Subversion Access Control using Mysql and Apache (mod-dav-svn, mod-auth-sql, apache, mysql)


I am trying to configure a site on my Apache server to use mod_dav_svn with mysql authentication.

I am using a database with three tables like this

auth_users
----------
uid    username  passwd
1      UserA     pass
2      UserB     pass

.

auth_groups
-----------
gid    group
1      repo_rw
2      repo_ro

.

users_groups
------------
uid    gid
1      1
2      2

Therefore:-

UserA is a member of the group repo_rw.
UserB is a member of the group repo_ro.

I then use the following in my httpd.conf file:-

<VirtualHost *:80>
  DocumentRoot /var/www
  ServerName repo.srv.domain.com
  ServerPath /var/www

  <Location /svn>
    DAV svn

    SVNPath /var/svn/repo

    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off

    AuthMySQL_Authoritative on
    AuthMySQL_Empty_Password off
    AuthMySQL_Encryption_Types Plaintext

    AuthMySQL_Password_Table "auth_users u"
    AuthMySQL_Username_Field "u.username"
    AuthMySQL_Password_Field "u.passwd"

    AuthMySQL_Group_Table "auth_groups g RIGHT JOIN users_groups ug ON (ug.gid=g.gid) RIGHT JOIN auth_users u ON (ug.uid=u.uid)"
    AuthMySQL_Group_Field "g.group"

    <Limit GET PROPFIND OPTIONS REPORT>
      Require group repo_rw
    </Limit>
  </Location>
</VirtualHost>

In this configuration I am able to give users rw access to the repository /var/svn/repo, authenticated as valid users of this repository.

I am also able to add multiple VirtualHost entries, replacing "repo" in the various locations with a new repository name, and provide controlled rw access to individual repositories.

My problem is that I am unable to add READ ONLY access to repositories, and also anonymous read-only access.

I have read it should be possible to add

<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require group repo_ro
</LimitExcept>

to the section and this should provide read-only access to the repository; however, I have not been able to make this work. Tailing the mysql log shows only the repo_rw group gets queried.

If anyone can give any advice I would be extremely grateful!

1

There are 1 answers

0
BParker On BEST ANSWER

It seems this method just won't work. There are many resources on the net suggesting it will, but none seem to work with current versions of apache/mysql/modules.

There are two options for granular access control: 1) auth files only, skip mysql authentication and keep with standard apache auth methods, or 2) modify hook scripts to define what access users have.
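
Option 2 from the answer, sketched as an added example (not code from the question or the answer): a Subversion start-commit hook that looks up the committing user's groups in the question's three tables and rejects the commit unless the user is in repo_rw. It assumes Apache has already authenticated the user, and it uses an in-memory sqlite3 database as a constructed stand-in for the MySQL tables; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""start-commit hook: allow a commit only if USER belongs to a read-write group."""
import sqlite3
import sys

RW_GROUPS = {"repo_rw"}  # write-capable group name from the question's auth_groups

# Same three tables as the question's AuthMySQL_Group_Table join. The username is
# a bound parameter, never concatenated. `group` is a reserved word, hence the
# backticks. sqlite3 uses "?" placeholders; MySQL drivers use "%s" (assumption).
GROUP_QUERY = """
    SELECT g.`group`
    FROM auth_users u
    JOIN users_groups ug ON ug.uid = u.uid
    JOIN auth_groups g ON g.gid = ug.gid
    WHERE u.username = ?
"""

def groups_for(conn, username):
    """Return the set of group names the user belongs to."""
    return {row[0] for row in conn.execute(GROUP_QUERY, (username,))}

def may_commit(conn, username):
    """Deny by default: anonymous, unknown and read-only users cannot commit."""
    if not username:
        return False
    return bool(groups_for(conn, username) & RW_GROUPS)

def sample_db():
    """Constructed in-memory stand-in for the MySQL tables shown in the question."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auth_users (uid INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE auth_groups (gid INTEGER PRIMARY KEY, `group` TEXT);
        CREATE TABLE users_groups (uid INTEGER, gid INTEGER);
        INSERT INTO auth_users VALUES (1, 'UserA'), (2, 'UserB');
        INSERT INTO auth_groups VALUES (1, 'repo_rw'), (2, 'repo_ro');
        INSERT INTO users_groups VALUES (1, 1), (2, 2);
    """)
    return conn

def main(argv):
    # Subversion runs the hook as: start-commit REPOS-PATH USER [...]
    user = argv[2] if len(argv) > 2 else ""
    conn = sample_db()  # assumption: swap in a connection to the real database
    if may_commit(conn, user):
        return 0
    sys.stderr.write("commit denied: %r is not in a read-write group\n" % user)
    return 1  # non-zero exit makes Subversion reject the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook only runs for commits, so read access is still decided by the Require lines in the Apache configuration.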