Hello, I am involved in a customer project to replace CVS with SVN. SVN was chosen against more popular alternatives like git, because it is a free, open-source, mature and, this was the main point, centralized version control system. Repositories are to be accessed through https protocol, served by apache httpd server 2.4. Some features of the actual CVS service had to be ported to the SVN setup. For example, normal users shouldn't be able to create top (first) level folders and files. The straight forward to implement that requisite was through path access cheking. But activate mod_authz_svn implies breaking any other authz module, like for example mod_authnz_ldap, required for us to control repository access based on LDAP group membership, or having true read only service accounts for Redmine, to have just two examples. Looking at the source code I have found that mod_authz_svn is coded to support apache 2.2 authn / authz instead of native 2.4 model. As I didn't consider it a major effort, I have dedicated a few hours to analyze and patch the code, resulting in a functional 2.4 authz provider. This way it can seamless combine with other authz providers like in this example:
svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 # cat
/etc/apache2/vhosts.d/svn.d/repos/test.conf
<IfModule mod_dav_svn.c>
SetEnvif Request_URI ^/repos/test Repo_test=1
CustomLog /svn/logs/repos/test/access.log "%h %t - %{SVN-REPOS-NAME}e -
%u - %{SVN-ACTION}e" env=Repo_test
<Location "/repos/test">
DAV svn
SVNPath /svn/repos/test
AuthzSVNAccessFile /svn/config/auth/accessfile-test
SVNReposName "Repositorio de TEST"
AuthzSVNAuthoritative Off
AuthzSVNAnonymous Off
AuthMerging And
<RequireAll>
<RequireAny>
Require control-point "GuardiasRedes"
Require control-point "Administradores Servidores Horizontales"
</RequireAny>
Require svnpathaccess "Granted"
</RequireAll>
</Location>
</IfModule>
svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 #
The "Granted" argument to the "require svnpathaccess" line for the
provider is just a placeholder / syntax sugar as all the info that the
provider needs is provided through the directory level clauses
AuthzSVNAccessFile, SVNReposName... etc.
The patched code suits our needs, but we are very concerned about support
and maintenance. Would it be possible for the SVN dev team to integrate in
the official code a patch like this and provide the module full apache 2.4
integration?.
Attached goes the patch for your consideration. It is written against
1.10 code. Perhaps you should correct some white spaces in the patch to
apply cleanly because security restrictions at the customer don't allow
the employes or subcontractors to send any type mail attachments, and I
had to copy it in the body.
Thanks in advance
Saludos / Regards
--
Francisco L. Fernández Tortosa
IBM GS Spain - GTS Infrastructure Services Projects
Linux & open source services
Delivery Infrastructure Architect
email: fco.luis.f...@es.ibm.com
phone:(+34)635520045
IBM Global Services España, S.A.
Mar Adriático, 2,
28830 San Fernando de Henares (Madrid)
Registro Mercantil de Madrid, Folio 49; Tomo 6430; Hoja M-104.742
CIF A80-599459
-------------------------------------------------------------
Sólo conozco dos tipos de personas razonables: las que aman a Dios de todo
corazón porque lo conocen, y las que lo buscan de todo corazón porque no
lo conocen.
Blas Pascal
Two things are infinite: the universe and human stupidity; and I'm not
sure about the universe.
Albert Einstein
Salvo indicado de otro modo más arriba / Unless stated otherwise above:
International Business Machines, S.A.
Santa Hortensia, 26-28, 28002 Madrid
Registro Mercantil de Madrid; Folio 1; Tomo 1525; Hoja M-28146
CIF A28-010791
svn-1.10-authz.patch
Description: Binary data
