Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine-grained access by group or user.
The following features are supported:
- Authentication: Use Crowd to password-protect your Subversion repository.
- Authorisation: Provide fine-grained access by group or user.
Step 1. Integrating Crowd with Apache
To use the Subversion connector, you will need to have the Crowd Apache connector already installed. Please follow the instructions on integrating Crowd with Apache.
Note that you do not need to define Subversion as an application in Crowd. Subversion and Apache will both use the same Crowd application.
Step 2. Configuring Crowd Authentication for Subversion
If you are using Apache to manage access to a Subversion repository (instructions) and are using Crowd to manage the Apache authentication (instructions) then you can use the same configuration method to delegate Subversion's user authentication to Crowd.
If your Subversion clients do not store cookies, you will achieve much better performance by disabling single sign-on with the "CrowdCreateSSO off" directive. This will avoid a request being made to Crowd for every single request to Subversion.
Note that you will need to restart Apache before any changes to its configuration files will take effect.
Step 3. Configuring Crowd Authorisation for Subversion
To restrict Subversion repository access to certain groups and/or users, you can add the Require group and Require user directives, described in the page on integrating Crowd with Apache.
For more fine-grained access, Crowd provides the AuthzSVNCrowdAccessFile directive, which allows you to define path-based access rules.
The AuthzSVNCrowdAccessFile setting lets you define a file where you can configure group and user access at directory level.
The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here is a short example:
- The format is a series of one or more repository paths (minus the leading URL) followed by one or more group or user directives for each path.
- You don't have to include every single path. If an exact path match is not found, the settings for the nearest parent directory are used.
- Access for the user or group can be set to one of:
  - rw: read and write access.
  - r: read-only access.
  - <blank>: no access.
- Group names are indicated by a leading '
- Lines starting with a '#' are comments.
- Note that group memberships specified in the [groups] section of the file described in the Subversion documentation are ignored by the Crowd Apache connector, because group memberships come from Crowd. However, any groups referred to in other sections must be named here.
- Subversion will convert all group names specified in this file to lower case before comparing them to group names supplied by Crowd. For this reason, you must enable the "Lower Case Output" option for your Subversion application.
- If you make use of the SVNParentPath directive to configure multiple repositories, repository paths should be specified in the form repository:path, for example:
Mixing Authenticated and Anonymous Access
A common requirement for Subversion access is to have a combination of anonymous access (where a username and password are not required) and authenticated access. For example, many administrators want to allow anonymous users to read certain repository directories, but want only authenticated users to read (or write) more sensitive areas. To enable anonymous access, add the following line to the Apache configuration file:
When anonymous access is enabled as shown above, Apache will not require a password for any part of the repository that matches the '*' user in the AuthzSVNCrowdAccessFile file. For example, if you wanted to allow anonymous read access to most of a repository but require authentication for a private section, the AuthzSVNCrowdAccessFile file would look like this:
See also this example in the Subversion documentation.
For a detailed description of the AuthzSVNCrowdAccessFile file format, see the Subversion documentation.
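The path rules and the anonymous/private split described above can be checked before deployment with a small audit script. This is an added example, not code from Crowd or Subversion: the access file, paths, users and groups are constructed placeholders, and the resolution logic is a simplified model (the nearest section that names the caller decides, most permissive matching line wins) rather than mod_authz_svn's exact algorithm.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample access file; every path, user and group name is a placeholder.
SAMPLE_ACCESS_FILE = """\
[/]
* = r
@developers = rw

# private area: no anonymous access
[/private]
* =
@Developers = rw
alice = r

[docs:/drafts]
* =
@writers = rw
"""

def parse_access_file(text):
    """Return {(repo, path): {principal: access}}; repo is "" when not given."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                     # keep user names as written
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section == "groups":              # ignored: memberships come from Crowd
            continue
        repo, _, path = section.rpartition(":")
        # Group names in the file are lower-cased before comparison.
        rules[(repo, path)] = {(k.lower() if k.startswith("@") else k): v.strip()
                               for k, v in cp[section].items()}
    return rules

def effective_access(rules, path, user=None, groups=(), repo=""):
    """Assumed model: walk from the path up to '/', first section naming the caller wins."""
    who = {"*"} | {"@" + g for g in groups} | ({user} if user else set())
    node = PurePosixPath(path)
    for candidate in (node, *node.parents):
        for key in ((repo, str(candidate)), ("", str(candidate))):
            hits = [a for p, a in rules.get(key, {}).items() if p in who]
            if hits:
                return max(hits, key=len)    # "" < "r" < "rw"
    return ""

def anonymous_exposure(rules):
    """Sections an unauthenticated client can read."""
    return sorted(f"{repo}:{path}" if repo else path
                  for repo, path in rules if effective_access(rules, path, repo=repo))

RULES = parse_access_file(SAMPLE_ACCESS_FILE)
```

Group names passed to `effective_access` are compared as supplied, so a mixed-case group name from Crowd does not match the lower-cased name from the file; this is the mismatch the "Lower Case Output" option prevents.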
Additional Configuration Options
You may customise your configuration further with the following optional commands:
When set to 'On', authorisation decisions made by the Crowd Subversion connector are final. When set to 'Off', they may be overruled by other Apache authorisation providers.
Set to 'Off' to disable two special-case behaviours of the Crowd Subversion connector: interaction with the
Set to 'Upper' or 'Lower' to convert the username before checking for authorisation.