Goal
- Subversion for multiple repositories
- Authenticated by Apache2 mod_auth_pgsql
Profile
OS | Debian Lenny |
Hostname | 192.168.1.100 |
Svn directory | /opt/svn |
Repositories | /opt/svn/repo1 /opt/svn/repo2 |
PostgreSQL database for authentication | svn |
PostgreSQL user | svn |
$ - General user
# - root
Install Debian packages
# apt-get install apache2 libapache2-mod-auth-pgsql libapache2-svn\
postgresql postgresql-contrib subversion ssl-cert
Setup PostgreSQL
1. Create database and user for authentication
$ sudo su postgres
postgres $ createdb svn
CREATE DATABASE
postgres $ createuser svn
Shall the new role be a superuser? (y/n) n
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER
- Load pgcrypto, which provides the crypt() and gen_salt() functions used to hash passwords
postgres $ psql -d svn < /usr/share/postgresql/8.3/contrib/pgcrypto.sql
SET
CREATE FUNCTION
CREATE FUNCTION
CREATE FUNCTION
...
postgres $ psql -d svn
svn =#
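-- user table: one row per login. mod_auth_pgsql looks a login up by
-- username (Auth_PG_uid_field) and checks it against the hash in passwd
-- (Auth_PG_pwd_field).
CREATE TABLE users (
    user_id  SERIAL PRIMARY KEY,
    username VARCHAR(32) NOT NULL,
    -- crypt()/gen_salt() hash, never the clear-text password
    passwd   TEXT NOT NULL,
    -- informational only; not referenced by the dav_svn.conf directives
    email    VARCHAR(255),
    -- a login name must resolve to exactly one row; the constraint's index
    -- also serves the per-login lookup the module performs
    CONSTRAINT users_username_key UNIQUE (username)
);
-- the Apache-side role only needs to read this table
GRANT SELECT ON users TO svn;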
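-- group table: one row per (user, group) membership. mod_auth_pgsql reads it
-- (Auth_PG_grp_* directives) for "Require group ..." checks; the dav_svn.conf
-- below uses "Require valid-user", so it is consulted only if that changes.
CREATE TABLE groups (
    group_id SERIAL PRIMARY KEY,
    username VARCHAR(32) NOT NULL,
    memberof VARCHAR(64) NOT NULL, -- group name
    -- a user is either in a group or not: forbid duplicate membership rows;
    -- the constraint's index covers lookups on (username, memberof)
    CONSTRAINT groups_username_memberof_key UNIQUE (username, memberof)
);
-- the Apache-side role only needs to read this table
GRANT SELECT ON groups TO svn;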
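-- log table: mod_auth_pgsql writes a row here for each access it logs
-- (see the Auth_PG_log_* directives in dav_svn.conf).
CREATE TABLE logs (
    logs_id SERIAL PRIMARY KEY,
    uname   VARCHAR(32),
    -- PostgreSQL caps timestamp precision at 6; TIMESTAMP(8) only draws a
    -- warning and is reduced, so use the default precision explicitly
    time    TIMESTAMP,
    uri     VARCHAR(512),
    ip      INET
);
CREATE INDEX idx_logs ON logs (uname, time);
-- the Apache-side role appends rows but must not read or alter the audit trail
GRANT INSERT ON logs TO svn;
-- an INSERT that fills the SERIAL column draws its value from the column's
-- sequence, which carries its own privilege; without it the module's inserts
-- fail with a permission error
GRANT USAGE ON SEQUENCE logs_logs_id_seq TO svn;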
- Set the database password for role 'svn' (the same value is used as Auth_PG_pwd in dav_svn.conf below)
-- Login password for the svn role. dav_svn.conf repeats this value in
-- Auth_PG_pwd, so the two must be changed together; '123456' is the sample
-- value used throughout this walkthrough.
ALTER ROLE svn WITH ENCRYPTED PASSWORD '123456';
Create subversion repositories
# mkdir /opt/svn/
# svnadmin create /opt/svn/repo1
# svnadmin create /opt/svn/repo2
Then change their ownership to the Apache user (www-data), so mod_dav_svn can write to them
# chown -R www-data:www-data /opt/svn
Setup Apache 2 and WebDAV
# a2enmod dav
# a2enmod dav_svn
# a2enmod 000_auth_pgsql
Setup SSL
# a2ensite default-ssl
# a2enmod ssl
- Create self-signed certificates
If you install
the ssl-cert package, a self-signed certificate will be automatically
created using the hostname currently configured on your computer. You
can recreate that certificate (e.g. after you have changed /etc/hosts
or DNS to give the correct hostname) as user root with:
# make-ssl-cert generate-default-snakeoil --force-overwrite
Set up authentication with mod_auth_pgsql
- Allow connections for user svn to the PostgreSQL database svn from the local host. Add this line to /etc/postgresql/8.3/main/pg_hba.conf:
host svn svn 127.0.0.1 255.255.255.255 md5
Be sure to put it before the line
host all all 127.0.0.1 255.255.255.255 ident sameuser
- Modify /etc/apache2/mods-available/dav_svn.conf for authentication
<Location /svn>
# Every repository under SVNParentPath is served as /svn/<repo-name>
DAV svn
SVNParentPath /opt/svn
# HTTP Basic sends the password with each request; SSLRequireSSL at the end
# of this block refuses plain-HTTP access so it only travels over TLS
AuthType Basic
AuthName "Subversion Repository"
# Database connection used by mod_auth_pgsql. The role and password are the
# ones set with ALTER USER above, and pg_hba.conf must permit md5 auth for
# this role from 127.0.0.1. This file holds a database password: keep it
# readable by root only.
Auth_PG_host localhost
Auth_PG_port 5432
Auth_PG_database svn
Auth_PG_user svn
Auth_PG_pwd 123456
# Table and columns the login name is matched against and the password hash
# is read from (users.username / users.passwd)
Auth_PG_pwd_table users
Auth_PG_uid_field username
Auth_PG_pwd_field passwd
# Group membership table, consulted for "Require group ..." directives;
# this block uses "Require valid-user", so it is not needed until that changes
Auth_PG_grp_table groups
Auth_PG_grp_group_field memberof
Auth_PG_grp_user_field username
# NOTE(review): with caching on, verified credentials are kept inside the
# Apache process, so a password change or user removal in the database may
# not take effect until the cache expires or Apache restarts — confirm
# against the module documentation before relying on immediate revocation
Auth_PG_cache_passwords on
# Access log columns; they must match the logs table (uname, time, uri, ip).
# The svn role needs INSERT on this table and, on PostgreSQL, USAGE on the
# sequence behind the SERIAL id column.
Auth_PG_log_table logs
Auth_PG_log_uname_field uname
Auth_PG_log_date_field time
Auth_PG_log_uri_field uri
Auth_PG_log_addrs_field ip
# Per-repository, path-based rules (mod_authz_svn); the users and groups
# named in that file are matched against the authenticated login name
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# Any successfully authenticated user passes this point; the authz file
# then narrows access per repository
Require valid-user
SSLRequireSSL
</Location>
$ sudo su postgres
postgres $ psql -d svn
svn =#
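-- User 'test1', for 'repo1'
-- crypt() with an md5 gen_salt() stores a salted crypt(3)-style hash, never
-- the clear-text password. md5 is the weakest scheme pgcrypto offers; whether
-- a stronger gen_salt() type can be used depends on how mod_auth_pgsql
-- verifies the stored hash — confirm against the module before changing it.
INSERT INTO users (username, passwd, email)
VALUES ('test1', crypt('123456', gen_salt('md5')), 'test1@localhost');
INSERT INTO groups (username, memberof)
VALUES ('test1', 'testgrp');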
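-- User 'test2', for 'repo2'
-- same hashing scheme as for 'test1': crypt() over an md5 gen_salt(), so only
-- a salted hash is stored
INSERT INTO users (username, passwd, email)
VALUES ('test2', crypt('abcdef', gen_salt('md5')), 'test2@localhost');
INSERT INTO groups (username, memberof)
VALUES ('test2', 'testgrp');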
- Create path-based access rule file /etc/apache2/dav_svn.authz
# vim /etc/apache2/dav_svn.authz
# Groups used by the rules below. They are defined in this file alone
# (mod_authz_svn does not read the PostgreSQL groups table), so keep the
# membership here in sync with the database.
[groups]
testgrp=test1,test2
# User 'test1' has full access to repository 'repo1';
# '*=' explicitly grants nothing to everyone else, so it is not accessible to others
[repo1:/]
*=
test1=rw
# All members of group 'testgrp' can read repository 'repo2';
# user 'test2' has full (read/write) access
[repo2:/]
@testgrp=r
test2=rw
# /etc/init.d/apache2 restart
Complete
Now, these two repositories could be accessed via