I. Installation
mod_authz_svn will be installed alongside mod_dav_svn when the regular
installation instructions are followed.
NOTE: the module is functional, but you should consider it experimental.
Some configurations may or may not have the desired effect. Be sure
to test if your configuration works as intended.
II. Configuration
1. Configuring Apache
Modify your httpd.conf. Add the following line _after_ the one that
loads mod_dav_svn:
LoadModule authz_svn_module modules/mod_authz_svn.so
There are several ways to setup access checking for your subversion
location. These are simple examples, for more complex configuration
of authentication/authorization with Apache, please refer to the
documentation: http://httpd.apache.org/docs-2.0/.
A. Example 1: Anonymous access only
This configuration will allow access only to the directories everyone
has permissions to do the operation performed. All other access is
denied. See section II.2 on how to set up permissions.
<Location /svn>
DAV svn
SVNPath /path/to/repos
AuthzSVNAccessFile /path/to/access/file
</Location>
B. Example 2: Mixed anonymous and authenticated access
This configuration checks to see if anonymous access is allowed
first, if not, it falls back to checking if the authenticated
user has permissions to do the operation performed.
<Location /svn>
DAV svn
SVNPath /path/to/repos
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/htpasswd/file
AuthzSVNAccessFile /path/to/access/file
# The following line will allow to fall back to authenticated
# access when anonymous fails.
Satisfy Any
Require valid-user
</Location>
C. Example 3: Authenticated access only
This configuration requires everyone accessing the repository to be
authenticated.
<Location /svn>
DAV svn
SVNPath /path/to/repos
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/htpasswd/file
AuthzSVNAccessFile /path/to/access/file
Require valid-user
</Location>
NOTE: Because there is no 'Satisfy Any' line, the module acts as if
though AuthzSVNAnonymous was set to 'No'. The AuthzSVNAnonymous
directive prevents the anonymous access check from being run.
2. Specifying permissions
The file format of the access file looks like this:
[groups]
<groupname> = <user>[,<user>...]
...
[<path in repository>]
@<group> = [rw|r]
<user> = [rw|r]
* = [rw|r]
[<repository name>:<path in repository>]
@<group> = [rw|r]
<user> = [rw|r]
* = [rw|r]
An example (line continued lines are supposed to be on one line):
[groups]
subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \
daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \
bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \
epg,bdenny,jaa
subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
subversion-bindings = xela,yoshiki,morten,jespersm,knacke
subversion-rm = mprice
...and so on and so on...
[/]
# Allow everyone read on the entire repository
* = r
# Allow devs with blanket commit to write to the entire repository
@subversion = rw
[/trunk/doc]
@subversion-doc = rw
[/trunk/subversion/bindings]
@subversion-bindings = rw
[/branches]
@subversion-rm = rw
[/tags]
@subversion-rm = rw
[/branches/issue-650-ssl-certs]
mass = rw
[/branches/pluggable-db]
gthompson = rw
...
[/secrets]
# Just for demonstration
* =
@subversion = rw
# In case of SVNParentPath we can specify which repository we are
# referring to. If no matching repository qualified section is found,
# the general unqualified section is tried.
#
# NOTE: This will work in the case of using SVNPath as well, only the
# repository name (the last element of the url) will always be the
# same.
[dark:/]
* =
@dark = rw
[light:/]
@light = rw