WebFaction

Hi,

I'm trying to set permissions properly for HTTPS access to my SVN repository, and am confused about the different places that these permissions are set.

First, there's the webapps/svn/.authz file, which I have set to be:

[/]
* =
fred = rw

This means, I think, that unauthenticated users have no access, and user 'fred' has read/write access, across the repository.

But when I do:

svn co --username=fred --password=fredpass https://svn.my.domain/repos/project

I get:

svn: access to 'https://svn.botcave.org/repos/jQueryBook' forbidden

Sure enough, if I add "* = r" to the .authz file, then everything works again, indicating that I'm coming in as anonymous.

Is it something I'm doing that isn't passing the user authentication over? I assume the username/password parameters must match the .htpasswd file, but now I'm starting to think that users for this authentication method are coming from somewhere else.

Any pointers in the right direction would be greatly appreciated.. Thanks!

marc

asked 13 May '11, 13:18

marcbot


Do you have the authz-db = authz line uncommented in your svnserve.conf?


answered 13 May '11, 14:27

bmeyer71 ♦♦

edited 13 May '11, 14:28

I do, but I didn't uncomment anything else.

Does it use the password file in this directory, as well? I'm really not sure how the password file here relates to the .htpasswd file in the svn/ directory..


answered 13 May '11, 14:31

marcbot

They are two separate authentications. .htpasswd protects access to svn, but after that, you will need to use the password and authz files if you are using different types of access.

(13 May '11, 15:28) bmeyer71 ♦♦

So does .htpasswd hold the accounts for all http/https access, and the password/authz files control access via svn/svn+ssh? If so, then I'm really confused as to why my command line checkout isn't working when I specify a user with --username and --password, instead just getting a 'Forbidden' from the server. Which, confusingly, I can make go away by removing the .authz file in the ~/webapps/svn directory. So I'm really pretty confused..

(13 May '11, 16:10) marcbot

You've mentioned two different methods of access. Which way are you trying to access svn? Via SSH or over https?

(13 May '11, 16:57) bmeyer71 ♦♦

Over https, from command line and from NetBeans. Get the same error both ways.. so I'm trying to figure out the best way to set up authentication for access via HTTPS.

(13 May '11, 18:41) marcbot

What do you get if you set up a user in authz and an associated password, as well as set up an ID and password in your .htpasswd? Try with the same IDs and passwords first.

(13 May '11, 20:53) bmeyer71 ♦♦

So as far as I understand, the authz/password files are irrelevant if you're using http authentication, which seems to be the case. The comment at the top of the svnserve.conf file says:

(If you only allow access through http: and/or file: URLs, then this file is irrelevant.)

Which seems to be the case: I added a user to the conf/password file, added a policy for that user to have rw access, and made sure the svnserve.conf file points to conf/authz and conf/password. But, no user in the password file has any access into svn, and no policies in the svnserve.conf take effect (as in, I set anon-access to "read" and I still get "forbidden" when checking the http access).

So I'm down to two files which seem to make any difference at all: The .htpasswd file, and the .authz file in the SVN directory. However, nothing I put in the .authz file makes any difference except if I enable global read by doing:

[/]
* = r

So I guess my question is, why aren't individual user permissions in the ~/webapps/svn/.authz file having any effect on the ability for a user to come in to the svn repository? And why is my authentication not being taken?

(14 May '11, 10:54) marcbot

okay I think I have it down to the root of the problem.

the conf/* files only protect access to svn via the svn: protocol (or svn+ssh), and are irrelevant when using http access to svn. Fine, that makes sense.

And it seems the webserver is using my .authz file in the ~/webapps/svn/ directory, because it lets in anonymous users when I give them access in the .authz file.

What is NOT happening is that I am not being prompted for a username when I try to access the site via https://sitename.com in my browser, thus it is always using an anonymous user, and thus always being refused access.

So the question is: Why is my browser always denied access without any password prompting from the webserver? I tried adding a simple .htaccess file that says "Require valid-user", which should override any directive from the server config otherwise, thus should prompt for any user trying to hit the site, but it's not... Hmmm!

(14 May '11, 11:26) marcbot

The svnserve.conf file is irrelevant (unless you are running the stand-alone SVN daemon, which you should not be doing).

Your users defined inside .htpasswd should be taken, as well as their permissions defined in .authz. If this is not the case, please open up a support ticket, so we can inspect your specific setup.

(14 May '11, 11:26) tie

ah, okay. you replied when I did and that makes sense. i'll open a ticket, thanks!

(14 May '11, 11:27) marcbot

This one was completely my fault, thanks to the WebFaction support staff for pointing it out.

I had created the SVN app with the "anonymous_read" tag set, which I had forgotten I did when I first created the SVN app months ago.

Removing this tag allowed the server to start processing my .htpasswd users properly and it is now honoring the permissions in the .authz file.

Hope this helps someone down the road. Thanks to everyone who worked on the answer for me!

marc


answered 14 May '11, 12:59

marcbot
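The permission outcome in this thread can be reproduced with a small evaluator for the `.authz` rules quoted above. This is an added example, not code from the original posts or from WebFaction; it models only a simplified subset of Subversion's path-based authorization (the names `parse_authz` and `access` are hypothetical), and `user=None` stands for a request the web server never authenticated.

```python
import posixpath

# Constructed samples: the two .authz variants discussed in the thread.
STRICT = "[/]\n* =\nfred = rw\n"
WITH_ANON_READ = "[/]\n* = r\nfred = rw\n"

def parse_authz(text):
    """Parse a subset of authz syntax: [/path] sections with 'name = perms'
    lines. Groups, aliases and repo-prefixed sections are not handled."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            rules.setdefault(section, [])
        elif "=" in line and section is not None:
            name, perms = (part.strip() for part in line.split("=", 1))
            rules[section].append((name, perms))
    return rules

def _matches(name, user):
    """user is None when the web server did not authenticate the request."""
    if name == "*":
        return True
    if name == "$anonymous":
        return user is None
    if name == "$authenticated":
        return user is not None
    return name == user

def access(rules, user, path):
    """Return the granted flags ('rw', 'r', 'w' or '') for user on path. The
    nearest section with a line matching the user decides; lines are combined."""
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        matched = [p for n, p in rules.get(path, []) if _matches(n, user)]
        if matched:
            granted = set("".join(matched))
            return "".join(flag for flag in "rw" if flag in granted)
        if path == "/":
            return ""  # no matching rule anywhere: denied
        path = posixpath.dirname(path)

if __name__ == "__main__":
    for label, text in (("strict", STRICT), ("anon read", WITH_ANON_READ)):
        rules = parse_authz(text)
        print(label, {u: access(rules, u, "/project") for u in (None, "fred")})
```

With the strict file, an unauthenticated request gets no access whatever `--username` was passed, which matches the "forbidden" reported while the server treated every request as anonymous.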

question asked: 13 May '11, 13:18

question was seen: 5,883 times

last updated: 14 May '11, 12:59
