Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine grained access by group or user.

The following features are supported:

  • Authentication: Use Crowd to password-protect your Subversion repository.
  • Authorisation: Provide fine-grained access by group or user.

Step 1. Integrating Crowd with Apache

To use the Subversion connector, you will need to have the Crowd Apache connector already installed. Please follow the instructions on integrating Crowd with Apache.

Note that you do not need to define Subversion as an application in Crowd. Subversion and Apache will both use the same Crowd application.

Step 2. Configuring Crowd Authentication for Subversion

If you are using Apache to manage access to a Subversion repository (instructions) and are using Crowd to manage the Apache authentication (instructions) then you can use the same configuration method to delegate Subversion's user authentication to Crowd.

Example:

<Location /svn>

  AuthName "Atlassian Crowd" 
  AuthType Basic 
  AuthBasicProvider crowd 

  CrowdAppName myappname 
  CrowdAppPassword mypassword 
  CrowdURL http://localhost:8095/crowd/

  CrowdCreateSSO off  # Improves performance when using Subversion clients that don't store cookies

  DAV svn

  # Set this to the path to your repository
  SVNPath /var/lib/svn

  # The following three lines allow anonymous read, but make
  # committers authenticate themselves.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>

</Location>

If your Subversion clients do not store cookies, you will achieve much better performance by disabling single sign-on with the "CrowdCreateSSO off" directive. This will avoid a request being made to Crowd for every single request to Subversion.

Note that you will need to restart Apache before any changes to its configuration files will take effect.

Step 3. Configuring Crowd Authorisation for Subversion

To restrict Subversion repository access to certain groups and/or users, you can add the Require group and Require user directives, described in the page on integrating Crowd with Apache.

For more fine-grained access, Crowd provides the AuthzSVNCrowdAccessFile directive which allows you to define path-based access rules.

Example:

<Location /svn>

  AuthName "Atlassian Crowd" 
  AuthType Basic 
  AuthBasicProvider crowd 

  CrowdAppName myappname 
  CrowdAppPassword mypassword 
  CrowdURL http://localhost:8095/crowd/

  CrowdCreateSSO off  # Improves performance when using Subversion clients that don't store cookies

  DAV svn

  # Set this to the path to your repository
  SVNPath /var/lib/svn

  AuthzSVNCrowdAccessFile /etc/apache2/dav_svn.authz
  Require valid-user

</Location>

The AuthzSVNCrowdAccessFile setting lets you define a file where you can configure group and user access at directory level.

The format of the file is the same as that used by Subversion's own authorisation module, mod_authz_svn. Here is a short example:

[groups]
# Groups referred to in other sections must be listed here, but group membership is obtained from Crowd.
bazdevelopers =
foodevelopers =

# Everyone has read access to the repository
# (unless modified below).
[/]
* = r

# Members of the bazdevelopers group can
# read and write to the BazWord project
[/BazWord]
@bazdevelopers = rw

# Members of the foodevelopers group can read and write
# to the FooCalc project
[/FooCalc]
@foodevelopers = rw

# Members of foodevelopers can read the branches
# directory but only user juliag (the release manager)
# can write to this path
[/FooCalc/branches]
juliag = rw
@foodevelopers = r

# peterc is a contractor, so he's denied all access to the statistics
# module (which is full of trade secrets).
[/FooCalc/trunk/statistics]
peterc =

Notes:

  • The format is a series of one or more repository paths (minus the leading URL) followed by one or more group or user directives for each path.
  • You don't have to include every single path. If an exact path match is not found, the settings for the nearest parent directory are used.
  • Access for the user or group can be set to one of:
    • rw: read and write access.
    • r: read-only access.
    • <blank>: no access.
  • Group names are indicated by a leading '@' character.
  • Lines starting with a '#' are comments.
  • Note that group memberships specified in the [groups] section of the file described in the Subversion documentation are ignored by the Crowd Apache connector, because group memberships come from Crowd. However, any groups referred to in other sections must be named here.
  • Subversion will convert all group names specified in this file to lower case before comparing them to group names supplied by Crowd. For this reason, you must enable the "Lower Case Output" option for your Subversion application.
  • If you make use of the SVNParentPath directive to configure multiple repositories, repository paths should be specified in the form repository:path, for example:
[groups]
developers =

[public:/]
* = r
@developers = rw

[public:/community]
* = rw

[private:/]
@developers = rw

Mixing Authenticated and Anonymous Access

A common requirement for Subversion access is to have a combination of anonymous access (where a username and password is not required) and authenticated access. For example, many administrators want to allow anonymous users to read certain repository directories, but want only authenticated users to read (or write) more sensitive areas. To enable anonymous access, add the following line to the Apache configuration file:

AuthzSVNCrowdAccessFile /etc/apache2/dav_svn.authz
AuthzSVNCrowdNoAuthWhenAnonymousAllowed On
Satisfy Any
Require valid-user

When anonymous access is enabled as shown above, Apache will not require a password for any part of the repository that matches the '*' user in the AuthzSVNCrowdAccessFile file. For example, if you wanted to allow anonymous read access to most of a repository but require authentication for a private section, the AuthzSVNCrowdAccessFile file would look like this:

[groups]
developers=

# login not required to read, only members of the 'developers' group can check in changes
[/]
* = r
@developers = rw

# anonymous access denied to /private directory 
[/private]
* =
@developers = rw

See also this example in the Subversion documentation.

For a detailed description of the AuthzSVNCrowdAccessFile file format, see the Subversion documentation.

Additional Configuration Options

You may customise your configuration further with the following optional commands:

Command

Explanation

Default

AuthzSVNCrowdAuthoritative

When set to 'On', authorisation decisions made by the Crowd Subversion connector are final. When set to 'Off', they may be overruled by other Apache authorisation providers.

On

AuthzSVNCrowdAnonymous

Set to 'Off' to disable two special-case behaviours of the Crowd Subversion connector: interaction with the Satisfy Any directive and enforcement of the authorisation policy even when no Require directives are present.

On

AuthzSVNCrowdForceUsernameCase

Set to 'Upper' or 'Lower' to convert the username before checking for authorisation.

none

RELATED TOPICS

Crowd documentation