Blanket Access Control
Description
This section is from the "Version Control with Subversion" book, by Ben Collins-Sussman, Brian W. Fitzpatrick and C. Michael Pilato. Also available from Amazon: Version Control with Subversion.
The simplest form of access control is to authorize certain users for either read-only access to a repository, or read/write access to a repository.
You can restrict access on all repository operations by
adding the Require valid-user directive
to your <Location> block. Using
our previous example, this would mean that only clients that
claimed to be either harry or
sally, and provided the correct
password for their respective username, would be allowed to
do anything with the Subversion repository:
<Location /svn> DAV svn SVNParentPath /var/svn # how to authenticate a user AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/users/file # only authenticated users may access the repository Require valid-user </Location>
Sometimes you don't need to run such a tight ship. For
example, Subversion's own source code repository at
http://svn.collab.net/repos/svn allows anyone
in the world to perform read-only repository tasks (like
checking out working copies and browsing the repository with
a web browser), but restricts all write operations to
authenticated users. To do this type of selective
restriction, you can use the Limit and
LimitExcept configuration directives.
Like the Location directive, these blocks
have starting and ending tags, and you would nest them
inside your <Location>
block.
The parameters present on the Limit
and LimitExcept directives are HTTP
request types that are affected by that block. For example,
if you wanted to disallow all access to your repository
except the currently supported read-only operations, you
would use the LimitExcept directive,
passing the GET,
PROPFIND, OPTIONS, and
REPORT request type parameters. Then the
previously mentioned Require valid-user
directive would be placed inside the
<LimitExcept> block instead of just
inside the <Location> block.
<Location /svn>
DAV svn
SVNParentPath /var/svn
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/users/file
# For any operations other than these, require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
These are only a few simple examples. For more in-depth
information about Apache access control and the
Require directive, take a look at the
Security section of the Apache
documentation's tutorials collection at http://httpd.apache.org/docs-2.0/misc/tutorials.html.
Books on Subversion:
My Books
