| Article Index |
|---|
| Subversion - How to restrict certain users to read only or read write permissions |
| Part 2 |
| All Pages |
At some point in the life of your Subversion repository you may decide to limit access to read only for certain users, not allowing them to commit changes to say the production code or release project. You might want to limit access to certain parts of a project , for example allowing only members of the group admins to see the branches/admintool directory.
This how was written and tested on an Apple Mini, running CentOS 5.3 , so when you see me using yum to install packages as is common on RedHat based distros, if you are using a different flavour of Linux or Unix you will need to adjust my instructions to use your package manager.
First things first, install the neccesary Subversion packages and dependancies on the server machine, littlemac
[root@littlemac ~]# yum install subversion
Loaded plugins: fastestmirror
Determining fastest mirrors
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package subversion.x86_64 0:1.4.2-4.el5_3.1 set to be updated
---> Package subversion.i386 0:1.4.2-4.el5_3.1 set to be updated
--> Processing Dependency: libaprutil-1.so.0 for package: subversion
--> Processing Dependency: libapr-1.so.0 for package: subversion
--> Processing Dependency: libneon.so.25 for package: subversion
--> Running transaction check
---> Package apr-util.x86_64 0:1.2.7-7.el5_3.2 set to be updated
---> Package neon.i386 0:0.25.5-10.el5 set to be updated
---> Package apr.i386 0:1.2.7-11.el5_3.1 set to be updated
---> Package apr.x86_64 0:1.2.7-11.el5_3.1 set to be updated
---> Package apr-util.i386 0:1.2.7-7.el5_3.2 set to be updated
--> Processing Dependency: libsqlite3.so.0 for package: apr-util
--> Processing Dependency: libpq.so.4 for package: apr-util
--> Running transaction check
---> Package postgresql-libs.i386 0:8.1.11-1.el5_1.1 set to be updated
---> Package sqlite.i386 0:3.3.6-2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================================================================================
Installing:
subversion x86_64 1.4.2-4.el5_3.1 updates 2.4 M
subversion i386 1.4.2-4.el5_3.1 updates 2.3 M
Updating:
apr x86_64 1.2.7-11.el5_3.1 updates 118 k
apr-util x86_64 1.2.7-7.el5_3.2 updates 75 k
Installing for dependencies:
apr i386 1.2.7-11.el5_3.1 updates 123 k
apr-util i386 1.2.7-7.el5_3.2 updates 76 k
neon i386 0.25.5-10.el5 base 101 k
postgresql-libs i386 8.1.11-1.el5_1.1 base 196 k
sqlite i386 3.3.6-2 base 213 k
Transaction Summary
==================================================================================================================================================================================================================
Install 7 Package(s)
Update 2 Package(s)
Remove 0 Package(s)
Total download size: 5.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): apr-util-1.2.7-7.el5_3.2.x86_64.rpm | 75 kB 00:00
(2/9): apr-util-1.2.7-7.el5_3.2.i386.rpm | 76 kB 00:00
(3/9): neon-0.25.5-10.el5.i386.rpm | 101 kB 00:00
(4/9): apr-1.2.7-11.el5_3.1.x86_64.rpm | 118 kB 00:00
(5/9): apr-1.2.7-11.el5_3.1.i386.rpm | 123 kB 00:00
(6/9): postgresql-libs-8.1.11-1.el5_1.1.i386.rpm | 196 kB 00:00
(7/9): sqlite-3.3.6-2.i386.rpm | 213 kB 00:01
(8/9): subversion-1.4.2-4.el5_3.1.i386.rpm | 2.3 MB 00:18
(9/9): subversion-1.4.2-4.el5_3.1.x86_64.rpm | 2.4 MB 00:15
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 141 kB/s | 5.5 MB 00:39
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : apr [ 1/11]
Updating : apr-util [ 2/11]
Installing : neon [ 3/11]
Installing : apr [ 4/11]
Installing : sqlite [ 5/11]
Installing : postgresql-libs [ 6/11]
Installing : subversion [ 7/11]
Installing : apr-util [ 8/11]
Installing : subversion [ 9/11]
Cleanup : apr [10/11]
Cleanup : apr-util [11/11]
Installed: subversion.x86_64 0:1.4.2-4.el5_3.1 subversion.i386 0:1.4.2-4.el5_3.1
Dependency Installed: apr.i386 0:1.2.7-11.el5_3.1 apr-util.i386 0:1.2.7-7.el5_3.2 neon.i386 0:0.25.5-10.el5 postgresql-libs.i386 0:8.1.11-1.el5_1.1 sqlite.i386 0:3.3.6-2
Updated: apr.x86_64 0:1.2.7-11.el5_3.1 apr-util.x86_64 0:1.2.7-7.el5_3.2
Complete!
Next , now that the software is installed, we are going to create a directory under /home for our Subversion repo, then use the svnadmin tool to create a new repository
[root@littlemac ~]# mkdir /home/SVN/
[root@littlemac ~]# cd /home/SVN/
[root@littlemac SVN]# svnadmin create project_x
Now the server is setup I will connect with my svn (short name for Subversion) client from my workstation, bigmac
First of all I will check out the blank project and create a file structure, then commit this into the project
bigmac:~ neil$ svn co svn+ssh://littlemac/home/SVN/project_x
Checked out revision 0.
bigmac:~ neil$ cd project_x/
bigmac:project_x neil$ mkdir release test admin
bigmac:project_x neil$ touch release/file test/file admin/file
bigmac:project_x neil$ svn add admin/ release/ test/
A admin
A admin/file
A release
A release/file
A test
A test/file
bigmac:project_x neil$ svn commit -m "Added example dirs + files"
Adding admin
Adding admin/file
Adding release
Adding release/file
Adding test
Adding test/file
Transmitting file data ...
Committed revision 1.
bigmac:project_x neil$
Ok , so now we have a few files and directories in our project repo to play with.
Here is the example task and configuration we will work through, and the permission scheme will end up like this:
- Only users in the group admins are allowed to access the admin directory
- Users in the group checkout can have read only access to the test and release directories and all files under them
- User in the group developers can have read write access to test and release directories and all files under them
- The user billy can only access the test directory, he is specifically denied from the other two directories release and admin
Ok, so in order to apply this scheme, we need to go back to the server and edit the file /home/SVN/project_x/svnserve.conf and set up the file as shown below.
### This file controls the configuration of the svnserve daemon
[general]
anon-access = none
auth-access = write
authz-db = authz
Now create the file authz in the same folder with the follow contents
[/]
billy=r
neil=rw
