SVN: Restricting Access: Difference between revisions

From The Uniform Server Wiki
No edit summary
m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric)
 
Line 1: Line 1:
=[http://ujybyqum.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
{{SVN Nav}}
{{SVN Nav}}
'''Restring Access'''
'''Restring Access'''
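Review bot: the bold title on the last line of this hunk reads "Restring Access" in both revisions, while the page title is "SVN: Restricting Access". Correct the spelling in the same edit that drops the external-link heading from the top of the page.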
Line 19: Line 18:
|
|
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn'''
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn'''
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!    
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!    
* Edit the file copied. Add name and passwords pairs accordingly, example on right:
* Edit the file copied. Add name and passwords pairs accordingly, example on right:
|
|
<pre>
<pre>
   mike:root   
   mike:root   
   john:123
   john:123
   fred:pas123   
   fred:pas123   
&lt;/pre&gt;
</pre>
|}
|}


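Review bot: the sample entries in the pre block (mike:root, john:123, fred:pas123) keep each password in clear text, so anyone who can read the file learns every password. Generate the entries with Apache's htpasswd utility so the file holds hashes, and say in the bullet above that the values shown are placeholders.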
Line 43: Line 42:
|-
|-
|
|
&lt;pre&gt;
<pre>
&lt;location /svn&gt;
<location /svn>
  DAV svn
  DAV svn
  SVNListParentPath on
  SVNListParentPath on
Line 50: Line 49:


  AuthType Basic
  AuthType Basic
  AuthName &quot;Subversion repositories&quot;
  AuthName "Subversion repositories"
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  Require valid-user
  Require valid-user
&lt;/location&gt;
</location>
&lt;/pre&gt;
</pre>
|
|
* '''AuthType Basic''' - Type of authentication is basic
* '''AuthType Basic''' - Type of authentication is basic
Line 64: Line 63:
=== Test 1 ===
=== Test 1 ===
{|
{|
|-valign=&quot;top&quot;
|-valign="top"
|
|
'''''Browser'':'''
'''''Browser'':'''
* Restart servers
* Restart servers
* Type into browser
* Type into browser
** Either &lt;nowiki&gt;http://localhost/svn/&lt;/nowiki&gt;
** Either <nowiki>http://localhost/svn/</nowiki>
** Or '''&lt;nowiki&gt;http://localhost/svn/myproject/&lt;/nowiki&gt;'''  
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>'''  
* Challenged for a name and password.
* Challenged for a name and password.
** Enter one of the name/password pairs in the above list
** Enter one of the name/password pairs in the above list
* You can now browse the repository
* You can now browse the repository
|
|
&amp;nbsp;&amp;nbsp;
&nbsp;&nbsp;
|
|
'''''Client'':'''
'''''Client'':'''
* Restart servers
* Restart servers
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on &lt;nowiki&gt;http://localhost/svn/myproject&lt;/nowiki&gt;
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
* Challenged for a name and password.
* Challenged for a name and password.
** Enter one of the name/password pairs in the above list
** Enter one of the name/password pairs in the above list
Line 96: Line 95:
Replace the above line '''Require valid-user''' with this block of code.
Replace the above line '''Require valid-user''' with this block of code.
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication.
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication.
&lt;pre&gt;
<pre>
# For any operations other than these, require an authenticated user.
# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
# Hence this block limits write permission to list of valid users.
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
Require valid-user
&lt;/LimitExcept&gt;
</LimitExcept>
&lt;/pre&gt;
</pre>
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
{|
{|
|-
|-
|
|
&lt;pre&gt;
<pre>
&lt;location /svn&gt;
<location /svn>
  DAV svn
  DAV svn
  SVNListParentPath on
  SVNListParentPath on
Line 114: Line 113:


  AuthType Basic
  AuthType Basic
  AuthName &quot;Subversion repositories&quot;
  AuthName "Subversion repositories"
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd


# For any operations other than these, require an authenticated user.
# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
# Hence this block limits write permission to list of valid users.
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
Require valid-user
&lt;/LimitExcept&gt;
</LimitExcept>


&lt;/location&gt;
</location>
&lt;/pre&gt;
</pre>
|
|
* '''AuthType Basic''' - Type of authentication is basic
* '''AuthType Basic''' - Type of authentication is basic
Line 131: Line 130:




* '''&lt;LimitExcept&gt;&lt;/LimitExcept&gt;''' Separate '''Require valid-user''' and target write requests.  
* '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests.  
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
|}
|}
Line 138: Line 137:
=== Test 2 ===
=== Test 2 ===
{|
{|
|-valign=&quot;top&quot;
|-valign="top"
|
|
'''''Browser'':'''
'''''Browser'':'''
* Restart servers
* Restart servers
* Type into browser
* Type into browser
** Either &lt;nowiki&gt;http://localhost/svn/&lt;/nowiki&gt;
** Either <nowiki>http://localhost/svn/</nowiki>
** Or '''&lt;nowiki&gt;http://localhost/svn/myproject/&lt;/nowiki&gt;'''  
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>'''  
* User can brows repository.
* User can brows repository.
|
|
&amp;nbsp;&amp;nbsp;
&nbsp;&nbsp;
|
|
'''''Client'':'''
'''''Client'':'''
* Restart servers
* Restart servers
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on &lt;nowiki&gt;http://localhost/svn/myproject&lt;/nowiki&gt;
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
* Can browse repository and create a new working copy.
* Can browse repository and create a new working copy.
* Make a change in the working copy and '''commit'''
* Make a change in the working copy and '''commit'''
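Review bot: "User can brows repository." in the Browser list should read "browse"; the same misspelling recurs in the Test 4 browser list.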
Line 177: Line 176:
|-
|-
|
|
&lt;pre&gt;
<pre>
&lt;location /svn&gt;
<location /svn>
  DAV svn
  DAV svn
  SVNListParentPath on
  SVNListParentPath on
Line 184: Line 183:


  AuthType Basic
  AuthType Basic
  AuthName &quot;Subversion repositories&quot;
  AuthName "Subversion repositories"
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  SSLRequireSSL
  SSLRequireSSL
  Require valid-user
  Require valid-user
&lt;/location&gt;
</location>
&lt;/pre&gt;
</pre>
|
|
* '''AuthType Basic''' - Type of authentication is basic
* '''AuthType Basic''' - Type of authentication is basic
Line 200: Line 199:
=== Test 3 ===
=== Test 3 ===
{|
{|
|-valign=&quot;top&quot;
|-valign="top"
|
|
'''''Browser'':'''
'''''Browser'':'''
* Restart servers
* Restart servers
* Type into browser
* Type into browser
** Either &lt;nowiki&gt;https://localhost/svn/&lt;/nowiki&gt;
** Either <nowiki>https://localhost/svn/</nowiki>
** Or '''&lt;nowiki&gt;https://localhost/svn/myproject/&lt;/nowiki&gt;'''  
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>'''  
* Challenged for a name and password.
* Challenged for a name and password.
** Enter one of the name/password pairs in the above list
** Enter one of the name/password pairs in the above list
* You can now browse the repository
* You can now browse the repository
|
|
&amp;nbsp;&amp;nbsp;
&nbsp;&nbsp;
|
|
'''''Client'':'''
'''''Client'':'''
* Restart servers
* Restart servers
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Select '''Bookmarks &gt; Add Existing Repository''' enter '''https:'''&lt;nowiki&gt;//localhost/svn/myproject&lt;/nowiki&gt;
* Select '''Bookmarks > Add Existing Repository''' enter '''https:'''<nowiki>//localhost/svn/myproject</nowiki>
* Challenged for a name and password.
* Challenged for a name and password.
** Enter one of the name/password pairs in the above list
** Enter one of the name/password pairs in the above list
Line 236: Line 235:
|-
|-
|
|
&lt;pre&gt;
<pre>
&lt;location /svn&gt;
<location /svn>
  DAV svn
  DAV svn
  SVNListParentPath on
  SVNListParentPath on
Line 243: Line 242:


  AuthType Basic
  AuthType Basic
  AuthName &quot;Subversion repositories&quot;
  AuthName "Subversion repositories"
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd


# For any operations other than these, require an authenticated user.
# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
# Hence this block limits write permission to list of valid users.
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
SSLRequireSSL
Require valid-user
Require valid-user
&lt;/LimitExcept&gt;
</LimitExcept>


&lt;/location&gt;
</location>
&lt;/pre&gt;
</pre>
|
|
* '''AuthType Basic''' - Type of authentication is basic
* '''AuthType Basic''' - Type of authentication is basic
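Review bot: SSLRequireSSL sits inside the LimitExcept block, so it only applies to methods other than GET, PROPFIND, OPTIONS and REPORT, and read requests are still answered over plain http. If reads should be encrypted as well, move SSLRequireSSL above the LimitExcept block and leave only Require valid-user inside it.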
Line 261: Line 260:




* '''&lt;LimitExcept&gt;&lt;/LimitExcept&gt;''' Separate '''Require valid-user''' and target write requests.  
* '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests.  
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL  
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL  
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
Line 269: Line 268:
=== Test 4 ===
=== Test 4 ===
{|
{|
|-valign=&quot;top&quot;
|-valign="top"
|
|
'''''Browser'':'''
'''''Browser'':'''
* Restart servers
* Restart servers
* Type into browser
* Type into browser
** Either &lt;nowiki&gt;https://localhost/svn/&lt;/nowiki&gt;
** Either <nowiki>https://localhost/svn/</nowiki>
** Or '''&lt;nowiki&gt;https://localhost/svn/myproject/&lt;/nowiki&gt;'''  
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>'''  
* User can brows repository.
* User can brows repository.
|
|
&amp;nbsp;&amp;nbsp;
&nbsp;&nbsp;
|
|
'''''Client'':'''
'''''Client'':'''
* Restart servers
* Restart servers
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on &lt;nowiki&gt;https://localhost/svn/myproject&lt;/nowiki&gt;
* In bookmarks click on <nowiki>https://localhost/svn/myproject</nowiki>
* Can browse repository and create a new working copy.
* Can browse repository and create a new working copy.
* Make a change in the working copy and '''commit'''
* Make a change in the working copy and '''commit'''

Latest revision as of 08:22, 24 November 2010

 

MPG

Uniform Server 5.0-Nano.
Subversion (SVN)

Restricting Access

With the current configuration, putting SVN on-line means anyone can access and modify your Subversion repositories. In terms of data loss this is not an issue: all modifications to a repository are captured and can be reverted.

That said, it's a good idea to restrict access to individuals who are allowed to commit to a repository. If your project data is particularly sensitive, restrict access and encrypt all transactions.

This page covers the above scenarios.

Password file

The first requirement is to create a password file containing a list of names and passwords for all users allowed access to repositories.

UniServer has a simple convention: all password files are contained in folder UniServer\htpasswd, which contains sub-folders that match the path to the folder being protected.

Finally, inside this folder is the password file .htpasswd.

  • Create the folder C:\a_svn\UniServer\htpasswd\svn
  • Copy an existing .htpasswd password file to the above folder. Windows is a pain if a file has no name!
  • Edit the file copied. Add name and password pairs accordingly, example below:

  mike:root
  john:123
  fred:pas123

Note: All the following examples use this file.

Basic Authentication

Basic authentication is very easy to set up. It's not intended to be secure but is more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.

Note: Passwords and data can be sniffed and access gained.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the four lines as shown to the location block.

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 Require valid-user
</location>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in a browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 1

Browser:

  • Restart servers
  • Type into browser
    • Either http://localhost/svn/
    • Or http://localhost/svn/myproject/
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on http://localhost/svn/myproject
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note: All repositories are protected.

Basic Authentication - Less Draconian

The above is draconian: only authorised users can view the repository. Generally, for an open source project you want users to have the ability to browse a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.

Selectively target

Replace the above line Require valid-user with this block of code. The line has been wrapped within a LimitExcept directive. This targets any requests other than a read and forces authentication.

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>

</location>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in a browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • <LimitExcept></LimitExcept> - Wraps Require valid-user so that it targets write requests only.
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 2

Browser:

  • Restart servers
  • Type into browser
    • Either http://localhost/svn/
    • Or http://localhost/svn/myproject/
  • User can browse repository.

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on http://localhost/svn/myproject
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection.

Basic Authentication + SSL

I have shown how easy it is to set up basic authentication. Securing this with SSL is just as easy: it only requires the addition of a single line.

Sounds too good to be true! Well, yes, because you do require a server certificate. If you have not already created a server certificate, do so now as follows:

  • Left or right mouse click on UniTray Icon
  • Mouse-over Advanced and click Server Certificate and key Generator
  • Press enter at all prompts to accept the default values.
  • Restart servers.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add a single line as shown:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 SSLRequireSSL
 Require valid-user
</location>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in a browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • SSLRequireSSL - Informs Apache the connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 3

Browser:

  • Restart servers
  • Type into browser
    • Either https://localhost/svn/
    • Or https://localhost/svn/myproject/
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • Select Bookmarks > Add Existing Repository enter https://localhost/svn/myproject
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note 1: All repositories are protected.

Note 2: Remember to use https

Basic Authentication - Less Draconian + SSL

Similar to the above, only this time there is no need to create a server certificate (assumes you already created one, see above). We take the less-draconian solution and add a single line as shown below:

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
Require valid-user
</LimitExcept>

</location>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in a browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • <LimitExcept></LimitExcept> - Wraps Require valid-user so that it targets write requests only.
  • SSLRequireSSL - Informs Apache the connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 4

Browser:

  • Restart servers
  • Type into browser
    • Either https://localhost/svn/
    • Or https://localhost/svn/myproject/
  • User can browse repository.

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on https://localhost/svn/myproject
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection.
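
An added example, not part of the original tutorial: a small Python audit that reads a location block and a password file like the ones above and reports which of the four set-ups send Basic credentials or repository reads over plain HTTP, and which password entries are stored unhashed. The function names, finding codes and the hashed sample entry are assumptions made for this illustration; the hash-prefix check is a heuristic.

```python
import re

# Prefixes documented for hashed htpasswd entries: apr1-MD5, bcrypt, SHA-1.
HASH_PREFIXES = ("$apr1$", "$2y$", "{SHA}")

# Constructed sample: the page's three entries plus one made-up hashed entry.
SAMPLE_HTPASSWD = ("mike:root\njohn:123\nfred:pas123\n"
                   "ann:$apr1$CONSTRUCTED$notARealHashValue00000\n")

# The page's location block, split so its four variants can be rebuilt.
HEAD = """<location /svn>
  DAV svn
  SVNListParentPath on
  SVNParentPath C:/a_svn/UniServer/svn
  AuthType Basic
  AuthName "Subversion repositories"
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
"""
LIMIT = "<LimitExcept GET PROPFIND OPTIONS REPORT>\n%sRequire valid-user\n</LimitExcept>\n"
CONFIGS = {
    "test1": HEAD + "Require valid-user\n</location>",
    "test2": HEAD + LIMIT % "" + "</location>",
    "test3": HEAD + "SSLRequireSSL\nRequire valid-user\n</location>",
    "test4": HEAD + LIMIT % "SSLRequireSSL\n" + "</location>",
}

def plaintext_users(htpasswd_text):
    """Names whose password field has no known hash prefix (heuristic)."""
    users = []
    for line in htpasswd_text.splitlines():
        user, sep, secret = line.strip().partition(":")
        if sep and not user.startswith("#") and not secret.startswith(HASH_PREFIXES):
            users.append(user)
    return users

def audit_location(conf_text):
    """Findings for one location block, as a sorted list of short codes."""
    scope, directives = "block", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<LimitExcept\b", line, re.I):
            scope = "limit"    # what follows applies to non-listed methods only
        elif re.match(r"</LimitExcept\s*>", line, re.I):
            scope = "block"
        elif not line.startswith("<"):
            name, _, args = line.partition(" ")
            directives.append((name.lower(), args.strip().lower(), scope))
    scopes = lambda name: {s for n, _, s in directives if n == name}
    basic = any(n == "authtype" and a == "basic" for n, a, _ in directives)
    ssl, require = scopes("sslrequiressl"), scopes("require")
    findings = []
    if basic and not ssl:
        findings.append("basic-auth-over-plain-http")     # credentials can be sniffed
    if ssl == {"limit"}:
        findings.append("reads-allowed-over-plain-http")  # only writes forced onto SSL
    if require == {"limit"}:
        findings.append("anonymous-read-access")          # intended in "less draconian"
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in CONFIGS.items():
        print(name, audit_location(conf) or "no findings")
    print("unhashed entries:", plaintext_users(SAMPLE_HTPASSWD))
```

Only the Test 3 block comes back with no findings; the anonymous-read finding on Test 2 and Test 4 is the stated intent of the less draconian set-up and is reported for visibility only.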

Summary

On this page I have shown that restricting access to repositories is not difficult. Securing using SSL is just as easy, requiring only a single line.

You can employ more selective authorisation. Although I have not covered this, at least you have a working base to work from.

Basic authentication with SSL encryption is more than adequate for small teams and personal use.

Conclusion

This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano, culminating in a portable version. Once copied to a USB memory stick, remember to set the new paths in RapidSVN. Being a complete package, it allows you to explore the whole process of version control. Once you have created a working server, back it up. Use a copy to explore; should you break it, just delete the files and start again from a new copy of your backup.