dx4.org :: linux :: svnviewvcauthn

I just finished setting up a Subversion system with a ViewVC web frontend. I wanted to configure authorization for both components in the same place, but it wasn't clear how to do that. It took me long enough to figure out how to make it work that I figure it's worth posting for anyone out there on Google looking to save a little time.

The standard way to handle authorization with mod_dav_svn is the AuthzSVNAccessFile directive. You create an authorization config file, point AuthzSVNAccessFile at it, and everything works great. For example:

AuthzSVNAccessFile /path/to/authorization-file

with /path/to/authorization-file containing:

# Access values in an authz file are "r" (read-only), "rw" (read-write) or empty (no access)
[alice-repo:/]
alice = rw
bob = r

[bob-repo:/]
bob = rw
alice = r

[carol-repo:/]
carol = rw

The trouble starts when you install ViewVC for convenient web access to Subversion. You probably want to give the same people access to view repositories in ViewVC as are able to check files out, but ViewVC isn't capable of honoring the configuration from AuthzSVNAccessFile.

Instead, you need to use Apache's built-in authorization functionality for both applications. First we need to set up default denies for both applications. In conf.d/subversion.conf:

<Location /repos>
   DAV svn
   SVNParentPath /svn/repositories
   # Deny all access by default
   Deny from all
</Location>

In conf.d/viewvc.conf:

<Location "/cgi-bin/viewvc.cgi/">
  Deny from all
</Location>
The second example assumes you've got the root_as_url_component ViewVC config option turned on.

Now define some actual permissions in another conf.d file. This assumes your SVN repositories are served under /repos and ViewVC is at /cgi-bin/viewvc.cgi.

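# (/|$) keeps this block from also matching longer repository names that begin with alice-repo
<LocationMatch "^/(repos|cgi-bin/viewvc\.cgi)/alice-repo(/|$)">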
  Satisfy Any
  # Read-only
  <Limit GET PROPFIND OPTIONS REPORT>
    Require user alice bob
  </Limit>
  # Read-write
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require user alice
  </LimitExcept>
</LocationMatch>

<LocationMatch "^/(repos|cgi-bin/viewvc\.cgi)/bob-repo(/|$)">
  Satisfy Any
  # Read-only
  <Limit GET PROPFIND OPTIONS REPORT>
    Require user alice bob
  </Limit>
  # Read-write
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require user bob
  </LimitExcept>
</LocationMatch>

<LocationMatch "^/(repos|cgi-bin/viewvc\.cgi)/carol-repo(/|$)">
  Satisfy Any
  # Read-only
  <Limit GET PROPFIND OPTIONS REPORT>
    Require user carol
  </Limit>
  # Read-write
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require user carol
  </LimitExcept>
</LocationMatch>
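
An added example, not part of the original post: a Python model of the three per-repository blocks above, for checking which user and method combinations they admit on both the /repos and ViewVC URLs. It also compares a pattern that stops at the repository name with one that ends in `(/|$)`; the path alice-repo-archive, the `anchored` switch and the last-match-wins simplification are assumptions made here.

```python
import re

# Methods the page's <Limit> blocks treat as read-only; anything else is a write.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}

# (repository, readers, writers), transcribed from the three LocationMatch blocks.
RULES = [
    ("alice-repo", {"alice", "bob"}, {"alice"}),
    ("bob-repo", {"alice", "bob"}, {"bob"}),
    ("carol-repo", {"carol"}, {"carol"}),
]

def pattern(repo, anchored=True):
    """Build the LocationMatch regex for one repository.

    anchored=False stops at the repository name, so longer names sharing
    the prefix also match; anchored=True requires "/" or end of path next.
    """
    tail = "(/|$)" if anchored else ""
    return re.compile(r"^/(repos|cgi-bin/viewvc\.cgi)/" + re.escape(repo) + tail)

def allowed(user, method, path, anchored=True):
    """True if `user` may send `method` to `path`; user=None is anonymous.

    Assumption: when several blocks match, the last one decides. No match
    leaves the default "Deny from all" in force.
    """
    decision = False
    for repo, readers, writers in RULES:
        if pattern(repo, anchored).search(path):
            users = readers if method in READ_METHODS else writers
            decision = user in users
    return decision

if __name__ == "__main__":
    # Constructed requests: (user, method, URL path)
    samples = [
        ("bob", "GET", "/repos/alice-repo/trunk"),
        ("bob", "PUT", "/repos/alice-repo/trunk/file.txt"),
        ("carol", "GET", "/cgi-bin/viewvc.cgi/alice-repo/"),
        (None, "GET", "/repos/carol-repo"),
        ("bob", "GET", "/cgi-bin/viewvc.cgi/alice-repo-archive/"),
    ]
    for user, method, path in samples:
        print(user, method, path,
              "anchored:", allowed(user, method, path),
              "unanchored:", allowed(user, method, path, anchored=False))
```

Running the same table against a staging server with real credentials is a quick way to confirm the Apache configuration and the intended policy agree.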