Tuesday, February 14, 2006

Setting up SVN on Apache

SVN + Apache Configuration

* I am following the nice, 300 page downloadable SVN book. Gotta love this.

* You must use Apache 2.0. Luckily, I am.

* First, if you have not done so, create an SVN repository. For example, you use
[shell> svnadmin create /home/subversion/test
[shell> svn import /some/other/directory file:///home/subversion/test

* If necessary, grab and install the mod_dav_svn stuff with yum. First, log in as root. Then
[shell> yum install mod_dav_svn

* But check the version of svn that you get this way. The SVN specific authorization stuff described below
only works with SVN 1.x, but yum (on my old Fedora 1) gave me 0.32.

* If necessary, copy the downloaded .so modules and conf files into your apache directory. However,
I noted that stuff was already in my Apache 2.0 installation.

* Edit httpd.conf to add any modules.

#SVN modules
#LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

* Add some locations. For multiple repos, do something like this:
<Location /svn>
DAV svn
SVNParentPath /home/subversion
</Location>

This will map everything under http://your.host/svn to /home/subversion. For example,
the repository test under /home/subversion/test (as we created above) can be accessed
via http://your.host/svn/test.

* Point your browser at http://localhost/svn/test and you should see your files.

* For even more fun, open http://localhost/svn/test as a web folder (ie using
builtin MS WebDAV clients) or any other DAV client. You may notice it does not
require authentication, but (at least for me) write access is not working.

* HTTP AuthN and AuthZ can be set up to solve this in a coarse way. Start by
making a password.

[shell> htdigest -c /etc/httpd/password/digest "Subversion repository" ogce

See for example the bottom of http://httpd.apache.org/docs/1.3/howto/auth.html (note this still works
for Apache 2.0).

* Next add the following stuff to the <Location/>:
<Location /svn>
DAV svn
SVNParentPath /home/subversion/

AuthType Digest
AuthName "Subversion repository"
AuthDigestFile /etc/httpd/password/digest

<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>

* Note that the AuthName must match the realm name used with htdigest.

* The <LimitExcept> business means that if you try to do anything other than a few
read-like operations, you will be prompted for a password.

* I found this to be a bit flaky and unpredictable, but luckily after some false
starts I got Subversion access control to work correctly (ie I upgraded to
version 1.1 of svn and the apache svn mods). My modified httpd.conf file entry
now looks like this:

<Location /svn/>
DAV svn
SVNParentPath /home/subversion/

AuthzSVNAccessFile /etc/httpd/conf/svnserver.conf

AuthType Digest
AuthName "Subversion repository"
AuthDigestFile /etc/httpd/password/digest
Satisfy any
Require valid-user
</Location>

The "Satisfy any" and "Require valid-user" are a little at odds, but this is resolved
with the AuthzSVNAccessFile entries described below. "Satisfy any" simply means
"accept any authentication requirements that we will impose."


* The AuthzSVNAccessFile that you specify to be svnserver.conf has entries such as the following:

[test:/]
* = r
ogce = rw

This means "On the test repository and all of its children, give everyone read access and
give the ogce user both read and write access." Thus when you try to import or commit, you will be
prompted for a username and password.


* The SVN authz file can also provide more fine-grained access. For example, I may want to make
all of the projects EXCEPT one called tomcat-plugin2 world readable and make tomcat-plugin2
accessible only by an authenticated user. I do this with the following contents of svnserver.conf:

[test:/]
* = r
ogce = rw

[test:/tomcat-plugin2]
*=
ogce = rw

Navigating to this tomcat-plugin2 directory will cause a password prompt window to appear. If I
login as the indicated user, I can access the rest of this project.


* Check at this point to make sure all of your svn commands work over http:
svn import http://your.host/svn/test/your_project_dir/
svn list http://your.host/svn/test/your_project_dir
svn checkout http://your.host/svn/test/your_project_dir
svn commit

You should be prompted for a password on the write operations (import, commit) although
svn seems to remember you after the first login. Looks like this is stored in ~/.subversion/auth

* The svn commit command assumes you have made some modifications to your checkout. If so,
you should be prompted for a password before this gets accepted (if you have configured
everything correctly).

2 comments:

chandu said...

Hi,

What version of Apache Http Server are you using 2.0.? I tried to follow the same steps on 2.0.58 with subversion 1.3.2 but it doesn't read dav_svn_module.

Thanks in Advance.

Chandu

Unknown said...

the line #LoadModule dav_module modules/mod_dav.so must not be commented. i need this module.