CollabNet Subversion - Restricting user access to repositories
I have been using Subversion for version control for a good time now. And I use CollabNet's Subversion server for all in-house SVN repos. It has been only recently that a need arose to restrict access to repositories for my colleagues.
Basically I needed to enable access for a particular repository to a person outside my organization. And I did not want that person to be able to access all other repos (internal to my organization) on the same svn server. Please note that under default settings, all authenticated users have read/write access for all repositories on a CollabNet svn server.
I imagined I should be able to control this via the svnserve.conf/authz/passwd configuration files specific to each repository. But the comments at the top of those files (specifically svnserve.conf) made it very clear that these files are only used when accessing via svnserve. If the repo is accessed via http/https, the settings in these configuration files are ignored.
The next place I looked was the "Access Rules" section under the "Repositories" tab when logged in as admin to the CollabNet Subversion Edge GUI. I was decently sure this was the right place for configuring repository-based access, but did not quite have a clear idea of the syntax to be used for specifying access rules.
Basic googling and this page in CollabNet's Subversion Community book helped, and I was able to quickly muster up the following access rules that worked exactly how I wanted them to:
[/]
admin = rw
rahul.singla = rw

[Repo1:/]
neha.aggarwal = rw

[Repo2:/]

[Repo3:/]
aruna.raheja = rw
neha.aggarwal = rw

[Repo4:/]

[Repo5:/]

[Repo6:/]
yash.kapoor = rw

[Repo7:/]
A detailed explanation of the syntax is available here:
Basically the section starting with [/] controls access to all repositories. Here I have given the admin user and myself read/write access to all repos.
All sections below control access to a particular repo whose name is inside the brackets. ':/' means the rule is for the root of that repo; you can also control access to particular paths inside a directory. You can also create groups of users and assign access rules to a group that then apply to all users in it. The exact syntax is available at the URL referenced above, together with some other handy options for specifying access rules.
You would find this page useful too if you are allowing access via svnserve.
Needless to say, I am loving the way CollabNet's Subversion server works. And the icing on the cake is that the above access rules are automatically applied to viewvc also, and a user is able to view a repo only if s/he has access to the same.
- Jan 23, 2012 - A very important point to note is that the casing of repository/paths in your access rules and in your checkout commands should match.
e.g. if your access rule is like:
User1 = rw
And User1 tries to check-out:
CollabNet Subversion would give you an unauthorized error. Did you notice the problem? The casing of the repository name in your check-out command and in the access rule does not match. You will get this error even on Windows, where directory/file names are case insensitive.
A very important gotcha you would want to look out for.
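The rule lookup and the casing gotcha described above can be checked offline before rules are saved. The following is an added example, not code from the original post or from CollabNet: a simplified model of path-based lookup that handles named users only (no groups, aliases or `*`), with function names of my own choosing.

```python
# Simplified model of path-based authz lookup; not Subversion's own code.
RULES = """\
[/]
admin = rw
rahul.singla = rw
[Repo1:/]
neha.aggarwal = rw
[Repo2:/]
[Repo3:/]
aruna.raheja = rw
neha.aggarwal = rw
[Repo4:/]
[Repo5:/]
[Repo6:/]
yash.kapoor = rw
[Repo7:/]
"""  # the access rules given in the post

def parse(text):
    """Return {section_name: {user: perms}}; names are kept case-exact."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            user, perms = (part.strip() for part in line.split("=", 1))
            current[user] = perms
    return sections

def access(sections, user, repo, path="/"):
    """Walk from path up to the root; the first section naming the user decides."""
    parts = [p for p in path.split("/") if p]
    while True:
        current_path = "/" + "/".join(parts)
        for name in (f"{repo}:{current_path}", current_path):  # repo section first
            rules = sections.get(name, {})   # exact, case-sensitive match
            if user in rules:
                return rules[user]
        if not parts:
            return ""                        # no rule names the user: no access
        parts.pop()

def case_mismatches(sections, repo):
    """Repo names in the rules that differ from `repo` only by letter case."""
    names = {n.split(":", 1)[0] for n in sections if ":" in n}
    return sorted(n for n in names if n != repo and n.lower() == repo.lower())
```

Calling `access(parse(RULES), "neha.aggarwal", "repo1")` returns an empty string because no section is named `repo1`, and `case_mismatches` points at `Repo1` as the intended spelling.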