-1

Platform/Versions:
Windows Server 2008 R2 Std SP1 (64 bit)
CollabNet Subversion Apache 2.2.23 (win32)
CollabNet Subversion Client Svnserve V1.7.8
Authentication using SSPI (active directory)
Users run Tortoise SVN Client V1.8.11 (64 bit) or higher versions on Windows 7 Pro

We use an access control file to limit who has access to subversion top-level repositories. We are now wanting to limit access to certain folders under the top-level. We’ve referenced the following examples, but they don’t seem to work for us:

https://nithint.wordpress.com/2009/12/17/format-of-svn-access-file-for-path-based-authorization/
https://www.open.collab.net/community/subversion/svnbook/svn.serverconfig.pathbasedauthz.html

We have found that if you have access at the top level, then you get access to all lower level folders including the folders where someone should be denied access. Additionally, if you don’t have access at the top level but are given access at the lower level, you are still blocked from accessing the lower level. (We’re ok with the latter but find it curious as it seems to contradict what the websites say regarding permissions, that is, permissions at lower levels should override permissions at upper levels.) The access control at the lower level seems to be ignored.

What we want:

Junk_repo – top-level, grant Beth, Eric and Joe access
Junk_repo/Commercial – grant Beth, Eric and Joe access
Junk_repo/Military – grant Beth & Eric access. Deny Joe access

We tried using groups and setting the permissions by group. (We use domain\userid active directory authentication therefore our access control file also uses domain\userid format.)

The groups:

Junk_repo_team = domain\beth, domain\eric, domain\joe
Junk_repo_comm_team = domain\beth, domain\eric, domain\joe
Junk_repo_mil_team = domain\beth, domain\eric (No Joe)

The access: 

[Junk_repo:/]
@Junk_repo_team = rw   //Beth, Eric Joe have access 

[Junk_repo:/Commercial]  
@Junk_repo_comm_team = rw   // commercial team (Beth, Eric, Joe) has access  

[Junk_repo:/Military]  
@Junk_repo_mil_team = rw    // military team (Beth, Eric) has access. No access for Joe

The above failed so we then tried setting permissions by listing the userids at each level: 

[Junk_repo:/]  
domain\beth = rw   //Beth, Eric and Joe have access  
domain\eric = rw   
domain\joe = rw

[Junk_repo:/Commercial]  
domain\beth = rw   //Beth, Eric and Joe have access  
domain\eric = rw   
domain\joe = rw  

[Junk_repo:/Military]  
//Beth and Eric have access.  Joe does not have access. 
domain\beth = rw
domain\eric = rw   
domain\joe=
//We even tried  specifically denying Joe access to the Military folder by listing his id without anything after the equal sign.

In both scenarios Joe was able to access the Junk_repo/Military folder where we specifically did not want him to have access to it.

Do you have any experience with blocking access at various levels of a repo? If so, do you see anything obvious that we’re doing wrong?

SVN-location

<Location /Junk_repo>
DAV svn
SVNPath E:/svn_repository/Junk_repo
AuthType Basic
AuthName "Subversion Junk_repo repository"
Require valid-user
ErrorDocument 404 default
</Location>
Lazy Badger
  • 3,067
  • 14
  • 13
mloftis
  • 1
  • 2

2 Answers2

0

You forgot some obvious things (in attempt 1, which must to fail)

  • ACLs are inherited from parents notes to child
  • If you want to have changed rule, you must to write a rule, modifying access-rights
  • If you use authz-file with Apache-served repository, you must to have
    • related directive in SVN-Location
    • LoadModule for path-based authorization

(and last point may be main reason - you just doesn't have path based authorization, and I can't check default settings of CollabNet)

thus, for group-centric game you have:

  1. @Junk_repo_team have access to root of Junk_repo
  2. @Junk_repo_team and @Junk_repo_comm_team have access to /Commercial node (direct rule and inherited)
  3. @Junk_repo_team and @Junk_repo_mil_team have access to /Military node (direct rule and inherited) - thus, Joe as member of @Junk_repo_team have access to node

Second ruleset with personal access is almost OK on the first sight and only some shortening (due to rule-inheritance) may be applied immediately, something like:

[Junk_repo:/]
domain\beth = rw
domain\eric = rw
domain\joe = rw

[Junk_repo:/Military]
domain\joe=

(inherited from root rules can be skipped, only redefining rules must be used) and in this form I expect to see "No access" for Joe.

But, because you used rather old version of SVN Book (which doesn't note aliases) and I can't recall, is domain\joe applicable form of username in auth-file or not and can't test your setup (you didn't show any log-output for any revision of any user, but LDAP-based names can have different forms) I'll suggest slightly polished setups (with minimal differences: both with aliases, one is group-based, next have group-only rules), based on original SVN Book for SVN 1.8

Some authentication systems expect and carry relatively short usernames of the sorts we've been describing here—harry, sally, joe, and so on. But other authentication systems—such as those which use LDAP stores or SSL client certificates—may carry much more complex usernames. For example, Harry's username in an LDAP-protected system might be CN=Harold Hacker,OU=Engineers,DC=red-bean,DC=com. With usernames like that, the access file can become quite bloated with long or obscure usernames that are easy to mistype. Fortunately, Subversion 1.5 introduced username aliases to the access file syntax. Username aliases allow you to have to type the correct complex username only once, in a statement which assigns to it a more easily digestable alias.

AD-based usernames are exactly the such case, thus we'll aliasing all users before defining rules and groups (for 1-st configuration)

Group-based config

[aliases]
beth = full and tested username of beth
eric = full and tested username of eric
joe = full and tested username of joe
[groups]
Junk_repo_team = &beth, &eric, &joe
Junk_repo_comm_team = &beth, &eric, &joe
Junk_repo_mil_team = &beth, &eric

[Junk_repo:/]
@Junk_repo_team = rw

[Junk_repo:/Commercial]
@Junk_repo_team = // no inheritance mess!!! only direct-rules
@Junk_repo_comm_team = rw

[Junk_repo:/Military]
@Junk_repo_team = // no inheritance mess!!! only direct-rules
@Junk_repo_mil_team = rw

(I can ignore suppressing inherited rules for Commercial, but not for Military and selected sameness for both nodes)

User-based config

[aliases]
beth = full and tested username of beth
eric = full and tested username of eric
joe = full and tested username of joe

[Junk_repo:/]
&beth = rw
&eric = rw
&joe = rw

[Junk_repo:/Military]
&joe =

PS: Collabnet's SVN-stack was good at the times of CollabNet Edge, today's preferable solution (from my POV) is Visual SVN Server with all up-to-date features, GUI management console (for all tasks), remote administration...

Lazy Badger
  • 3,067
  • 14
  • 13
  • We tried also to list all 3 groups at each level with r, rw or no access. Joe (not in the military) group could still access the military folder. This was our latest attempt which failed: – mloftis Feb 24 '16 at 22:14
  • We tried also to list all 3 groups at each level with r, rw or no access. Joe (not in the military) group could still access the military folder. We only have Junk_repo's location listed in the subversion.conf file (read in by http.conf). Do we need to list the location of each subfolder under Junk_repo too? All we have is: DAV svn SVNPath E:/svn_repository/Junk_repo AuthType Basic AuthName "Subversion Junk_repo repository" Require valid-user ErrorDocument 404 default We use mod_authz_svn – mloftis Feb 24 '16 at 23:00
  • Trying to get formatting to work but am unsuccessful. Sorry for ugliness. All we have is: DAV svn SVNPath E:/svn_repository/Junk_repo AuthType Basic AuthName "Subversion Junk_repo repository" Require valid-user ErrorDocument 404 default We use mod_authz_svn. (Using 4 blanks before code isn't formatting properly. Sorry) – mloftis Feb 24 '16 at 23:09
  • I tried adding the sections for the Junk_repo/Military and Junk_repo/Commercial subfolders and setting the permissions for all 3 groups at each level (Junk_repo, Junk_repo/Commercial and Junk_repo/Military) with the Junk_repo_team and Junk_repo_comm_team having no access (nothing set after = sign) and Junk_repo_mil_team having rw access (and Joe not in the Junk_repo_mil_team). Joe could still checkout the Junk_repo_Military folder. – mloftis Feb 25 '16 at 14:08
  • @mloftis - your original `` is non-functional... **totally**. Hire good admin for at least Apache – Lazy Badger Feb 25 '16 at 14:22
  • The original location is fine and we don't need locations for the subfolders. We figured out that the subfolder repo permissions had to be entered as [Junk_repo:/trunk/Military] (trunk was missing in the path), since Military is not an actual folder in the path but rather a folder off the Junk_repo's trunk subversion area.. – mloftis Feb 25 '16 at 19:57
  • @mloftis - [really?](http://www.collab.net/sites/all/themes/collabnet/_media/screenshots/subversionedge/capabilities/images/ldap.jpg). [See also config](http://serverfault.com/questions/431290/svn-authentication-with-ldap-and-active-directory) for LDAP-related SVN – Lazy Badger Feb 25 '16 at 21:14
  • We use SSPI (Active Dir) for authentication. This works: DAV svn SVNParentPath e:/svn_repository SVNIndexXSLT /manual/style/xsl/svnindex.xsl AuthType SSPI SSPIAuth On SSPIOfferSSPI Off SSPIAuthoritative On SSPIDomain # Set SSPIOMITDOMAIN off to allow domain\userid in access file in .svnaccess file. SSPIOmitDomain Off SSPIUsernameCase lower SSPIPerRequestAuth On SSPIOfferBasic On AuthName "UTAS AMS Subversion Login (Use domain\userid format)" AuthzSVNAccessFile "E:/etc/.svnaccess" Require valid-user – mloftis Feb 26 '16 at 15:23
0

We figured out that the subfolder repo permissions had to be entered as
[Junk_repo:/trunk/Military]
rather than [Junk_repo:/Military]. (Trunk was missing in the setting.) Military is not an actual folder in the path but rather a folder off the Junk_repo's trunk subversion area.

mloftis
  • 1
  • 2