restricting user-groups to specific subversion repos, served up using apache2?

[warz]

I'm using Ubuntu, and have been trying to get Subversion to authorize authenticated users to write only to their respective repositories. (Think: google code, or sourceforge) I'm not using the generic svnserve daemon - I'm using Apache2 to serve up the repos. I'm also using the basic HTTP authorization, and know that it can achieve what I'm trying to do.

I know this can be done by manually editing apache2.conf, and adding new Location blocks for each repository, but I cannot imagine that google code, or sourceforge does this. I've also looked into the vhost files that Ubuntu's Apache2 build is forced to use by default, but I'm not sure if those look very promising.

Svnserve has some very easy options that allow this kind of authorization to take place, but it doesn't offer a lot of the goodies that Apache2 does. I'd like to use https:// for write connections in the future, too.

The relevant portions of my apache2.conf file look like this...

Code Select Expand


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

<Location /svn>
        DAV svn
        SVNParentPath /home/ryan/repos
        SVNListParentPath on
        AuthType Basic
        AuthName "subversion repository"
        AuthUserFile /etc/subversion/svn-auth-file

        <LimitExcept GET PROPFIND OPTIONS REPORT>
                Require valid-user
        </LimitExcept>
</Location>


My repository directory's layout just looks like this...

Code Select Expand


/home/ryan/repos
-> repo1
- - > ...
- > repo2
- - > ...


Does anyone have experience setting up Subversion, and Apache like I am trying to? I'm just trying to make it so that when a users creates a new repo, they're only given write access to their repo, not any of the other existing ones.

Edit: I should also mention that I've looked into the authz file. I'm not sure if each repository can have its own authz file associated with it, though, when using Apache. I know svnserve gives each repo its own authz, though.

[warz]

so i see we're all noobs at this, together!

[warz]

Well, upon further review, I've basically concluded that you cannot delegate the handling of the authz authorization files to the individual repos. You must use a single authz file, and either generate it dynamically based on your users, and groups, or just keep up with it manually. (eww, wtf mod_dav_svn?)

[Chavo]

I know this can be done by manually editing apache2.conf, and adding new Location blocks for each repository, but I cannot imagine that google code, or sourceforge does this. I've also looked into the vhost files that Ubuntu's Apache2 build is forced to use by default, but I'm not sure if those look very promising.

My understanding is that this is the proper way to delegate the different repositories.  There are plenty of commercial apps that can handle that part for you, although I can't say if any of them support subversion.  I only have one repo and don't care to setup more so I have not run into your problem.

[warz]

Well, the proper way depends on what server you're using with subversion. The standard svnserve server does what I was describing by default, and can also be told to use one single authz file. Apache, on the other hand, is not as dynamic in that sense, because you'd have to modify apache2.conf every time you added a new repository, telling it where to look for the authz file.

So, what I've done is written a simple Python application to generate this authz file for me, based on my users, groups and permissions in a sql database.