@@ -0,0 +1,80 b'' | |||
|
1 | .. _svn-path-permissions: | |
|
2 | ||
|
3 | |svn| Enabling Path Permissions | |
|
4 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
|
5 | ||
|
6 | Because |RCEE| uses standard svn apache mod_svn we can take advantage of the | |
|
7 | authz configuration to protect paths and branches. | |
|
8 | ||
|
9 | ||
|
10 | Configuring RhodeCode | |
|
11 | ===================== | |
|
12 | ||
|
13 | ||
|
14 | 1. To configure path based permissions first we need to use a customized | |
|
15 | mod_dav_svn.conf. | |
|
16 | ||
|
17 | Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. | |
|
18 | And find `svn.proxy.config_template` setting. Now set a new path to read | |
|
19 | the template from. For example: | |
|
20 | ||
|
21 | .. code-block:: ini | |
|
22 | ||
|
23 | svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako | |
|
24 | ||
|
25 | ||
|
26 | 2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako` | |
|
27 | You can download one from: | |
|
28 | ||
|
29 | `<https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/>`_ | |
|
30 | ||
|
31 | 3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order | |
|
32 | to read the path auth file. | |
|
33 | ||
|
34 | Example modified config section enabling reading the authz file relative | |
|
35 | to repository path. Means located in `/storage_dir/repo_name/conf/authz` | |
|
36 | ||
|
37 | .. code-block:: text | |
|
38 | ||
|
39 | ||
|
40 | # snip ... | |
|
41 | ||
|
42 | # use specific SVN conf/authz file for each repository | |
|
43 | AuthzSVNReposRelativeAccessFile authz | |
|
44 | ||
|
45 | Allow from all | |
|
46 | # snip ... | |
|
47 | ||
|
48 | .. note:: | |
|
49 | ||
|
50 | The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all` | |
|
51 | directive. | |
|
52 | ||
|
53 | ||
|
54 | 4. Restart RhodeCode, Go to | |
|
55 | the :menuselection:`Admin --> Settings --> VCS` page, and | |
|
56 | click :guilabel:`Generate Apache Config`. | |
|
57 | This will now generate a new configuration with enabled changes to read | |
|
58 | the authz file. You can verify if changes were made by checking the generated | |
|
59 | mod_dav_svn.conf file which is included in your apache configuration. | |
|
60 | ||
|
61 | 5. Specify new rules in the repository authz configuration. | |
|
62 | edit a file in :file:`repo_name/conf/authz`. For example, we specify that | |
|
63 | only admin is allowed to push to develop branch | |
|
64 | ||
|
65 | .. code-block:: ini | |
|
66 | ||
|
67 | [/branches/develop] | |
|
68 | * = r | |
|
69 | admin = rw | |
|
70 | ||
|
71 | ||
|
72 | For more example see: | |
|
73 | `<https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/>`_ | |
|
74 | ||
|
75 | Those rules also work for paths, so not only branches but all different | |
|
76 | paths inside the repository can be specified. | |
|
77 | ||
|
78 | 6. Reload Apache. If all is configured correctly it should not be allowed to | |
|
79 | commit according to specified rules. | |
|
80 |
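Review bot: The authz example in step 5 (new lines 67-69) defines only ``[/branches/develop]``, and mod_authz_svn denies access to any path that no rule matches, so a reader who uses it as the whole file locks every user out of the rest of the repository. Add a root section ahead of it, for example ``[/]`` with ``* = rw``, and have step 6 say how to confirm the result: a commit under /branches/develop by a non-admin user should be rejected, and the same commit by admin should succeed. Smaller points: the ``:file:`` path on line 17 is missing its leading slash, and step 3 calls ``AuthzSVNReposRelativeAccessFile`` a section when it is a directive.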
@@ -19,6 +19,7 b' The following are the most common system' | |||
|
19 | 19 | config-files-overview |
|
20 | 20 | vcs-server |
|
21 | 21 | svn-http |
|
22 | svn-path-permissions | |
|
22 | 23 | gunicorn-ssl-support |
|
23 | 24 | apache-config |
|
24 | 25 | nginx-config |
@@ -64,6 +64,9 b' RequestHeader edit Destination ^https: h' | |||
|
64 | 64 | SVNParentPath "${parent_path_root|n}" |
|
65 | 65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
66 | 66 | |
|
67 | # use specific SVN conf/authz file for each repository | |
|
68 | #AuthzSVNReposRelativeAccessFile authz | |
|
69 | ||
|
67 | 70 | Allow from all |
|
68 | 71 | Order allow,deny |
|
69 | 72 | </Location> |
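Review bot: With the directive shipped commented out here, step 3 of the new doc page ("Add (if not yet exists)") no longer matches the stock template; readers who download this file need to be told to uncomment the line instead. Since the SVNListParentPath line just above is already driven by a template conditional, consider switching this directive on from a setting in the same way, so that enabling path permissions does not require maintaining a custom copy of the template.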
@@ -82,6 +85,9 b' RequestHeader edit Destination ^https: h' | |||
|
82 | 85 | SVNParentPath "${parent_path|n}" |
|
83 | 86 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
84 | 87 | |
|
88 | # use specific SVN conf/authz file for each repository | |
|
89 | #AuthzSVNReposRelativeAccessFile authz | |
|
90 | ||
|
85 | 91 | Allow from all |
|
86 | 92 | Order allow,deny |
|
87 | 93 | </Location> |
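Review bot: The directive has to be enabled in this Location block as well as the ``parent_path_root`` one above, but the doc page shows it only once; if a user uncomments it in one block and not the other, requests served by the remaining block are not checked against conf/authz. State in the doc that both blocks need the line, and that it sits above ``Allow from all`` in each.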