I’ve been using the mod_dav_svn module for Apache, part of the subversion distribution package, in order to make several SVN repositories available over the HTTP protocol for quite some time now. More specifically, I use a multi-repository setup under the same virtualhost by using the
SVNParentPath directive of mod_dav_svn. Also, the authorization policy is enforced by mod_authz_svn by using one general authz file (
AuthzSVNAccessFile) containing the policy rules. In case the user is not authorized to access the resource, basic HTTP authentication is used to finally grant or deny access to the user. Everything works as expected, but let’s see if this is practical too…
It is obvious that using such a setup, all subversion repositories share the same authz file. This is fine in most circumstances, but it presumes that one person or a small team of administrators will practically be able to manage the authorization policy inside the authz file, unless you grant read/write access to everyone, which is not very likely. And this is where problems begin to arise. What happens if there are 1000 development teams and thousands of requests to the admin team asking for modifications on the authz file? This is almost chaos. On the other hand, suppose that each SVN repository belongs to a development team which wishes to manage its repo’s authorization policy itself. What can be done in such a case? Unfortunately, nothing that will not require some coding. mod_authz_svn cannot handle multiple authorization files when a multi-repository configuration (
SVNParentPath) is used.
One way to resolve the issue mentioned above is to inject our own authorization code into the relevant phase of the HTTP request processing. What this authorization code is going to do is to dynamically construct the path to the requested repository’s authz file, parse the authz file, determine the level of access the user may get in accordance to the HTTP request type and, finally, return an OK or an error code back to Apache.
Tonight I’ve spent several hours on this. Although, the appropriate approach would be to patch mod_authz_svn, I am not that excited about such an approach as I would need several days of hard work to modify an existing apache module. Instead, I have almost finished an authorization handler and an authz file parser (only basic syntax is supported), both written in python, which can be used by apache with the help of mod_python.
This is not finished yet. As you might have assumed I need this piece of code for Project CodeTRAX. Although, I had decided not to release anything related to that project until it is finished, I might make an exception and release this piece of python code in order to get some valuable feedback about if and how secure it is.
Using the mod_dav_svn SVNParentPath directive with multiple authz files by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2008 - Some Rights Reserved