Authentication & Authorization with Subversion
Ben Reser, Subversion Committer, WANdisco

Who Am I
§ Ben Reser, Subversion Committer, WANdisco
§ Involved with the Subversion project since 2003.
§ Employed by WANdisco since 2012 to work on the project full time.
§ Wrote mod_auth_ora7/8.

Overview

Authentication vs Authorization
Authentication (authn)
• Who the client is
Authorization (authz)
• What access the client has

Access Methods
• Apache HTTP Server
• svnserve
• Local

Apache HTTP Server Authn
• Built in
• Modular
• Expandable

HTTP Auth Architecture
• auth (the mod_auth_* front ends: the HTTP authentication scheme)
• authn (the mod_authn_* providers: where credentials are checked)
• authz (the mod_authz_* modules: what the user may access)

Apache HTTP Server Authn

mod_auth_*
• mod_auth_digest
• mod_auth_simple
• mod_auth_kerb
• mod_auth_sspi / mod_authnz_sspi
• mod_ssl
• …

mod_authn_*
• mod_authn_file
• mod_authn_dbm
• mod_authnz_ldap
• mod_auth_mysql
• mod_auth_pgsql
• …

Apache HTTP Server Authz
mod_authz_*
• mod_authz_user
• mod_authz_groupfile
• mod_authz_dbm
• mod_authz_host
• mod_authz_svn
• …

svnserve Authentication
• Plaintext
• Cyrus SASL
• Tunnels

Local Authentication
• From the OS environment
• User provided

Types of Authorization
• Blanket
• Path based

Path Based Authorization
Apache HTTP Server
• mod_authz_svn
svnserve
• built in

SVN Authz Config Format
[/]
* = r

[repo:/project1]
bob = rw
$anonymous =

SVN Authz Repo Name
Apache HTTP Server
• Name of the directory containing the repository
svnserve
• Path relative to the server root

SVN Authz Groups Format
[groups]
exploration = bob, carrie
production = doug, lisa
devs = @exploration, @production

[mines:/alpha-site]
@exploration = rw
* =

SVN Authz Aliases Format
[aliases]
bob = bobby

[groups]
devs = &bob

[mines:/alpha-site]
&bob = rw

Permissions: Required to…
Create or delete a node
• Write on the parent directory
Modify file content
• Write on the file
List children of a directory
• Read on the directory
Get file contents
• Read on the file

Permissions: List, Log & Copy
List
§ Omits nodes you don't have access to
Log
§ If you have only partial or no access to the changed paths of a revision, omits all revision properties except svn:author and svn:date, and lists only the changed paths you do have access to
Copy
§ You can copy a node only if you have read permission on it and on all of its children
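Added example (not from the slides and not Subversion's own code): a small Python model of how the authz file above is evaluated, covering the config, groups and aliases syntax from the preceding slides and the per-operation permissions just listed. It implements the resolution rules the slides rely on: the most specific path with a line that applies to the user decides, the repository-qualified section is consulted before the global one at each level, entries may be a username, `*`, `$anonymous`, `$authenticated`, `@group`, `&alias` or a `~`-negated entry, and a granting line outweighs a `* =` line at the same path (rights of all applying lines are unioned). The authz text, the `Authz` class, `access`, `can` and the `REQUIRED` table are constructed for this example; it is a simplified model of mod_authz_svn / svnserve behaviour, not their implementation.

```python
"""Simplified model of Subversion path-based authz (added example, not svn code)."""
import configparser

# Constructed sample authz file using the syntax from the slides.
SAMPLE_AUTHZ = """
[aliases]
bob = bobby
[groups]
exploration = bob, carrie
production = doug, lisa
devs = @exploration, @production
trusted = &bob
[/]
* = r
[mines:/alpha-site]
@exploration = rw
* =
[mines:/alpha-site/public]
$anonymous = r
$authenticated = r
[mines:/alpha-site/bobs-corner]
&bob = rw
* =
[repo:/project1]
bob = rw
$anonymous =
"""

# The permissions slide: the right each operation needs and on which node
# ("parent" = parent directory of the target path, "self" = the target).
REQUIRED = {"create": ("w", "parent"), "delete": ("w", "parent"),
            "modify": ("w", "self"), "list": ("r", "self"), "cat": ("r", "self")}


def _parent(path):
    return path.rstrip("/").rsplit("/", 1)[0] or "/"


class Authz:
    def __init__(self, text):
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # keep case and the *, $, @, &, ~ prefixes of entries
        cp.read_string(text)
        self.aliases = dict(cp["aliases"]) if cp.has_section("aliases") else {}
        raw_groups = dict(cp["groups"]) if cp.has_section("groups") else {}
        self.groups = {g: self._expand(g, raw_groups, set()) for g in raw_groups}
        self.sections = {s: dict(cp[s]) for s in cp.sections()
                         if s not in ("aliases", "groups")}

    def _expand(self, name, raw, stack):
        """Flatten a group to real usernames, following @group and &alias members."""
        if name in stack:
            raise ValueError(f"cycle in group definitions at @{name}")
        stack.add(name)
        members = set()
        for item in (m.strip() for m in raw[name].split(",")):
            if item.startswith("@"):
                members |= self._expand(item[1:], raw, stack)
            elif item.startswith("&"):
                members.add(self.aliases[item[1:]])
            elif item:
                members.add(item)
        stack.discard(name)
        return members

    def _applies(self, entry, user):
        # Does an access-line key apply to user? None means anonymous.
        if entry.startswith("~"):
            return not self._applies(entry[1:], user)
        if entry == "*":
            return True
        if entry == "$anonymous":
            return user is None
        if entry == "$authenticated":
            return user is not None
        if entry.startswith("@"):
            return user in self.groups.get(entry[1:], set())
        if entry.startswith("&"):
            return user == self.aliases.get(entry[1:])
        return user == entry

    def access(self, repo, path, user):
        """Effective rights (subset of {'r', 'w'}) for user at repo:path.

        Walk from path toward '/'. At each level the repository-qualified section
        is consulted before the global one; the first section holding a line that
        applies to the user decides, and the rights of all its applying lines are
        unioned (so '@exploration = rw' still grants rw beside '* =')."""
        path = "/" + path.strip("/")
        while True:
            for section in (f"{repo}:{path}", path):
                lines = self.sections.get(section, {})
                applying = [v for k, v in lines.items() if self._applies(k, user)]
                if applying:
                    return {c for v in applying for c in v if c in "rw"}
            if path == "/":
                return set()  # no applying line anywhere: no access
            path = _parent(path)

    def can(self, repo, user, op, path):
        """Apply REQUIRED: does user hold the right that op needs, on the right node?"""
        right, where = REQUIRED[op]
        node = _parent(path) if where == "parent" else path
        return right in self.access(repo, node, user)
```

With the sample file, `Authz(SAMPLE_AUTHZ).can("repo", "carrie", "cat", "/project1/README")` is True because nothing below `/` applies to carrie and `[/] * = r` is reached, while `can("mines", None, "list", "/alpha-site")` is False because `* =` at `/alpha-site` applies to everyone and nothing there grants anonymous read. Against a real 1.8 installation the same questions can be put to the shipped `svnauthz accessof` tool (for example `svnauthz accessof --username bob --path /project1 --repository repo authz-file`), which is the check to run before trusting a hand-written file.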

Authz Config File Caching
§ Read when first needed
§ Parsed file cached for the duration of the connection

Path based authz performance
[Picture by Michael W Murphy, CC BY 2.0]

Hands On

VM Details
§ 12.04 Server (Minimal VM Installation)
§ Subversion 1.8.8 (WANdisco)
§ LDAP
§ Apache HTTP
§ User: student
§ Passwords: secret

Hands On Summary: mod_dav_svn
§ SVNPathAuthz
  § 'off' if not using path based authz.
  § 'short_circuit' otherwise.
  § 'on' if you know you need it.

Hands On Summary: mod_authz_svn
§ AuthzSVNAccessFile
  § Relative to the server root.
  § Can take URLs or repository-relative URLs.
§ AuthzSVNReposRelativeAccessFile
  § Relative to the repository conf directory.
  § Can also take URLs or repository-relative URLs.
§ AuthzSVNGroupsFile
  § Separate groups file support
  § Relative to the server root
  § No groups in the AccessFile if you use this.
  § Can also be in the repo

Hands On Summary: mod_authnz_ldap
§ Subversion can't use groups from LDAP easily.
§ mod_ldap handles caching and connection pooling for mod_authnz_ldap.

Extras

2.4
§ New authn/authz provider system built on top of the old system.
§ Subversion doesn't support the new system, but still works with 2.4.

LimitExcept
Require valid-user

Satisfy Any
AuthzSVNAccessFile authz-file
Satisfy any
Require valid-user

mod_authz_svn UserNames
§ AuthzForceUsernameCase
  § Set to normalize the case of the username before it is compared with the configuration.
  § Upper
  § Lower

Authoritative Directives
§ Control what a module does when it would deny access.
§ When 'off', a request the module would deny is passed on to later modules to decide.
§ Using this is hard.

mod_authz_svn Anonymous
§ AuthzSVNNoAuthWhenAnonymousAllowed
  § Intended to replace Satisfy Any with HTTPD 2.3/2.4
  § Doesn't work!
  § Don't use it!

mod_authz_svn Anonymous
§ AuthzSVNAnonymous
  § Set to Off to turn off the 'Satisfy any' behavior.
  § With it Off, mod_authz_svn no longer enforces the authz file when no Require directive is present.

Thank You
@BenReser
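Added example for the Hands On and Extras slides above (not from the slides and not the Subversion project's own configuration): an Apache 2.2 httpd configuration that puts the summarized directives together, with the blanket pattern (LimitExcept) beside the path-based pattern (AuthzSVNAccessFile with Satisfy Any). The Location names, repository paths, authz file path, LDAP server and base DN are assumptions.

```apache
# Added example, not from the slides. Paths, Location names, the LDAP
# server and the base DN are assumptions.

# 1. Blanket authorization: anonymous read, authenticated write.
#    No authz file is involved, so SVNPathAuthz off skips per-path checks.
<Location /svn-public>
    DAV svn
    SVNParentPath /var/svn/public
    SVNPathAuthz off

    AuthType Basic
    AuthName "Subversion (public)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"

    # Only methods outside this list (the write side: MKACTIVITY, PUT, MERGE, ...)
    # need a login; the read-only WebDAV methods named here stay anonymous.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>

# 2. Path-based authorization with mod_authz_svn.
<Location /svn>
    DAV svn
    SVNParentPath /var/svn/repos
    # mod_dav_svn asks mod_authz_svn directly instead of issuing subrequests;
    # only appropriate because mod_authz_svn is the authorization module in use.
    SVNPathAuthz short_circuit

    AuthType Basic
    AuthName "Subversion"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"

    # Access rules kept outside the repositories; relative to ServerRoot if not absolute.
    AuthzSVNAccessFile /etc/apache2/svn-authz
    # Directory lookups are usually case-insensitive, the authz file never is:
    # normalize so "Bob" and "bob" hit the same rules.
    AuthzForceUsernameCase Lower

    # Try anonymous first: mod_authz_svn lets the request through when the
    # authz file grants the path to * or $anonymous, and demands a login
    # only where it does not.
    Satisfy Any
    Require valid-user
</Location>
```

`Satisfy` is a 2.2 directive (on 2.4 it is only honoured with mod_access_compat loaded), which is why the slides treat AuthzSVNNoAuthWhenAnonymousAllowed as the intended 2.4 replacement and warn against relying on it. Run `apachectl configtest` after editing, and verify the resulting policy from the client side with an anonymous checkout of a path the authz file opens to `*` and one it does not.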