do use a password file, make sure it is not accessible through the web (ie, no alias or directory are assigned in apache where it is stored).
我忘了提及,如果您确实使用了密码文件,请确保它不能通过网络访问(即,在存储它的 apache 中没有指定别名或目录)。
回答by Lars
You have to give everybody read access to the root. Afterwards remove read acces from specific repositories as required. Working with user groups might help to keep the configuration small.
您必须授予每个人对根目录的读取权限。然后根据需要从特定存储库中删除读取访问权限。与用户组合作可能有助于保持配置较小。
You might give it a try like this:
你可以这样试一试:
[/]
* = r
[sysadmin:/]
mickmurphy =
joebloggs = rw
