Show More
| @@ -0,0 +1,80 b'' | |||||
|
|
1 | .. _svn-path-permissions: | |||
|
|
2 | ||||
|
|
3 | |svn| Enabling Path Permissions | |||
|
|
4 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
|
5 | ||||
|
|
6 | Because |RCEE| uses standard svn apache mod_svn we can take advantage of the | |||
|
|
7 | authz configuration to protect paths and branches. | |||
|
|
8 | ||||
|
|
9 | ||||
|
|
10 | Configuring RhodeCode | |||
|
|
11 | ===================== | |||
|
|
12 | ||||
|
|
13 | ||||
|
|
14 | 1. To configure path based permissions first we need to use a customized | |||
|
|
15 | mod_dav_svn.conf. | |||
|
|
16 | ||||
|
|
17 | Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. | |||
|
|
18 | And find `svn.proxy.config_template` setting. Now set a new path to read | |||
|
|
19 | the template from. For example: | |||
|
|
20 | ||||
|
|
21 | .. code-block:: ini | |||
|
|
22 | ||||
|
|
23 | svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako | |||
|
|
24 | ||||
|
|
25 | ||||
|
|
26 | 2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako` | |||
|
|
27 | You can download one from: | |||
|
|
28 | ||||
|
|
29 | `<https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/>`_ | |||
|
|
30 | ||||
|
|
31 | 3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order | |||
|
|
32 | to read the path auth file. | |||
|
|
33 | ||||
|
|
34 | Example modified config section enabling reading the authz file relative | |||
|
|
35 | to repository path. Means located in `/storage_dir/repo_name/conf/authz` | |||
|
|
36 | ||||
|
|
37 | .. code-block:: text | |||
|
|
38 | ||||
|
|
39 | ||||
|
|
40 | # snip ... | |||
|
|
41 | ||||
|
|
42 | # use specific SVN conf/authz file for each repository | |||
|
|
43 | AuthzSVNReposRelativeAccessFile authz | |||
|
|
44 | ||||
|
|
45 | Allow from all | |||
|
|
46 | # snip ... | |||
|
|
47 | ||||
|
|
48 | .. note:: | |||
|
|
49 | ||||
|
|
50 | The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all` | |||
|
|
51 | directive. | |||
|
|
52 | ||||
|
|
53 | ||||
|
|
54 | 4. Restart RhodeCode, Go to | |||
|
|
55 | the :menuselection:`Admin --> Settings --> VCS` page, and | |||
|
|
56 | click :guilabel:`Generate Apache Config`. | |||
|
|
57 | This will now generate a new configuration with enabled changes to read | |||
|
|
58 | the authz file. You can verify if changes were made by checking the generated | |||
|
|
59 | mod_dav_svn.conf file which is included in your apache configuration. | |||
|
|
60 | ||||
|
|
61 | 5. Specify new rules in the repository authz configuration. | |||
|
|
62 | edit a file in :file:`repo_name/conf/authz`. For example, we specify that | |||
|
|
63 | only admin is allowed to push to develop branch | |||
|
|
64 | ||||
|
|
65 | .. code-block:: ini | |||
|
|
66 | ||||
|
|
67 | [/branches/develop] | |||
|
|
68 | * = r | |||
|
|
69 | admin = rw | |||
|
|
70 | ||||
|
|
71 | ||||
|
|
72 | For more example see: | |||
|
|
73 | `<https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/>`_ | |||
|
|
74 | ||||
|
|
75 | Those rules also work for paths, so not only branches but all different | |||
|
|
76 | paths inside the repository can be specified. | |||
|
|
77 | ||||
|
|
78 | 6. Reload Apache. If all is configured correctly it should not be allowed to | |||
|
|
79 | commit according to specified rules. | |||
|
|
80 | ||||
| @@ -19,6 +19,7 b' The following are the most common system' | |||||
| 19 | config-files-overview |
|
19 | config-files-overview | |
| 20 | vcs-server |
|
20 | vcs-server | |
| 21 | svn-http |
|
21 | svn-http | |
|
|
22 | svn-path-permissions | |||
| 22 | gunicorn-ssl-support |
|
23 | gunicorn-ssl-support | |
| 23 | apache-config |
|
24 | apache-config | |
| 24 | nginx-config |
|
25 | nginx-config | |
| @@ -64,6 +64,9 b' RequestHeader edit Destination ^https: h' | |||||
| 64 | SVNParentPath "${parent_path_root|n}" |
|
64 | SVNParentPath "${parent_path_root|n}" | |
| 65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} | |
| 66 |
|
66 | |||
|
|
67 | # use specific SVN conf/authz file for each repository | |||
|
|
68 | #AuthzSVNReposRelativeAccessFile authz | |||
|
|
69 | ||||
| 67 | Allow from all |
|
70 | Allow from all | |
| 68 | Order allow,deny |
|
71 | Order allow,deny | |
| 69 | </Location> |
|
72 | </Location> | |
| @@ -82,6 +85,9 b' RequestHeader edit Destination ^https: h' | |||||
| 82 | SVNParentPath "${parent_path|n}" |
|
85 | SVNParentPath "${parent_path|n}" | |
| 83 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
86 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} | |
| 84 |
|
87 | |||
|
|
88 | # use specific SVN conf/authz file for each repository | |||
|
|
89 | #AuthzSVNReposRelativeAccessFile authz | |||
|
|
90 | ||||
| 85 | Allow from all |
|
91 | Allow from all | |
| 86 | Order allow,deny |
|
92 | Order allow,deny | |
| 87 | </Location> |
|
93 | </Location> | |
General Comments 0
You need to be logged in to leave comments.
Login now