
SVN Authz access control with Apache

Every year, the college requires dozens of new SVN repositories for the researchers, professors, students, and management that work there. Last semester, both computer science courses I was enrolled in used an SVN repo to manage and submit coursework. A streamlined version control system like SVN can be integral to a University's work cycle.

SVN here can be a real pain to set up, especially since we have so many repo owners. Right now, SVN repositories are spawned from ticket requests: if a professor needs a repository for a class she is teaching, she has to manually open a ticket or email the systems group, and someone from systems has to manually create the repo and then manually edit the permissions file for the SVN server to give access to the appropriate users.

One of my coworkers was given the task of creating an automated system to update these permissions, and I've adopted it for work over the summer. The solution requires that an SVN server's permissions be set through Apache access, so I set out to do just that.

Making the access control and passwd files

So it turns out that there is an Apache2 module called authz_svn that makes this whole process pretty easy. All it requires is a little editing of configuration files in both Apache and SVN. I'll walk you through the steps.

First, you need to make an access control file that details the access that will be given to users and user groups on the SVN server. It uses the same formatting and rule system as SVN authz files. If you are unfamiliar with SVN authz files, I suggest reading this Stack Overflow page, or this red-bean book article on path-based authorization.

After you've made your access control file, you'll need to make a passwd file that will store the usernames and passwords of the users that will be accessing this SVN server. Mine is stored in /etc/ and is called svn.passwd. You can add users to this file at any time by using the htpasswd command as root:

sudo htpasswd -m /etc/svn.passwd _username_

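Where _username_ is the name of the user you would like to add. It should prompt you for a password. The -m flag tells htpasswd to store an MD5-based hash of the password, so passwords are not kept in plaintext. If the file does not exist yet, add -c on the first call to create it, and leave -c off afterwards because it overwrites an existing file. On Apache 2.4, htpasswd also accepts -B to use bcrypt, which is harder to brute-force than MD5.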

Adding users and setting permissions

After you've made both the access control and passwd files, it's time to add users and edit directory permissions. To populate the passwd file with users, add users using the htpasswd command detailed above.

There are really only a few permissions you can set:

r   - Read only. Check-out privileges.
rw  - Read and write. Check-out and commit privileges.

If you looked at the links above related to SVN Authz files, this will be an easy step. In the access control file, make sections that create user groups and dictate repository and project access. Different sections of the file are indicated by square brackets, such as [groups]. Here's a sample authz file:

[groups]
group1 = user1, user2
group2 = user3, user4

[/]
@group1 = rw
@group2 = rw

[/someproject]
@group1 = r
@group2 = rw

In the [groups] section, this authz file declares two groups, group1 and group2, each with different users. Then, in the [/] section, it gives both group1 and group2 read-write permission to the root of the repository. If no other permissions were explicitly given, this would give both groups read-write access to every project on the repository. However, it then sets separate permissions for the [/someproject] project: group1 is limited to read-only access there, while group2 keeps read-write. Because the most specific path section takes precedence, these entries override what [/] granted.
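To check what an authz file grants before deploying it, here is an added example (not part of the original post, and not Subversion's own code) that resolves a user's effective access in Python. It is a simplified model of the lookup: the deepest path section with a line matching the user decides, and matching lines within that section are combined. It handles only plain user names, @groups and *; the function names are this example's own.

```python
import configparser
import posixpath

# Constructed sample: the authz file shown above.
SAMPLE_AUTHZ = """\
[groups]
group1 = user1, user2
group2 = user3, user4

[/]
@group1 = rw
@group2 = rw

[/someproject]
@group1 = r
@group2 = rw
"""

def load_authz(text):
    """Return (groups, rules): group -> set of users, path -> {principal: access}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def effective_access(user, path, groups, rules):
    """Walk from path up to "/"; the deepest section naming the user decides."""
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        granted, matched = set(), False
        for principal, access in rules.get(path, {}).items():
            in_group = principal.startswith("@") and user in groups.get(principal[1:], ())
            if principal in ("*", user) or in_group:
                matched = True
                granted |= set(access.strip())  # an empty value means "no access"
        if matched:
            return "".join(c for c in "rw" if c in granted)
        if path == "/":
            return ""  # no section names this user anywhere: access denied
        path = posixpath.dirname(path)
```

With the sample file, user1 resolves to "r" anywhere under /someproject and "rw" elsewhere, and a user who is in no group gets an empty string, meaning no access.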

Linking the files to the subversion repo

This section assumes that you have a subversion repository up and running. The subversion repo settings are in:

/etc/apache2/mods-enabled/dav_svn.conf

Open it up with sudo and go down to the bottom of the file, past all the generated comments. Add this, tailored to your specific svn repo:

<Location /url_to_svn_repo>
  DAV svn
  SVNPath       path_to_svn_repo

  AuthType      Basic
  AuthName      "Subversion Repository"
  AuthUserFile  path_to_passwd_file

  AuthzSVNAccessFile path_to_authz_file

  Require       valid-user
</Location>

The url_to_svn_repo will be the URL path you want to point to your repository. For example, if you set it to /svn and you're hosting it on localhost, you will access your repo from http://localhost/svn.

After you save this file and restart Apache2, you should have path-based access control working properly. Because AuthType Basic sends the password with every request in an easily decoded form, serve the repository over HTTPS for anything beyond localhost.


About Me

I'm interested in building technological platforms that leverage what we know about social dynamics to help people live their lives better.

I'm currently working at the Human Dynamics Group at the MIT Media Lab, creating systems that attempt to measure and impact human social and health behaviors.

I've also worked with the Lazer Lab, inferring partisan dynamics from congressional public statements.

You can e-mail me at dan@dcalacci.net
