# HG changeset patch # User Marcin Kuzminski # Date 2018-02-21 15:47:06 # Node ID 13329d5faa6aed076a36a3e75307e9d7da4b9a96 # Parent 1a07b2617e0564aa738a04d89ebe193fdc00d143 svn: show how to enable path based permissions. diff --git a/docs/admin/svn-path-permissions.rst b/docs/admin/svn-path-permissions.rst new file mode 100644 --- /dev/null +++ b/docs/admin/svn-path-permissions.rst 
@@ -0,0 +1,80 @@ +.. _svn-path-permissions: + +|svn| Enabling Path Permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Because |RCEE| uses standard svn apache mod_svn we can take advantage of the +authz configuration to protect paths and branches. + + +Configuring RhodeCode +===================== + + +1. To configure path based permissions first we need to use a customized + mod_dav_svn.conf. + + Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. + And find `svn.proxy.config_template` setting. Now set a new path to read + the template from. For example: + + .. code-block:: ini + + svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako + + +2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako` + You can download one from: + + ``_ + +3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order + to read the path auth file. + + Example modified config section enabling reading the authz file relative + to repository path. Means located in `/storage_dir/repo_name/conf/authz` + + .. code-block:: text + + + # snip ... + + # use specific SVN conf/authz file for each repository + AuthzSVNReposRelativeAccessFile authz + + Allow from all + # snip ... + + .. note:: + + The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all` + directive. + + +4. Restart RhodeCode, Go to + the :menuselection:`Admin --> Settings --> VCS` page, and + click :guilabel:`Generate Apache Config`. + This will now generate a new configuration with enabled changes to read + the authz file. You can verify if changes were made by checking the generated + mod_dav_svn.conf file which is included in your apache configuration. + +5. Specify new rules in the repository authz configuration. + edit a file in :file:`repo_name/conf/authz`. For example, we specify that + only admin is allowed to push to develop branch + + .. 
code-block:: ini + + [/branches/develop] + * = r + admin = rw + + + For more example see: + ``_ + + Those rules also work for paths, so not only branches but all different + paths inside the repository can be specified. + +6. Reload Apache. If all is configured correctly it should not be allowed to + commit according to specified rules. + diff --git a/docs/admin/system-admin.rst b/docs/admin/system-admin.rst --- a/docs/admin/system-admin.rst +++ b/docs/admin/system-admin.rst @@ -19,6 +19,7 @@ The following are the most common system config-files-overview vcs-server svn-http + svn-path-permissions gunicorn-ssl-support apache-config nginx-config diff --git a/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako b/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako --- a/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako +++ b/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako @@ -64,6 +64,9 @@ RequestHeader edit Destination ^https: h SVNParentPath "${parent_path_root|n}" SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} + # use specific SVN conf/authz file for each repository + #AuthzSVNReposRelativeAccessFile authz + Allow from all Order allow,deny @@ -82,6 +85,9 @@ RequestHeader edit Destination ^https: h SVNParentPath "${parent_path|n}" SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} + # use specific SVN conf/authz file for each repository + #AuthzSVNReposRelativeAccessFile authz + Allow from all Order allow,deny
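Review bot: in the new docs/admin/svn-path-permissions.rst hunk, the authz example in step 5 (`[/branches/develop]` with `* = r` and `admin = rw`) has no `[/]` section; mod_authz_svn grants nothing to a path that no rule covers, so once that file is in place every user other than those matched by the branch section loses access to the rest of the repository, not just to `/branches/develop`. Suggest adding a root section such as `[/]` with `* = rw` (or `* = r`, whichever baseline is intended) above the branch section and saying in the text that rules are deny-by-default. Two smaller points in the same hunk: the ini path in step 1 reads `home/{user}/.rccontrol/{instance-id}/rhodecode.ini` and is missing the leading `/`, and step 3 calls `AuthzSVNReposRelativeAccessFile` a "section" when it is an Apache directive placed inside the location block.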
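Review bot: in the first rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako hunk (`@@ -64,6 +64,9 @@`) the directive ships commented out (`#AuthzSVNReposRelativeAccessFile authz`), so the generated config changes nothing by itself and, as the docs hunk describes, the admin has to copy and edit the whole template to turn it on. `AuthzSVNReposRelativeAccessFile` is provided by mod_authz_svn; on an Apache that does not load that module, uncommenting the line makes the generated config fail to parse and Apache refuses to start. Suggest either wrapping the directive in `<IfModule authz_svn_module>` or stating the module requirement in the comment, and consider emitting the line from a template variable fed by an `svn.proxy.*` ini setting instead of a comment, so path permissions can be enabled without maintaining a private copy of the template.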
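Review bot: the second mod-dav-svn.conf.mako hunk (`@@ -82,6 +85,9 @@`) repeats the identical two-line block from the first hunk, once per `SVNParentPath` location (`parent_path_root` and `parent_path`); if this is ever turned into a real toggleable directive it will have to be kept in sync in both places by hand. Suggest factoring the block into a Mako `<%def>` or a single template variable used by both locations. For the record, a single `#` is not a Mako comment (that is `##`), so the line is rendered into the generated Apache config as an Apache comment, which is the intended behaviour here.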