Difference between revisions of "SVN: Restricting Access"

From The Uniform Server Wiki
Jump to navigation Jump to search
(New page: {{SVN Nav}} '''Restring Access''' With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an ...)
 
Line 1: Line 1:
 +
=[http://ujybyqum.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=
 
{{SVN Nav}}
 
{{SVN Nav}}
 
'''Restring Access'''
 
'''Restring Access'''
Line 18: Line 19:
 
|
 
|
 
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn'''
 
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn'''
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!    
+
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!    
 
* Edit the file copied. Add name and passwords pairs accordingly, example on right:
 
* Edit the file copied. Add name and passwords pairs accordingly, example on right:
 
|
 
|
<pre>
+
&lt;pre&gt;
 
   mike:root   
 
   mike:root   
 
   john:123
 
   john:123
 
   fred:pas123   
 
   fred:pas123   
</pre>
+
&lt;/pre&gt;
 
|}
 
|}
  
Line 42: Line 43:
 
|-
 
|-
 
|
 
|
<pre>
+
&lt;pre&gt;
<location /svn>
+
&lt;location /svn&gt;
 
  DAV svn
 
  DAV svn
 
  SVNListParentPath on
 
  SVNListParentPath on
Line 49: Line 50:
  
 
  AuthType Basic
 
  AuthType Basic
  AuthName "Subversion repositories"
+
  AuthName &quot;Subversion repositories&quot;
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  Require valid-user
 
  Require valid-user
</location>
+
&lt;/location&gt;
</pre>
+
&lt;/pre&gt;
 
|
 
|
 
* '''AuthType Basic''' - Type of authentication is basic
 
* '''AuthType Basic''' - Type of authentication is basic
Line 63: Line 64:
 
=== Test 1 ===
 
=== Test 1 ===
 
{|
 
{|
|-valign="top"
+
|-valign=&quot;top&quot;
 
|
 
|
 
'''''Browser'':'''
 
'''''Browser'':'''
 
* Restart servers
 
* Restart servers
 
* Type into browser
 
* Type into browser
** Either <nowiki>http://localhost/svn/</nowiki>
+
** Either &lt;nowiki&gt;http://localhost/svn/&lt;/nowiki&gt;
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>'''  
+
** Or '''&lt;nowiki&gt;http://localhost/svn/myproject/&lt;/nowiki&gt;'''  
 
* Challenged for a name and password.
 
* Challenged for a name and password.
 
** Enter one of the name/password pairs in the above list
 
** Enter one of the name/password pairs in the above list
 
* You can now browse the repository
 
* You can now browse the repository
 
|
 
|
&nbsp;&nbsp;
+
&amp;nbsp;&amp;nbsp;
 
|
 
|
 
'''''Client'':'''
 
'''''Client'':'''
 
* Restart servers
 
* Restart servers
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
+
* In bookmarks click on &lt;nowiki&gt;http://localhost/svn/myproject&lt;/nowiki&gt;
 
* Challenged for a name and password.
 
* Challenged for a name and password.
 
** Enter one of the name/password pairs in the above list
 
** Enter one of the name/password pairs in the above list
Line 95: Line 96:
 
Replace the above line '''Require valid-user''' with this block of code.
 
Replace the above line '''Require valid-user''' with this block of code.
 
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication.
 
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication.
<pre>
+
&lt;pre&gt;
 
# For any operations other than these, require an authenticated user.
 
# For any operations other than these, require an authenticated user.
 
# Hence this block limits write permission to list of valid users.
 
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
+
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
 
Require valid-user
 
Require valid-user
</LimitExcept>
+
&lt;/LimitExcept&gt;
</pre>
+
&lt;/pre&gt;
 
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
 
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
 
{|
 
{|
 
|-
 
|-
 
|
 
|
<pre>
+
&lt;pre&gt;
<location /svn>
+
&lt;location /svn&gt;
 
  DAV svn
 
  DAV svn
 
  SVNListParentPath on
 
  SVNListParentPath on
Line 113: Line 114:
  
 
  AuthType Basic
 
  AuthType Basic
  AuthName "Subversion repositories"
+
  AuthName &quot;Subversion repositories&quot;
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  
 
# For any operations other than these, require an authenticated user.
 
# For any operations other than these, require an authenticated user.
 
# Hence this block limits write permission to list of valid users.
 
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
+
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
 
Require valid-user
 
Require valid-user
</LimitExcept>
+
&lt;/LimitExcept&gt;
  
</location>
+
&lt;/location&gt;
</pre>
+
&lt;/pre&gt;
 
|
 
|
 
* '''AuthType Basic''' - Type of authentication is basic
 
* '''AuthType Basic''' - Type of authentication is basic
Line 130: Line 131:
  
  
* '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests.  
+
* '''&lt;LimitExcept&gt;&lt;/LimitExcept&gt;''' Separate '''Require valid-user''' and target write requests.  
 
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
 
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
 
|}
 
|}
Line 137: Line 138:
 
=== Test 2 ===
 
=== Test 2 ===
 
{|
 
{|
|-valign="top"
+
|-valign=&quot;top&quot;
 
|
 
|
 
'''''Browser'':'''
 
'''''Browser'':'''
 
* Restart servers
 
* Restart servers
 
* Type into browser
 
* Type into browser
** Either <nowiki>http://localhost/svn/</nowiki>
+
** Either &lt;nowiki&gt;http://localhost/svn/&lt;/nowiki&gt;
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>'''  
+
** Or '''&lt;nowiki&gt;http://localhost/svn/myproject/&lt;/nowiki&gt;'''  
 
* User can brows repository.
 
* User can brows repository.
 
|
 
|
&nbsp;&nbsp;
+
&amp;nbsp;&amp;nbsp;
 
|
 
|
 
'''''Client'':'''
 
'''''Client'':'''
 
* Restart servers
 
* Restart servers
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
+
* In bookmarks click on &lt;nowiki&gt;http://localhost/svn/myproject&lt;/nowiki&gt;
 
* Can browse repository and create a new working copy.
 
* Can browse repository and create a new working copy.
 
* Make a change in the working copy and '''commit'''
 
* Make a change in the working copy and '''commit'''
Line 176: Line 177:
 
|-
 
|-
 
|
 
|
<pre>
+
&lt;pre&gt;
<location /svn>
+
&lt;location /svn&gt;
 
  DAV svn
 
  DAV svn
 
  SVNListParentPath on
 
  SVNListParentPath on
Line 183: Line 184:
  
 
  AuthType Basic
 
  AuthType Basic
  AuthName "Subversion repositories"
+
  AuthName &quot;Subversion repositories&quot;
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  SSLRequireSSL
 
  SSLRequireSSL
 
  Require valid-user
 
  Require valid-user
</location>
+
&lt;/location&gt;
</pre>
+
&lt;/pre&gt;
 
|
 
|
 
* '''AuthType Basic''' - Type of authentication is basic
 
* '''AuthType Basic''' - Type of authentication is basic
Line 199: Line 200:
 
=== Test 3 ===
 
=== Test 3 ===
 
{|
 
{|
|-valign="top"
+
|-valign=&quot;top&quot;
 
|
 
|
 
'''''Browser'':'''
 
'''''Browser'':'''
 
* Restart servers
 
* Restart servers
 
* Type into browser
 
* Type into browser
** Either <nowiki>https://localhost/svn/</nowiki>
+
** Either &lt;nowiki&gt;https://localhost/svn/&lt;/nowiki&gt;
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>'''  
+
** Or '''&lt;nowiki&gt;https://localhost/svn/myproject/&lt;/nowiki&gt;'''  
 
* Challenged for a name and password.
 
* Challenged for a name and password.
 
** Enter one of the name/password pairs in the above list
 
** Enter one of the name/password pairs in the above list
 
* You can now browse the repository
 
* You can now browse the repository
 
|
 
|
&nbsp;&nbsp;
+
&amp;nbsp;&amp;nbsp;
 
|
 
|
 
'''''Client'':'''
 
'''''Client'':'''
 
* Restart servers
 
* Restart servers
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* Select '''Bookmarks > Add Existing Repository''' enter '''https:'''<nowiki>//localhost/svn/myproject</nowiki>
+
* Select '''Bookmarks &gt; Add Existing Repository''' enter '''https:'''&lt;nowiki&gt;//localhost/svn/myproject&lt;/nowiki&gt;
 
* Challenged for a name and password.
 
* Challenged for a name and password.
 
** Enter one of the name/password pairs in the above list
 
** Enter one of the name/password pairs in the above list
Line 235: Line 236:
 
|-
 
|-
 
|
 
|
<pre>
+
&lt;pre&gt;
<location /svn>
+
&lt;location /svn&gt;
 
  DAV svn
 
  DAV svn
 
  SVNListParentPath on
 
  SVNListParentPath on
Line 242: Line 243:
  
 
  AuthType Basic
 
  AuthType Basic
  AuthName "Subversion repositories"
+
  AuthName &quot;Subversion repositories&quot;
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 
  AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  
 
# For any operations other than these, require an authenticated user.
 
# For any operations other than these, require an authenticated user.
 
# Hence this block limits write permission to list of valid users.
 
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
+
&lt;LimitExcept GET PROPFIND OPTIONS REPORT&gt;
 
SSLRequireSSL
 
SSLRequireSSL
 
Require valid-user
 
Require valid-user
</LimitExcept>
+
&lt;/LimitExcept&gt;
  
</location>
+
&lt;/location&gt;
</pre>
+
&lt;/pre&gt;
 
|
 
|
 
* '''AuthType Basic''' - Type of authentication is basic
 
* '''AuthType Basic''' - Type of authentication is basic
Line 260: Line 261:
  
  
* '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests.  
+
* '''&lt;LimitExcept&gt;&lt;/LimitExcept&gt;''' Separate '''Require valid-user''' and target write requests.  
 
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL  
 
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL  
 
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
 
* '''Require valid-user''' - Informs Apache all users must supply a name and password.   
Line 268: Line 269:
 
=== Test 4 ===
 
=== Test 4 ===
 
{|
 
{|
|-valign="top"
+
|-valign=&quot;top&quot;
 
|
 
|
 
'''''Browser'':'''
 
'''''Browser'':'''
 
* Restart servers
 
* Restart servers
 
* Type into browser
 
* Type into browser
** Either <nowiki>https://localhost/svn/</nowiki>
+
** Either &lt;nowiki&gt;https://localhost/svn/&lt;/nowiki&gt;
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>'''  
+
** Or '''&lt;nowiki&gt;https://localhost/svn/myproject/&lt;/nowiki&gt;'''  
 
* User can brows repository.
 
* User can brows repository.
 
|
 
|
&nbsp;&nbsp;
+
&amp;nbsp;&amp;nbsp;
 
|
 
|
 
'''''Client'':'''
 
'''''Client'':'''
 
* Restart servers
 
* Restart servers
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
 
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)  
* In bookmarks click on <nowiki>https://localhost/svn/myproject</nowiki>
+
* In bookmarks click on &lt;nowiki&gt;https://localhost/svn/myproject&lt;/nowiki&gt;
 
* Can browse repository and create a new working copy.
 
* Can browse repository and create a new working copy.
 
* Make a change in the working copy and '''commit'''
 
* Make a change in the working copy and '''commit'''

Revision as of 01:15, 24 November 2010

Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly

 

MPG

Uniform Server 5.0-Nano.
Subversion (SVN)

Restring Access

With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an issue, all modification to a repository are captured and can be reverted.

That said it’s a good idea to restrict access to individuals who are allowed to commit to a repository. Your project data may be particularly sensitive in this scenario restrict access and encrypt all transaction.

This page covers the above scenarios.

Password file

First requirement is to create a password file containing a list of names and passwords for all users allowed access to repositories.

UniServer has a simple convention all password files are contained in folder UniServer\htpasswd this contains sub-folders that match the path to the folder being protected.

Finally inside this folder is the password file .htpasswd.

  • Create the folder C:\a_svn\UniServer\htpasswd\svn
  • Copy an existing .htpasswd password file to the above folder. Windows is a pain if a file has no name!&nbsp;&nbsp;
  • Edit the file copied. Add name and passwords pairs accordingly, example on right:

<pre>

 mike:root  
 john:123
 fred:pas123  

</pre>

Note: All the following examples use this file.

Top

Basic Authentication

Basic authentication is very easy to set-up, its not indented to be secure but more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.

Note: Passwords and data can be sniffed and access gained.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add the four lines as shown to the location block.

<pre> <location /svn>

DAV svn
SVNListParentPath on
SVNParentPath C:/a_svn/UniServer/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
Require valid-user

</location> </pre>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed a browsers challenge pop-up box
  • AuthUserFile - Path to the password file
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 1

Browser:

&nbsp;&nbsp;

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note: All repositories are protected.

Top

Basic Authentication - Less Draconian

The above is draconian, only authorised users can view the repository. Generally for an open source project you want users to have the ability to brows a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.

Selectively target

Replace the above line Require valid-user with this block of code. The line has been wrapped within a LimitExcept directive. This targets any requests other than a read and forces authentication. <pre>

  1. For any operations other than these, require an authenticated user.
  2. Hence this block limits write permission to list of valid users.

<LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </pre> Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:

<pre> <location /svn>

DAV svn
SVNListParentPath on
SVNParentPath C:/a_svn/UniServer/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  1. For any operations other than these, require an authenticated user.
  2. Hence this block limits write permission to list of valid users.

<LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept>

</location> </pre>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed a browsers challenge pop-up box
  • AuthUserFile - Path to the password file


  • <LimitExcept></LimitExcept> Separate Require valid-user and target write requests.
  • Require valid-user - Informs Apache all users must supply a name and password.

Top

Test 2

Browser:

&nbsp;&nbsp;

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki>
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection..

Top

Basic Authentication + SSL

I have show how easy it is to set-up basic authentication and securing this with SSL is just as easy, only requires the addition of a single.

Sounds to good to be true! Well yes because you do require a server certificate. If you have not already created a server certificate do so now as follows:

  • Left or right mouse click on UniTray Icon
  • Mouse-over Advanced and click Server Certificate and key Generator
  • Press enter at all prompts to accept the default values.
  • Restart servers.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add add single line as shown:

<pre> <location /svn>

DAV svn
SVNListParentPath on
SVNParentPath C:/a_svn/UniServer/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
SSLRequireSSL
Require valid-user

</location> </pre>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed a browsers challenge pop-up box
  • AuthUserFile - Path to the password file
  • SSLRequireSSL - Informs Apache connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 3

Browser:

&nbsp;&nbsp;

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • Select Bookmarks > Add Existing Repository enter https:<nowiki>//localhost/svn/myproject</nowiki>
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note 1: All repositories are protected.

Note 2: Remember to use https

Top

Basic Authentication - Less Draconian + SSL

Similar to the above only this time no need to create a server certificate (assumes you aready creadted one see above). We take the less-draconian solution and add a single line as show blow:

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:

<pre> <location /svn>

DAV svn
SVNListParentPath on
SVNParentPath C:/a_svn/UniServer/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
  1. For any operations other than these, require an authenticated user.
  2. Hence this block limits write permission to list of valid users.

<LimitExcept GET PROPFIND OPTIONS REPORT> SSLRequireSSL Require valid-user </LimitExcept>

</location> </pre>

  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed a browsers challenge pop-up box
  • AuthUserFile - Path to the password file


  • <LimitExcept></LimitExcept> Separate Require valid-user and target write requests.
  • SSLRequireSSL - Informs Apache connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Top

Test 4

Browser:

&nbsp;&nbsp;

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on <nowiki>https://localhost/svn/myproject</nowiki>
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection..

Summary

On this page I have shown restricting access to repositories is not difficult. Securing using SSL is just as easy requiring only a single line.

You can employ more selective authorisation although I have not covered this at least you have a working base to work from.

Basic authentication with SSL encryption is more than adequate for small teams and personal use.

Top

Related links

Top

Conclusion

This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano cumulating in a portable version. Once copied to a USB memory stick remember to set the new paths in RapidSVN. Being a complete package it allows you to explore the whole process of version control. Once you have created a working server back it up. Use a copy to explore should you break it just delete the files and start again from a new copy of your back up.

Top