I. Installation mod_authz_svn will be installed alongside mod_dav_svn when the regular installation instructions are followed. NOTE: the module is functional, but you should consider it experimental. Some configurations may or may not have the desired effect. Be sure to test if your configuration works as intended. II. Configuration 1. Configuring Apache Modify your httpd.conf. Add the following line _after_ the one that loads mod_dav_svn: LoadModule authz_svn_module modules/mod_authz_svn.so There are several ways to setup access checking for your subversion location. These are simple examples, for more complex configuration of authentication/authorization with Apache, please refer to the documentation: http://httpd.apache.org/docs-2.0/. A. Example 1: Anonymous access only This configuration will allow access only to the directories everyone has permissions to do the operation performed. All other access is denied. See section II.2 on how to set up permissions. DAV svn SVNPath /path/to/repos AuthzSVNAccessFile /path/to/access/file B. Example 2: Mixed anonymous and authenticated access This configuration checks to see if anonymous access is allowed first, if not, it falls back to checking if the authenticated user has permissions to do the operation performed. DAV svn SVNPath /path/to/repos AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile /path/to/access/file # The following line will allow to fall back to authenticated # access when anonymous fails. Satisfy Any Require valid-user NOTE: The access control is designed to never display entries that the user does not have access to. Combining anonymous access on the top levels while restricting read access lower in the directory structure makes it difficult to browse because the server will not request authentication. C. Example 3: Authenticated access only This configuration requires everyone accessing the repository to be authenticated. DAV svn SVNPath /path/to/repos AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile /path/to/access/file Require valid-user NOTE: Because there is no 'Satisfy Any' line, the module acts as if though AuthzSVNAnonymous was set to 'No'. The AuthzSVNAnonymous directive prevents the anonymous access check from being run. D. Example 4: Per-repository access file This configuration allows to use SVNParentPath but have different authz files per repository. DAV svn SVNParentPath /path/to/reposparent AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNReposRelativeAccessFile filename Require valid-user NOTE: AuthzSVNReposRelativeAccessFile filename causes the authz file to be read from /conf/ E. Example 5: Authz file stored in a Subversion repository This configuration allows storing of the authz file in a repository. DAV svn SVNParentPath /path/to/reposparent AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile file:///path/to/repos/authz Require valid-user NOTE: http:// and svn:// URLs are not supported, only local file:// absolute URLs may be used. The URL does not have to point to the same repository as the repository being accessed. If you wish to restrict access to this authz file and it is in the same repository you should include a rule for it. F. Example 6: Authz file stored inside the repository being accessed. This configuration allows providing a relative path within the repository being accessed. DAV svn SVNParentPath /path/to/reposparent AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile ^/authz Require valid-user NOTE: You should include rules in your authz file to restirct access to the authz file as desired. G. Example 7: Authenticated access to "Collection of Repositories" The "Collection of Repositories" is filtered based on read access to the root of each repository, i.e. consistent with the directory lists within repositories. If read access is restricted in repository roots, it is typically desirable to require authentication for "Collection of Repositories" in order to ensure that repositories where the user has access are displayed. This is accomplished by specifying "Satisfy All" (which is the default setting): DAV svn SVNParentPath /path/to/reposparent AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile /path/to/access/file # implicit Satisfy All Require valid-user If the same server must be able to serve paths with anonymous access, it can be defined using an additional location. Satisfy Any Require valid-user The "Require" statement in the previous example is not strictly needed, but has been included for clarity. H. Example 8: Separating groups and authorization rules It may be convenient to maintain group definitions separately from the authorization rules. This configuration allows splitting them into two separate files. The file specified by the AuthzSVNGroupsFile directive uses the same format as the ordinary authz file and should contain a single section with the group definitions. See section II.2.B for more details. DAV svn SVNParentPath /path/to/reposparent AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/htpasswd/file AuthzSVNAccessFile /path/to/access/file AuthzSVNGroupsFile /path/to/groups/file Require valid-user Configurations with per-repository access files may also use a single file containing the group definitions. This configuration avoids the need to duplicate the group definitions across multiple per-repository access files. AuthzSVNReposRelativeAccessFile filename AuthzSVNGroupsFile /path/to/groups/file NOTE: When the AuthzSVNGroupsFile directive is enabled, the file specified with the AuthzSVNReposRelativeAccessFile or AuthzSVNAccessFile directive cannot contain any group definitions. 2. Specifying permissions A. File format of the access file The file format of the access file looks like this: [groups] = [,...] ... [] @ = [rw|r] = [rw|r] * = [rw|r] [:] @ = [rw|r] = [rw|r] * = [rw|r] An example (line continued lines are supposed to be on one line): [groups] subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \ daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \ bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \ epg,bdenny,jaa subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick subversion-bindings = xela,yoshiki,morten,jespersm,knacke subversion-rm = mprice ...and so on and so on... [/] # Allow everyone read on the entire repository * = r # Allow devs with blanket commit to write to the entire repository @subversion = rw [/trunk/doc] @subversion-doc = rw [/trunk/subversion/bindings] @subversion-bindings = rw [/branches] @subversion-rm = rw [/tags] @subversion-rm = rw [/branches/issue-650-ssl-certs] mass = rw [/branches/pluggable-db] gthompson = rw ... [/secrets] # Just for demonstration * = @subversion = rw # In case of SVNParentPath we can specify which repository we are # referring to. If no matching repository qualified section is # found, the general unqualified section is tried. # # NOTE: This will work in the case of using SVNPath as well, only # the repository name (the last element of the url) will always be # the same. [dark:/] * = @dark = rw [light:/] @light = rw B. File format of the groups file The file format of the groups file looks like this: [groups] = [,...] ... An example: [groups] developers = harry,sally,john managers = jim,joe