@@ -0,0 +1,80 b'' | |||
|
1 | .. _svn-path-permissions: | |
|
2 | ||
|
3 | |svn| Enabling Path Permissions | |
|
4 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
|
5 | ||
|
6 | Because |RCEE| uses standard svn apache mod_svn we can take advantage of the | |
|
7 | authz configuration to protect paths and branches. | |
|
8 | ||
|
9 | ||
|
10 | Configuring RhodeCode | |
|
11 | ===================== | |
|
12 | ||
|
13 | ||
|
14 | 1. To configure path based permissions first we need to use a customized | |
|
15 | mod_dav_svn.conf. | |
|
16 | ||
|
17 | Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. | |
|
18 | And find `svn.proxy.config_template` setting. Now set a new path to read | |
|
19 | the template from. For example: | |
|
20 | ||
|
21 | .. code-block:: ini | |
|
22 | ||
|
23 | svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako | |
|
24 | ||
|
25 | ||
|
26 | 2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako` | |
|
27 | You can download one from: | |
|
28 | ||
|
29 | `<https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/>`_ | |
|
30 | ||
|
31 | 3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order | |
|
32 | to read the path auth file. | |
|
33 | ||
|
34 | Example modified config section enabling reading the authz file relative | |
|
35 | to repository path. Means located in `/storage_dir/repo_name/conf/authz` | |
|
36 | ||
|
37 | .. code-block:: text | |
|
38 | ||
|
39 | ||
|
40 | # snip ... | |
|
41 | ||
|
42 | # use specific SVN conf/authz file for each repository | |
|
43 | AuthzSVNReposRelativeAccessFile authz | |
|
44 | ||
|
45 | Allow from all | |
|
46 | # snip ... | |
|
47 | ||
|
48 | .. note:: | |
|
49 | ||
|
50 | The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all` | |
|
51 | directive. | |
|
52 | ||
|
53 | ||
|
54 | 4. Restart RhodeCode, Go to | |
|
55 | the :menuselection:`Admin --> Settings --> VCS` page, and | |
|
56 | click :guilabel:`Generate Apache Config`. | |
|
57 | This will now generate a new configuration with enabled changes to read | |
|
58 | the authz file. You can verify if changes were made by checking the generated | |
|
59 | mod_dav_svn.conf file which is included in your apache configuration. | |
|
60 | ||
|
61 | 5. Specify new rules in the repository authz configuration. | |
|
62 | edit a file in :file:`repo_name/conf/authz`. For example, we specify that | |
|
63 | only admin is allowed to push to develop branch | |
|
64 | ||
|
65 | .. code-block:: ini | |
|
66 | ||
|
67 | [/branches/develop] | |
|
68 | * = r | |
|
69 | admin = rw | |
|
70 | ||
|
71 | ||
|
72 | For more example see: | |
|
73 | `<https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/>`_ | |
|
74 | ||
|
75 | Those rules also work for paths, so not only branches but all different | |
|
76 | paths inside the repository can be specified. | |
|
77 | ||
|
78 | 6. Reload Apache. If all is configured correctly it should not be allowed to | |
|
79 | commit according to specified rules. | |
|
80 |
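Review bot: Step 3 asks the reader to add a "section" `AuthzSVNReposRelativeAccessFile` "if not yet exists", but it is a directive, and the template changed in this same commit already ships it commented out in both `<Location>` blocks (the root one and the repo-group loop), so the step should say to uncomment it in both places. Other points in this file: the intro says "mod_svn" where the rest of the docs and the template say mod_dav_svn; the path in step 1 (`home/{user}/.rccontrol/...`) is missing its leading slash; step 6 ("it should not be allowed to commit according to specified rules") would read better as a concrete check, for example that a non-admin commit to `/branches/develop` is rejected. It would also help to state which username the `admin = rw` rule is matched against, and what a repository whose `conf/authz` contains no rules will do once the directive is enabled for every repository.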
@@ -1,31 +1,32 b'' | |||
|
1 | 1 | .. _rhodecode-admin-ref: |
|
2 | 2 | |
|
3 | 3 | System Administration |
|
4 | 4 | ===================== |
|
5 | 5 | |
|
6 | 6 | The following are the most common system administration tasks. |
|
7 | 7 | |
|
8 | 8 | .. only:: latex |
|
9 | 9 | |
|
10 | 10 | * :ref:`vcs-server` |
|
11 | 11 | * :ref:`apache-ws-ref` |
|
12 | 12 | * :ref:`nginx-ws-ref` |
|
13 | 13 | * :ref:`rhodecode-tuning-ref` |
|
14 | 14 | * :ref:`indexing-ref` |
|
15 | 15 | * :ref:`rhodecode-reset-ref` |
|
16 | 16 | |
|
17 | 17 | .. toctree:: |
|
18 | 18 | |
|
19 | 19 | config-files-overview |
|
20 | 20 | vcs-server |
|
21 | 21 | svn-http |
|
22 | svn-path-permissions | |
|
22 | 23 | gunicorn-ssl-support |
|
23 | 24 | apache-config |
|
24 | 25 | nginx-config |
|
25 | 26 | backup-restore |
|
26 | 27 | tuning-rhodecode |
|
27 | 28 | indexing |
|
28 | 29 | reset-information |
|
29 | 30 | enable-debug |
|
30 | 31 | admin-tricks |
|
31 | 32 | cleanup-cmds |
@@ -1,88 +1,94 b'' | |||
|
1 | 1 | # Auto generated configuration for use with the Apache mod_dav_svn module. |
|
2 | 2 | # |
|
3 | 3 | # WARNING: Make sure your Apache instance which runs the mod_dav_svn module is |
|
4 | 4 | # only accessible by RhodeCode. Otherwise everyone is able to browse |
|
5 | 5 | # the repositories or run subversion operations (checkout/commit/etc.). |
|
6 | 6 | # |
|
7 | 7 | # The mod_dav_svn module does not support subversion repositories which are |
|
8 | 8 | # organized in subfolders. To support the repository groups of RhodeCode it is |
|
9 | 9 | # required to provide a <Location> block for each group pointing to the |
|
10 | 10 | # repository group sub folder. To ease the configuration RhodeCode auto |
|
11 | 11 | # generates this file whenever a repository group is created/changed/deleted. |
|
12 | 12 | # Auto generation can be configured in the ini file. Settings are prefixed with |
|
13 | 13 | # ``svn.proxy``. |
|
14 | 14 | # |
|
15 | 15 | # To include this configuration into your apache config you can use the |
|
16 | 16 | # `Include` directive. See the following example snippet of a virtual host how |
|
17 | 17 | # to include this configuration file. |
|
18 | 18 | # |
|
19 | 19 | # <VirtualHost *:8090> |
|
20 | 20 | # ServerAdmin webmaster@localhost |
|
21 | 21 | # DocumentRoot /var/www/html |
|
22 | 22 | # ErrorLog ${'${APACHE_LOG_DIR}'}/error.log |
|
23 | 23 | # CustomLog ${'${APACHE_LOG_DIR}'}/access.log combined |
|
24 | 24 | # LogLevel info |
|
25 | 25 | # # allows custom host names, prevents 400 errors on checkout |
|
26 | 26 | # HttpProtocolOptions Unsafe |
|
27 | 27 | # Include /path/to/generated/mod_dav_svn.conf |
|
28 | 28 | # </VirtualHost> |
|
29 | 29 | # |
|
30 | 30 | # Depending on the apache configuration you may encounter the following error if |
|
31 | 31 | # you are using special characters in your repository or repository group |
|
32 | 32 | # names. |
|
33 | 33 | # |
|
34 | 34 | # ``Error converting entry in directory '/path/to/repo' to UTF-8`` |
|
35 | 35 | # |
|
36 | 36 | # In this case you have to change the LANG environment variable in the apache |
|
37 | 37 | # configuration. This setting is typically located at ``/etc/apache2/envvars``. |
|
38 | 38 | # You have to change it to an UTF-8 value like ``export LANG="en_US.UTF-8"``. |
|
39 | 39 | # After changing this a stop and start of Apache is required (using restart |
|
40 | 40 | # doesn't work). |
|
41 | 41 | |
|
42 | 42 | # fix https -> http downgrade with DAV. It requires an header downgrade for |
|
43 | 43 | # https -> http reverse proxy to work properly |
|
44 | 44 | % if use_https: |
|
45 | 45 | RequestHeader edit Destination ^https: http: early |
|
46 | 46 | % else: |
|
47 | 47 | #RequestHeader edit Destination ^https: http: early |
|
48 | 48 | % endif |
|
49 | 49 | |
|
50 | 50 | <Location "${location_root|n}"> |
|
51 | 51 | # The mod_dav_svn module takes the username from the apache request object. |
|
52 | 52 | # Without authorization this will be empty and no username is logged for the |
|
53 | 53 | # transactions. This will result in "(no author)" for each revision. The |
|
54 | 54 | # following directives implement a fake authentication that allows every |
|
55 | 55 | # username/password combination. |
|
56 | 56 | AuthType Basic |
|
57 | 57 | AuthName "${rhodecode_realm|n}" |
|
58 | 58 | AuthBasicProvider anon |
|
59 | 59 | Anonymous * |
|
60 | 60 | Anonymous_LogEmail off |
|
61 | 61 | Require valid-user |
|
62 | 62 | |
|
63 | 63 | DAV svn |
|
64 | 64 | SVNParentPath "${parent_path_root|n}" |
|
65 | 65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
66 | 66 | |
|
67 | # use specific SVN conf/authz file for each repository | |
|
68 | #AuthzSVNReposRelativeAccessFile authz | |
|
69 | ||
|
67 | 70 | Allow from all |
|
68 | 71 | Order allow,deny |
|
69 | 72 | </Location> |
|
70 | 73 | |
|
71 | 74 | % for location, parent_path in repo_group_paths: |
|
72 | 75 | |
|
73 | 76 | <Location "${location|n}"> |
|
74 | 77 | AuthType Basic |
|
75 | 78 | AuthName "${rhodecode_realm|n}" |
|
76 | 79 | AuthBasicProvider anon |
|
77 | 80 | Anonymous * |
|
78 | 81 | Anonymous_LogEmail off |
|
79 | 82 | Require valid-user |
|
80 | 83 | |
|
81 | 84 | DAV svn |
|
82 | 85 | SVNParentPath "${parent_path|n}" |
|
83 | 86 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
84 | 87 | |
|
88 | # use specific SVN conf/authz file for each repository | |
|
89 | #AuthzSVNReposRelativeAccessFile authz | |
|
90 | ||
|
85 | 91 | Allow from all |
|
86 | 92 | Order allow,deny |
|
87 | 93 | </Location> |
|
88 | 94 | % endfor |
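Review bot: The new `#AuthzSVNReposRelativeAccessFile authz` lines sit inside `<Location>` blocks that authenticate with `AuthBasicProvider anon` and `Anonymous *`, which the template's own comment describes as accepting every username/password combination, so once uncommented the per-path rules are evaluated against a username this Apache does not verify. The comment above the directive should say that the rules only hold when this Apache instance is reachable solely by RhodeCode, as the WARNING at the top of the file already requires, and that mod_authz_svn must be loaded for the directive to be recognised. The same two lines are duplicated in the root block and in the `% for location, parent_path in repo_group_paths:` loop; a template condition in the style of the existing `% if use_https:` would let this be switched on from the ini file instead of requiring every user to maintain a custom copy of the template.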