Edgewall Software

How to control access to multiple projects using mod_authz_svn.so

Introduction

This information applies to multiple project installs of Trac served through Apache. In principle the same information should apply to single project Tracs, but this hasn't been tested. The examples come from a Windows environment but I can't see why a similar setup would not work elsewhere.

It is convenient to keep all the access restrictions to a project in one place. Trac already supports this for browsing of source code (see FineGrainedPermissions?). This page describes how to use the mod_authz_svn.so module to do this for the whole project.

Matching repo and Trac names

A prerequisite for this being really convenient is that your repositories have the same names as your Trac projects. Something like:

C:/repos/project1 - for the repository
C:/trac/project1 - for the Trac project

mod_authz_svn.so will still work if you do not have this setup but you will have to add additional access restrictions in the SVN access file.

mod_authz_svn

The mod_authz_svn.so module simply takes a path, strips off the parent path and checks for a users access based on that stripped path, the users name and their access rights in the SVN access file. It works more or less stand alone from Subversion as a module in Apache so it may have other cunning uses, who knows…

One point is that mod_dav_svn module must be loaded before the mod_authz_svn module can be used. You must load mod_dav_svn even if you are not using it. (Thanks to Robbert Gravsjo for that)

To get mod_authz_svn.so running it must be loaded in the Apache httpd.conf file.

Example from httpd.conf:

LoadModule authz_svn_module modules/mod_authz_svn.so

To activate it for the location that serves your Trac projects, the following must be inside that location.

Example from httpd.conf:

  #Restrict access to Trac projects based on SVN access rights
  SVNParentPath D:/mytracprojects
  AuthzSVNAccessFile "C:/Program Files/Apache Group/Apache2/conf/svnaccessfile.txt"

Setting Access

To get access to a Trac project the user must first pass any authentication you have in place. They must then have access rights defined in the SVN access file. If they have read only rights they will be able to view things in Trac but make no modifications. If they have read and write they have the normal access.

The permissions system built into Trac comes into play once a user has authenticated, and had their access checked by mod_authz_svn.so. This means that any other permissions restrictions must still be defined in trac.

For more information on the SVN Access file see the Subversion Book

Access to Trac for managers and testers

One other tip is for the situation where a user is read only on the repo but needs to create tickets in trac. Simply create a section in the SVN access file for the newticket url. Of course you must be careful that there is not actually a path in your repository that is called /newticket.

Example from svn access file:

[project1:/newticket]
user1 = rw

A Problem

Using the setup as descibed above has one drawback. You lose access to the default listing of Trac projects that was returned if you accessed the base Trac url with no project name. There may be a work around for this but I haven't yet found it.

Ok, here's the workaround (really around…):

  • Add this to your authz file
    [/]
    * = r
    
  • Add a redirect in your httpd.conf (if tracs is your trac root directory):
    RedirectMatch ^/tracs/$ /tracs/none
    RedirectMatch ^/tracs$ /tracs/none 
    

Note! Doing this will add default read access to everybody!! You should take care to add * = to all repositories/tracs where you don't want regular read access.

This works because the authz mechanism will try to match anything after the defined SVNPath. / matches this and read access is allowed. 'none' is sent to trac.cgi and it cannot find a trac with that name and will show the list of tracs.

There is one more workaround, based on RewriteRule:

  • Add a RewriteRule in your httpd.conf (if tracs is your trac root directory):
    RewriteEngine on
    RewriteRule ^/tracs$ /tracs/TracIndex [PT]
    RewriteRule ^/tracs/$ /tracs/TracIndex [PT]
    
  • Add this to your authz file
    [TracIndex:/]
    * = r
    

You still need valid login & password to access listing but there is no need to worry about "default read access" described above.

Note: The versions of the software used is not given in your note. So consider this an FYI and YMMV…

Subversion 1.4.4 (built by Kubuntu) Trac .11 Apache 2.2.4

The following error is displayed instead of the Trac first page…

[Wed Oct 31 16:31:46 2007] [error] [client 127.0.0.1] (20014)Internal error: Can't open file '/var/trac/Sample/format': No such file or directory

If I create a format file (a file that does exists in a svn repo) with a value in it then I get the following errors…

[Wed Oct 31 16:34:57 2007] [error] [client 127.0.0.1] (20014)Internal error: Error opening db lockfile
[Wed Oct 31 16:34:57 2007] [error] [client 127.0.0.1] Could not fetch resource information.  [500, #0]
[Wed Oct 31 16:34:57 2007] [error] [client 127.0.0.1] Could not open the requested SVN filesystem  [500, #2]
[Wed Oct 31 16:34:57 2007] [error] [client 127.0.0.1] Could not open the requested SVN filesystem  [500, #2]

It appears to me that SVN has made mod_authz_svn smarter and it breaks this hack.

Hack variant

The described hack did not work for me. The apparent reason is that trac (11beta2) does not return the environment list when asking for an unknown environment (TracIndex). My solution to this was to modify dispatch_request in trac/web/main.py L345 to add

if env_name == 'TracIndex':
  send_project_index(environ, strat_response, env_parent_dir, env_paths)
  return []
Last modified 19 months ago Last modified on Mar 7, 2015, 2:48:13 AM