svn: show how to enable path based permissions.
marcink -
r2636:13329d5f default
@@ -0,0 +1,80 b''
1 .. _svn-path-permissions:
2
3 |svn| Enabling Path Permissions
4 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
5
6 Because |RCEE| uses standard svn apache mod_svn we can take advantage of the
7 authz configuration to protect paths and branches.
8
9
10 Configuring RhodeCode
11 =====================
12
13
14 1. To configure path based permissions first we need to use a customized
15 mod_dav_svn.conf.
16
17 Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.
18 And find `svn.proxy.config_template` setting. Now set a new path to read
19 the template from. For example:
20
21 .. code-block:: ini
22
23 svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako
24
25
26 2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako`
27 You can download one from:
28
29 `<https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/>`_
30
31 3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order
32 to read the path auth file.
33
34 Example modified config section enabling reading the authz file relative
35 to repository path. Means located in `/storage_dir/repo_name/conf/authz`
36
37 .. code-block:: text
38
39
40 # snip ...
41
42 # use specific SVN conf/authz file for each repository
43 AuthzSVNReposRelativeAccessFile authz
44
45 Allow from all
46 # snip ...
47
48 .. note::
49
50 The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all`
51 directive.
52
53
54 4. Restart RhodeCode, Go to
55 the :menuselection:`Admin --> Settings --> VCS` page, and
56 click :guilabel:`Generate Apache Config`.
57 This will now generate a new configuration with enabled changes to read
58 the authz file. You can verify if changes were made by checking the generated
59 mod_dav_svn.conf file which is included in your apache configuration.
60
61 5. Specify new rules in the repository authz configuration.
62 edit a file in :file:`repo_name/conf/authz`. For example, we specify that
63 only admin is allowed to push to develop branch
64
65 .. code-block:: ini
66
67 [/branches/develop]
68 * = r
69 admin = rw
70
71
72 For more example see:
73 `<https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/>`_
74
75 Those rules also work for paths, so not only branches but all different
76 paths inside the repository can be specified.
77
78 6. Reload Apache. If all is configured correctly it should not be allowed to
79 commit according to specified rules.
80
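Review bot: step 3 (new lines 31-46) tells the reader to add `AuthzSVNReposRelativeAccessFile` "if not yet exists" and shows it once, but the template changed in this same commit ships the directive commented out in two `<Location>` blocks, the root one and the one inside the `% for location, parent_path in repo_group_paths` loop. The step should say to uncomment it and state whether that has to be done in both blocks, so that repositories inside repository groups are not left out by accident. Two smaller points: step 1 (line 17) gives the ini path as `home/{user}/.rccontrol/...` without a leading slash, and step 5 only shows a `[/branches/develop]` section, so it should add a sentence on what access applies to paths that have no section in `conf/authz` (mod_authz_svn denies access when no rule matches, so a root `[/]` rule is normally needed as well).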
@@ -1,31 +1,32 b''
1 1 .. _rhodecode-admin-ref:
2 2
3 3 System Administration
4 4 =====================
5 5
6 6 The following are the most common system administration tasks.
7 7
8 8 .. only:: latex
9 9
10 10 * :ref:`vcs-server`
11 11 * :ref:`apache-ws-ref`
12 12 * :ref:`nginx-ws-ref`
13 13 * :ref:`rhodecode-tuning-ref`
14 14 * :ref:`indexing-ref`
15 15 * :ref:`rhodecode-reset-ref`
16 16
17 17 .. toctree::
18 18
19 19 config-files-overview
20 20 vcs-server
21 21 svn-http
22 svn-path-permissions
22 23 gunicorn-ssl-support
23 24 apache-config
24 25 nginx-config
25 26 backup-restore
26 27 tuning-rhodecode
27 28 indexing
28 29 reset-information
29 30 enable-debug
30 31 admin-tricks
31 32 cleanup-cmds
@@ -1,88 +1,94 b''
1 1 # Auto generated configuration for use with the Apache mod_dav_svn module.
2 2 #
3 3 # WARNING: Make sure your Apache instance which runs the mod_dav_svn module is
4 4 # only accessible by RhodeCode. Otherwise everyone is able to browse
5 5 # the repositories or run subversion operations (checkout/commit/etc.).
6 6 #
7 7 # The mod_dav_svn module does not support subversion repositories which are
8 8 # organized in subfolders. To support the repository groups of RhodeCode it is
9 9 # required to provide a <Location> block for each group pointing to the
10 10 # repository group sub folder. To ease the configuration RhodeCode auto
11 11 # generates this file whenever a repository group is created/changed/deleted.
12 12 # Auto generation can be configured in the ini file. Settings are prefixed with
13 13 # ``svn.proxy``.
14 14 #
15 15 # To include this configuration into your apache config you can use the
16 16 # `Include` directive. See the following example snippet of a virtual host how
17 17 # to include this configuration file.
18 18 #
19 19 # <VirtualHost *:8090>
20 20 # ServerAdmin webmaster@localhost
21 21 # DocumentRoot /var/www/html
22 22 # ErrorLog ${'${APACHE_LOG_DIR}'}/error.log
23 23 # CustomLog ${'${APACHE_LOG_DIR}'}/access.log combined
24 24 # LogLevel info
25 25 # # allows custom host names, prevents 400 errors on checkout
26 26 # HttpProtocolOptions Unsafe
27 27 # Include /path/to/generated/mod_dav_svn.conf
28 28 # </VirtualHost>
29 29 #
30 30 # Depending on the apache configuration you may encounter the following error if
31 31 # you are using special characters in your repository or repository group
32 32 # names.
33 33 #
34 34 # ``Error converting entry in directory '/path/to/repo' to UTF-8``
35 35 #
36 36 # In this case you have to change the LANG environment variable in the apache
37 37 # configuration. This setting is typically located at ``/etc/apache2/envvars``.
38 38 # You have to change it to an UTF-8 value like ``export LANG="en_US.UTF-8"``.
39 39 # After changing this a stop and start of Apache is required (using restart
40 40 # doesn't work).
41 41
42 42 # fix https -> http downgrade with DAV. It requires an header downgrade for
43 43 # https -> http reverse proxy to work properly
44 44 % if use_https:
45 45 RequestHeader edit Destination ^https: http: early
46 46 % else:
47 47 #RequestHeader edit Destination ^https: http: early
48 48 % endif
49 49
50 50 <Location "${location_root|n}">
51 51 # The mod_dav_svn module takes the username from the apache request object.
52 52 # Without authorization this will be empty and no username is logged for the
53 53 # transactions. This will result in "(no author)" for each revision. The
54 54 # following directives implement a fake authentication that allows every
55 55 # username/password combination.
56 56 AuthType Basic
57 57 AuthName "${rhodecode_realm|n}"
58 58 AuthBasicProvider anon
59 59 Anonymous *
60 60 Anonymous_LogEmail off
61 61 Require valid-user
62 62
63 63 DAV svn
64 64 SVNParentPath "${parent_path_root|n}"
65 65 SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n}
66 66
67 # use specific SVN conf/authz file for each repository
68 #AuthzSVNReposRelativeAccessFile authz
69
67 70 Allow from all
68 71 Order allow,deny
69 72 </Location>
70 73
71 74 % for location, parent_path in repo_group_paths:
72 75
73 76 <Location "${location|n}">
74 77 AuthType Basic
75 78 AuthName "${rhodecode_realm|n}"
76 79 AuthBasicProvider anon
77 80 Anonymous *
78 81 Anonymous_LogEmail off
79 82 Require valid-user
80 83
81 84 DAV svn
82 85 SVNParentPath "${parent_path|n}"
83 86 SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n}
84 87
88 # use specific SVN conf/authz file for each repository
89 #AuthzSVNReposRelativeAccessFile authz
90
85 91 Allow from all
86 92 Order allow,deny
87 93 </Location>
88 94 % endfor
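Review bot: the comment above the new `#AuthzSVNReposRelativeAccessFile authz` lines (new 67-68 and 88-89) should say who the authz rules are evaluated against. Both `<Location>` blocks authenticate with `AuthBasicProvider anon` and `Anonymous *`, which the template's own comment describes as "a fake authentication that allows every username/password combination", so a rule such as `admin = rw` matches on a username that Apache itself never verifies. That is only safe under the condition in the WARNING at the top of the file (the Apache instance is reachable by RhodeCode only); I would repeat that condition next to the directive, and note there that the directive needs mod_authz_svn loaded, since the new docs page only mentions the standard svn Apache module.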