@@ -0,0 +1,80 b'' | |||||
|
1 | .. _svn-path-permissions: | |||
|
2 | ||||
|
3 | |svn| Enabling Path Permissions | |||
|
4 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
5 | ||||
|
6 | Because |RCEE| uses standard svn apache mod_svn we can take advantage of the | |||
|
7 | authz configuration to protect paths and branches. | |||
|
8 | ||||
|
9 | ||||
|
10 | Configuring RhodeCode | |||
|
11 | ===================== | |||
|
12 | ||||
|
13 | ||||
|
14 | 1. To configure path based permissions first we need to use a customized | |||
|
15 | mod_dav_svn.conf. | |||
|
16 | ||||
|
17 | Open :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. | |||
|
18 | And find `svn.proxy.config_template` setting. Now set a new path to read | |||
|
19 | the template from. For example: | |||
|
20 | ||||
|
21 | .. code-block:: ini | |||
|
22 | ||||
|
23 | svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako | |||
|
24 | ||||
|
25 | ||||
|
26 | 2. Create the file as in example: `/home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako` | |||
|
27 | You can download one from: | |||
|
28 | ||||
|
29 | `<https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/>`_ | |||
|
30 | ||||
|
31 | 3. Add (if not yet exists) a section `AuthzSVNReposRelativeAccessFile` in order | |||
|
32 | to read the path auth file. | |||
|
33 | ||||
|
34 | Example modified config section enabling reading the authz file relative | |||
|
35 | to repository path. Means located in `/storage_dir/repo_name/conf/authz` | |||
|
36 | ||||
|
37 | .. code-block:: text | |||
|
38 | ||||
|
39 | ||||
|
40 | # snip ... | |||
|
41 | ||||
|
42 | # use specific SVN conf/authz file for each repository | |||
|
43 | AuthzSVNReposRelativeAccessFile authz | |||
|
44 | ||||
|
45 | Allow from all | |||
|
46 | # snip ... | |||
|
47 | ||||
|
48 | .. note:: | |||
|
49 | ||||
|
50 | The `AuthzSVNReposRelativeAccessFile` should go above the `Allow from all` | |||
|
51 | directive. | |||
|
52 | ||||
|
53 | ||||
|
54 | 4. Restart RhodeCode, Go to | |||
|
55 | the :menuselection:`Admin --> Settings --> VCS` page, and | |||
|
56 | click :guilabel:`Generate Apache Config`. | |||
|
57 | This will now generate a new configuration with enabled changes to read | |||
|
58 | the authz file. You can verify if changes were made by checking the generated | |||
|
59 | mod_dav_svn.conf file which is included in your apache configuration. | |||
|
60 | ||||
|
61 | 5. Specify new rules in the repository authz configuration. | |||
|
62 | edit a file in :file:`repo_name/conf/authz`. For example, we specify that | |||
|
63 | only admin is allowed to push to develop branch | |||
|
64 | ||||
|
65 | .. code-block:: ini | |||
|
66 | ||||
|
67 | [/branches/develop] | |||
|
68 | * = r | |||
|
69 | admin = rw | |||
|
70 | ||||
|
71 | ||||
|
72 | For more example see: | |||
|
73 | `<https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/>`_ | |||
|
74 | ||||
|
75 | Those rules also work for paths, so not only branches but all different | |||
|
76 | paths inside the repository can be specified. | |||
|
77 | ||||
|
78 | 6. Reload Apache. If all is configured correctly it should not be allowed to | |||
|
79 | commit according to specified rules. | |||
|
80 |
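Review bot: the path in step 1, `:file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini``, is missing its leading slash and should read `/home/{user}/.rccontrol/{instance-id}/rhodecode.ini`. The page should also say which username the authz rules are matched against: the generated template authenticates with `AuthBasicProvider anon` / `Anonymous *`, so `admin = rw` in `conf/authz` only restricts anything when Apache is reachable solely through RhodeCode, as the template's own WARNING header states; one sentence in step 5 pointing out that the authz username is the one RhodeCode forwards (and that the file is not an independent control) would keep readers from relying on it in isolation. Minor wording: "Add (if not yet exists) a section" should be "Add (if it does not exist yet) the directive", "For more example see" should be "For more examples see", and step 6 reads more clearly as "commits that violate the specified rules should now be rejected".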
@@ -1,31 +1,32 b'' | |||||
1 | .. _rhodecode-admin-ref: |
|
1 | .. _rhodecode-admin-ref: | |
2 |
|
2 | |||
3 | System Administration |
|
3 | System Administration | |
4 | ===================== |
|
4 | ===================== | |
5 |
|
5 | |||
6 | The following are the most common system administration tasks. |
|
6 | The following are the most common system administration tasks. | |
7 |
|
7 | |||
8 | .. only:: latex |
|
8 | .. only:: latex | |
9 |
|
9 | |||
10 | * :ref:`vcs-server` |
|
10 | * :ref:`vcs-server` | |
11 | * :ref:`apache-ws-ref` |
|
11 | * :ref:`apache-ws-ref` | |
12 | * :ref:`nginx-ws-ref` |
|
12 | * :ref:`nginx-ws-ref` | |
13 | * :ref:`rhodecode-tuning-ref` |
|
13 | * :ref:`rhodecode-tuning-ref` | |
14 | * :ref:`indexing-ref` |
|
14 | * :ref:`indexing-ref` | |
15 | * :ref:`rhodecode-reset-ref` |
|
15 | * :ref:`rhodecode-reset-ref` | |
16 |
|
16 | |||
17 | .. toctree:: |
|
17 | .. toctree:: | |
18 |
|
18 | |||
19 | config-files-overview |
|
19 | config-files-overview | |
20 | vcs-server |
|
20 | vcs-server | |
21 | svn-http |
|
21 | svn-http | |
|
22 | svn-path-permissions | |||
22 | gunicorn-ssl-support |
|
23 | gunicorn-ssl-support | |
23 | apache-config |
|
24 | apache-config | |
24 | nginx-config |
|
25 | nginx-config | |
25 | backup-restore |
|
26 | backup-restore | |
26 | tuning-rhodecode |
|
27 | tuning-rhodecode | |
27 | indexing |
|
28 | indexing | |
28 | reset-information |
|
29 | reset-information | |
29 | enable-debug |
|
30 | enable-debug | |
30 | admin-tricks |
|
31 | admin-tricks | |
31 | cleanup-cmds |
|
32 | cleanup-cmds |
@@ -1,88 +1,94 b'' | |||||
1 | # Auto generated configuration for use with the Apache mod_dav_svn module. |
|
1 | # Auto generated configuration for use with the Apache mod_dav_svn module. | |
2 | # |
|
2 | # | |
3 | # WARNING: Make sure your Apache instance which runs the mod_dav_svn module is |
|
3 | # WARNING: Make sure your Apache instance which runs the mod_dav_svn module is | |
4 | # only accessible by RhodeCode. Otherwise everyone is able to browse |
|
4 | # only accessible by RhodeCode. Otherwise everyone is able to browse | |
5 | # the repositories or run subversion operations (checkout/commit/etc.). |
|
5 | # the repositories or run subversion operations (checkout/commit/etc.). | |
6 | # |
|
6 | # | |
7 | # The mod_dav_svn module does not support subversion repositories which are |
|
7 | # The mod_dav_svn module does not support subversion repositories which are | |
8 | # organized in subfolders. To support the repository groups of RhodeCode it is |
|
8 | # organized in subfolders. To support the repository groups of RhodeCode it is | |
9 | # required to provide a <Location> block for each group pointing to the |
|
9 | # required to provide a <Location> block for each group pointing to the | |
10 | # repository group sub folder. To ease the configuration RhodeCode auto |
|
10 | # repository group sub folder. To ease the configuration RhodeCode auto | |
11 | # generates this file whenever a repository group is created/changed/deleted. |
|
11 | # generates this file whenever a repository group is created/changed/deleted. | |
12 | # Auto generation can be configured in the ini file. Settings are prefixed with |
|
12 | # Auto generation can be configured in the ini file. Settings are prefixed with | |
13 | # ``svn.proxy``. |
|
13 | # ``svn.proxy``. | |
14 | # |
|
14 | # | |
15 | # To include this configuration into your apache config you can use the |
|
15 | # To include this configuration into your apache config you can use the | |
16 | # `Include` directive. See the following example snippet of a virtual host how |
|
16 | # `Include` directive. See the following example snippet of a virtual host how | |
17 | # to include this configuration file. |
|
17 | # to include this configuration file. | |
18 | # |
|
18 | # | |
19 | # <VirtualHost *:8090> |
|
19 | # <VirtualHost *:8090> | |
20 | # ServerAdmin webmaster@localhost |
|
20 | # ServerAdmin webmaster@localhost | |
21 | # DocumentRoot /var/www/html |
|
21 | # DocumentRoot /var/www/html | |
22 | # ErrorLog ${'${APACHE_LOG_DIR}'}/error.log |
|
22 | # ErrorLog ${'${APACHE_LOG_DIR}'}/error.log | |
23 | # CustomLog ${'${APACHE_LOG_DIR}'}/access.log combined |
|
23 | # CustomLog ${'${APACHE_LOG_DIR}'}/access.log combined | |
24 | # LogLevel info |
|
24 | # LogLevel info | |
25 | # # allows custom host names, prevents 400 errors on checkout |
|
25 | # # allows custom host names, prevents 400 errors on checkout | |
26 | # HttpProtocolOptions Unsafe |
|
26 | # HttpProtocolOptions Unsafe | |
27 | # Include /path/to/generated/mod_dav_svn.conf |
|
27 | # Include /path/to/generated/mod_dav_svn.conf | |
28 | # </VirtualHost> |
|
28 | # </VirtualHost> | |
29 | # |
|
29 | # | |
30 | # Depending on the apache configuration you may encounter the following error if |
|
30 | # Depending on the apache configuration you may encounter the following error if | |
31 | # you are using special characters in your repository or repository group |
|
31 | # you are using special characters in your repository or repository group | |
32 | # names. |
|
32 | # names. | |
33 | # |
|
33 | # | |
34 | # ``Error converting entry in directory '/path/to/repo' to UTF-8`` |
|
34 | # ``Error converting entry in directory '/path/to/repo' to UTF-8`` | |
35 | # |
|
35 | # | |
36 | # In this case you have to change the LANG environment variable in the apache |
|
36 | # In this case you have to change the LANG environment variable in the apache | |
37 | # configuration. This setting is typically located at ``/etc/apache2/envvars``. |
|
37 | # configuration. This setting is typically located at ``/etc/apache2/envvars``. | |
38 | # You have to change it to an UTF-8 value like ``export LANG="en_US.UTF-8"``. |
|
38 | # You have to change it to an UTF-8 value like ``export LANG="en_US.UTF-8"``. | |
39 | # After changing this a stop and start of Apache is required (using restart |
|
39 | # After changing this a stop and start of Apache is required (using restart | |
40 | # doesn't work). |
|
40 | # doesn't work). | |
41 |
|
41 | |||
42 | # fix https -> http downgrade with DAV. It requires an header downgrade for |
|
42 | # fix https -> http downgrade with DAV. It requires an header downgrade for | |
43 | # https -> http reverse proxy to work properly |
|
43 | # https -> http reverse proxy to work properly | |
44 | % if use_https: |
|
44 | % if use_https: | |
45 | RequestHeader edit Destination ^https: http: early |
|
45 | RequestHeader edit Destination ^https: http: early | |
46 | % else: |
|
46 | % else: | |
47 | #RequestHeader edit Destination ^https: http: early |
|
47 | #RequestHeader edit Destination ^https: http: early | |
48 | % endif |
|
48 | % endif | |
49 |
|
49 | |||
50 | <Location "${location_root|n}"> |
|
50 | <Location "${location_root|n}"> | |
51 | # The mod_dav_svn module takes the username from the apache request object. |
|
51 | # The mod_dav_svn module takes the username from the apache request object. | |
52 | # Without authorization this will be empty and no username is logged for the |
|
52 | # Without authorization this will be empty and no username is logged for the | |
53 | # transactions. This will result in "(no author)" for each revision. The |
|
53 | # transactions. This will result in "(no author)" for each revision. The | |
54 | # following directives implement a fake authentication that allows every |
|
54 | # following directives implement a fake authentication that allows every | |
55 | # username/password combination. |
|
55 | # username/password combination. | |
56 | AuthType Basic |
|
56 | AuthType Basic | |
57 | AuthName "${rhodecode_realm|n}" |
|
57 | AuthName "${rhodecode_realm|n}" | |
58 | AuthBasicProvider anon |
|
58 | AuthBasicProvider anon | |
59 | Anonymous * |
|
59 | Anonymous * | |
60 | Anonymous_LogEmail off |
|
60 | Anonymous_LogEmail off | |
61 | Require valid-user |
|
61 | Require valid-user | |
62 |
|
62 | |||
63 | DAV svn |
|
63 | DAV svn | |
64 | SVNParentPath "${parent_path_root|n}" |
|
64 | SVNParentPath "${parent_path_root|n}" | |
65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
65 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} | |
66 |
|
66 | |||
|
67 | # use specific SVN conf/authz file for each repository | |||
|
68 | #AuthzSVNReposRelativeAccessFile authz | |||
|
69 | ||||
67 | Allow from all |
|
70 | Allow from all | |
68 | Order allow,deny |
|
71 | Order allow,deny | |
69 | </Location> |
|
72 | </Location> | |
70 |
|
73 | |||
71 | % for location, parent_path in repo_group_paths: |
|
74 | % for location, parent_path in repo_group_paths: | |
72 |
|
75 | |||
73 | <Location "${location|n}"> |
|
76 | <Location "${location|n}"> | |
74 | AuthType Basic |
|
77 | AuthType Basic | |
75 | AuthName "${rhodecode_realm|n}" |
|
78 | AuthName "${rhodecode_realm|n}" | |
76 | AuthBasicProvider anon |
|
79 | AuthBasicProvider anon | |
77 | Anonymous * |
|
80 | Anonymous * | |
78 | Anonymous_LogEmail off |
|
81 | Anonymous_LogEmail off | |
79 | Require valid-user |
|
82 | Require valid-user | |
80 |
|
83 | |||
81 | DAV svn |
|
84 | DAV svn | |
82 | SVNParentPath "${parent_path|n}" |
|
85 | SVNParentPath "${parent_path|n}" | |
83 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} |
|
86 | SVNListParentPath ${"On" if svn_list_parent_path else "Off"|n} | |
84 |
|
87 | |||
|
88 | # use specific SVN conf/authz file for each repository | |||
|
89 | #AuthzSVNReposRelativeAccessFile authz | |||
|
90 | ||||
85 | Allow from all |
|
91 | Allow from all | |
86 | Order allow,deny |
|
92 | Order allow,deny | |
87 | </Location> |
|
93 | </Location> | |
88 | % endfor |
|
94 | % endfor |
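Review bot: the commented-out `#AuthzSVNReposRelativeAccessFile authz` is duplicated verbatim in the root and the per-group `<Location>` blocks, and because it ships disabled, anyone who enables it has to maintain a private copy of the whole template that drifts from future versions of this file. Since the header says generation is driven by `svn.proxy` settings in the ini, wrapping the directive in a template switch (mirroring the existing `% if use_https:` block) would turn step 3 of the new docs into an ini setting instead of a forked template. The directive also requires the `authz_svn` Apache module to be loaded; a comment saying so next to the directive would save a failed reload for readers who follow the docs on a host that has only `mod_dav_svn` enabled.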