SVN Access Manager Documentation
|
SVN Access Manager Documentation |
|
1. SVN Access Manager overview
2. Getting started2.1 Download the Software
2.2 Installation procedure2.2.1 Install the software3. Using SVN Access Manager
2.2.2 Setup the Apache web server
2.2.2.1 General2.2.3 Setup a MySQL database and a database user
2.2.2.2 ViewVC
2.2.4 Setup a PostgreSQL or Oracle database
2.2.5 Using the installer
2.2.5.1 Instructions2.3 First steps after installation
2.2.5.2 Database settings
2.2.5.3 LDAP settings
2.2.5.4 Website settings
2.2.5.5 Administrator account
2.2.5.6 Web server settings
2.2.5.7 Miscellaneous settings
2.2.5.7 Installation errors3.1 My account menuMailinglists3.1.1 General3.2 Administration menu
3.1.2 Password
3.1.3 Password policy
3.1.4 Preferences
3.2.1 Users3.3 Reports menu
3.2.2 Groups
3.2.3 Repositories
3.2.4 Projects
3.2.5 Repository access rights
3.2.6 Create access files
3.2.7 Group administrators3.3.1 Repository access rights
3.3.2 Log
3.3.3 Locked users
3.3.4 Granted user rights
3.3.5 Show user report
Credits
License
Warranty1. SVN Access Manager overview
SVN Access Manager is a powerful tool for managing access to subversion repositories. The tool provides user and group management and access rights (read /write) to dedicated paths in a repository as well.
SVN Access Manager uses projects to give users the rights to manage their own modules in a repository. Project is used substitutionary for a toplevel directory.
Let's have a small example of a repository structure:
testproject1 trunk /dir1 /dir2 /dir3 /dir4 /dir5 branches version-1-0 /dir1 /dir2 /dir3 /dir4 /dir5 version-1-1 ... tags version-1-0-0-0 /dir1 /dir2 /dir3 /dir4 /dir5 version-1-0-0-1 ... testproject2 trunk ... branches ... tags ... testproject3 trunk ... branches ... tags ...As you can see the subversion repository is organized in modules containing their trunk, branches and tags each. Each of the modules is called project. One of SVN Access Manager's goals is to have the possibility to give one or more users the responsibility to organize the access rights in their project. In large repositories with a lot of projects it makes administration easier because the responsibility for giving or revoking access rights can be divided up upon more users.
Because of the fact that you can give access rights (read/write) to each directory within a repository the organization structure of a repository does not matter. SVN Access Manager can work with every subversion repository structure.
Authentication is done by the Apache web server. Only valid users may access the repositories. Authorization is done by the mod_authz module which takes the permissions from the generated svn access file.
2. Getting started
To use SVN Access Manager you need at least:
- a working subversion installation
- a MySQL Database, version 4 or higher, a PostgreSQL 8 or higher database or an Oracle 10g or higher database
- an Apache web server, version 2.0 or higher with DAV, mod_authz and SVN support
- PHP version 4 or higher with working oci8 support if using Oracle database
If you need support installing and configuring Oracle oci8 driver for PHP, please refer to the PHP documentation.
2.1 Download the software
First download the source archive from sourceforge.net. SVN Access Manager is available as bzip2 and gzip compressed archive and as zip archive as well.
2.2 Installation procedure
The installation is divided up in several parts. Just follow the instructions below.
For the installation description it is assumed that SVN Access Manager ist installed to /home/svnacessmanager, the web server is accessed as localhost and the Subversion Repository and the MySQL database are on the same host. The directory containing the repositories is assumed as /svn/repos. The files needed for authentication and authorization are assumed in /etc/svn.
The configuration file for SVN Access Manager will be placed in /etc/svn-access-manager directory. Please make sure that your webserver has enough rights to wirte the configuration into this directory.
Please make sure that in your php.ini file the varibale mysql.allow_persistent is set to on! Otherwiese you may have problems with login after the installation. Please set the variable mysql.allow_persistent to on before you proceed with the installation. Don't forget to restart your webserver after changing the value of mysql.allow_persistent!
2.2.1 Install the software
Go to a directory where the software can be accessed by your Apache web server. Unpack the archive. For our example do the following:
# cd /home/svnaccessmanager # tar -xvfz svnaccessmanager-0.5.0.0.tar.gzProceed with setting up the Apache web server described in the next step.
2.2.2 Setup the Apache web server
2.2.2.1 General web server setup
Your Apache web server must know about the SVN Access Manager if it is not installed in the DocumentRoot of your web server. In the latter case you can include a line similar to this in your web server configuration:
Alias /svnaccessmanager /home/svnaccessmanager/svn_access_managerTo get user authentication and authorization work you have to add DAV support to your web server and configure it accordingly. You can use a configuration similar to this:
<Location /svn/repos> DAV svn SVNParentPath /svn/repos AuthType Basic AuthName "Subversion Repository" AuthUserFile /etc/svn/svn-passwd AuthzSVNAccessFile /etc/svn/svn-access Require valid-user SVNIndexXSLT /svnstyle/svnindex.xsl </Location> CustomLog /var/log/apache2/svn.log "%t %u %{SVN-ACTION}e" env=SVN-ACTIONThe configuration above assumes that no anonymous access to the repository is allowed. If you need anonymous read access you have to limit the Require valid-user to write operations. See the Apache web server documentation for further information.
After adding this don't forget to reload your web server to make sure the configuration changes are active.
Btw. The settings above are printed out from the installer after a successful installation. The installer output is modified according to your settings.
If you plan to use LDAP authentication you can use a configuration similar tp this:
LDAPSharedCacheSize 200000 LDAPCacheEntries 1024 LDAPCacheTTL 600 LDAPOpCacheEntries 1024 LDAPOpCacheTTL 600 LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so Alias /svnstyle /usr/share/doc/subversion-1.4.2/tools/xslt/ <Location /svn/repos> DAV svn SVNParentPath /svn/repos SSLRequireSSL AllowOverride ALL Satisfy All AuthType Basic AuthBasicProvider ldap AuthName "SVN LDAP Auth Test" AuthLDAPURL "ldap://127.0.0.1:389/ou=people, \\ ou=example?uid?sub?(objectclass=*)" AuthLDAPBindDN ou=apache,ou=example AuthLDAPBindPassword password AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN on AuthzLDAPAuthoritative off AuthLDAPCompareDNOnServer On Require valid-user AuthzSVNAccessFile /etc/svn/svn-access SVNIndexXSLT /svnstyle/svnindex.xsl LogFormat "%t %u %{SVN-ACTION}e" svn_common CustomLog svn_common env=SVN-ACTION #CustomLog logs/svn.log "%t %u %{SVN-ACTION}e" env=SVN-ACTIONAfter adding this don't forget to reload your web server to make sure the configuration changes are active.
Btw. The settings above are printed out from the installer after a successful installation. The installer output is modified according to your settings.
2.2.2.2 ViewVC
If you plan to use ViewVC anyone who can access ViewVC can access all repositories storing data in the ViewVC database. SVN Access Manager is capable to create a ViewVC web server configuration to limit access. It will consist of a group file and a web server configuration file.
To use the ViewVC configuration files you have to configure
root_as_url_component = 1in the viewvc.conf file of your ViewVC installation. Without this configuration setting the generated files will not work properly.
SVN Access Manager will create the group file for allowing access to the repositories stored in ViewVC. It will also create a configuration file for the Apache web server to use this group file. To use the Apache configuration file you have to advice your Apache web server to load the configuration file. You have to define a command for reloading the Abache web server configuration which can be executed by the web server itself.
Here's a short description of a setup using Apache web server 2.2 with Debian Etch. For the example it is assumed, that SVN Access Manager creates the configuration files to /etc/svn and ViewVC version 1.0.5 is already installed to /usr/local/viewvc-1.0.5. It is also assumed that you have configured Python accordingly. The ViewVC web server configuration consists of two files:
- viewvc-apache.conf
- viewvc-groups
For user authentication the password file created from SVN Access Manager is used as well.
Example configuration:
First go to /etc/apache2/sites-available. Create a file "viewvc" containing the following:
ScriptAlias /viewvc /usr/local/viewvc-1.0.5/bin/cgi/viewvc.cgiGo to /etc/apache2/sites-enabled and create a link to the file created before:
ln -s /etc/apache2/sites-available/viewvc viewvcNow change to /etc/apache2/conf.d and create a link to the ViewVC configuration created bySVN Access Manager:
ln -s /etc/svn/viewvc-apache.conf viewvc-apache.confFor automatic configuration reload of the web server you can define a sudu command like this:
www-data ALL = NOPASSWD: /etc/init.d/apache2 gracefulNow restart your web server.
Detailed information about ViewVC can be found on the ViewVC Homepage and in the INSTALL file in the ViewVC archive.
2.2.3 Setup a MySQL database and a database user
You need a database for SVN Access Manager and an user with full access to this database. To create the database do the following as root user of your MySQL database:
CREATE DATABASE svnadmin;To create a user having access to this database do the following as root user of your MySQL database:
CREATE USER 'svnadmin'@ 'localhost' IDENTIFIED BY '*******'; GRANT USAGE ON * . * TO 'svnadmin'@ 'localhost' IDENTIFIED BY '*******' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; GRANT ALL PRIVILEGES ON `svnadmin` . * TO 'svnadmin'@ 'localhost';After finishing the database work continue with installing SVN Access Manager.
If you get an error "No database selected" during installation check if the database user has sufficient rights to access and to work with the database!
2.2.4 Setup a PostgreSQL or Oracle database
Please refer to the database documentation for information about to setup a PostgreSQL or Oracle database.
2.2.5 Using the installer
Important notice:
Please remove the installer script after finishing the installation. It is a security risk to have the installer on a global accessible site! You can achieve this by removing the install.php script or by making it unaccessible for the user running the web server.The installer is started by entering the following URL into your web browser presuming that you have the alias names as mentioned above. Otherwise please use the values fitting your installation:
http(s)://localhost/svnaccessmanager/install/install.phpIt is recommended to use https to access the installer over the internet because of the fact that passwords are sent to the web server!
After the installer is started, please fill in the values fitting your requirements. Below you find a short description of the several settings. The installer consists of six pages. After you finished filling the appropriate values click Start installation. If there are errors please correct them. Otherwise the installer starts and gives you a success information. Additional the web server configuration is printed out.
2.2.5.1 Instructions
The installation instructions inform you about the installation process and about of missing settings in the php.ini file.
2.2.5.2 Database settings
The installer can create the database tables during installation. You can select if you want to drop already existing tables or not. The database user you want to use must have sufficient rights to do this. Please make sure that the user has the rights to create and drop tables and create and drop indices.
SVN Access Manager supports MySQL, PostgeSQL and Oracle databases. Select the database you want to use.
2.2.5.3 LDAP settings
SVN Access Manager can use an external LDAP directory for authentication of users. Please fill in the values to connect to the LDAP server and specify the attribute mapping if necessray.
You have to fill in the values neeeded. Keep in mind that the attribute mappings are not checked during installation. You will get a lot of ugly warnings if the mappings will not match your LDAP.
Using LDAP will change the behaviour of SVN Access Manager. You will not be able to add users with your own uswernames. The users will be fetched from the LDAP directory and you can only add the users to SVN Access manager to give the users the chance to work with your subversion repository.
Impoartant notice:
The admin user you choose must exist in the LDAP directory you connect to. Otherwise you will not be able to login to SVN Access Manager!You will have to setup your Webserver to work with LDAP authorization. After installation on the result page a sample configuration for Apache webserver will be shown depending on your input.
2.2.5.4 Website settings
On this page you can set the website characterset. This characterset must be compatible with the database characterset. You can also enter the sender for lost password notification mails and the duration a link to reset the password is valid.
2.2.3.5 Administrator account
After a successful installation you need a user to administer SVN Access Manager. This user has all rights within SVN Access Manager. So be careful what password you use. By default the password must consist of lower case letters, upper case letters, digits and special characters. It must have 14 characters at least.
2.2.5.6 Web server settings
In the web server section you can decide whether you want to use SVN access control and Apache user authentication. If you want to use the different restrictions you must specify the filenames where to store the generated files. Please keep in mind that the web server user must be able to write the files!
To use the ViewVC restrictions you must select to create the configuration files, specify the directory where to write the configuration files, enter the alias you use for ViewVC in the web server and give a command which enables the web server to restart itself. You can find detailed explanations about the setup of the ViewVC restrictions here. You can find information about ViewVC on the ViewVC Homepage.
SVN Access Manager makes use of the svn and the grep commands. Please check the installer's suggestions and correct them if necessary.
2.2.5.7 Miscellaneous settings
In this section you can decide if you want to use JavaScript or not. JavaScript is needed to make the directory selections easier because you can select a directory the one click.
SVN Access Manager can do logging. Every action will be logged into a database table and a report will be available.
The Page size sets the default value of how many records will be displayed on a screen. This value can be overwritten by the preferences each user can set.
The password length fields set the minimal length for user and administrator passwords. It is strongly recommended to have strong and long enough passwords. Please keep in mind that a repository which has weak user and administrator passwords can easily be accessed by a malicious user.
You can use crypt or md5 to crypt the passwords. You can switch the configutation at every time by changing the setting in the config.inc.php file. The passwords are stored encrypted in the database. Once an user changes his password it will be encrypted with the new algorithm.
2.2.3.8 Installation errors
This page shows you all errors found during installation.
2.3 First steps after installation
After a successful installation of SVN Access manager you should configure the application to your needs. That means that you create the necessary users and groups, define the repositories usable in projects and define the projects and its responsible persons.
To do this it is recommended to do the following steps:
- create the users you need
- create the groups you need and assign the users to the groups
- create the repository entries
- create the projects and assign responsible users to the projects
3. Using SVN Access Manager
To start using SVN Access Manager type the following into your web browser:
https://localhost/svnaccessmanager/If you installed with a different alias or on a different domain please use the values accordingly.
After you logged in successfully you see the main menu of SVN Access Manager. The picture on the left shows the main menu an administrator with full access sees. Which items you can see and access depends on the rights granted to you.
3.1 My account menu
This section describes the menu items from the My account block.
3.1.1 General
The General menu item gives you access to the data stored about you. Please keep in mind that you have to have a correct and working email address. If not you do not get messages concerning your account. This can result in a blocked account. You can enter a security question and the answer to that questions also. Doing so allows you to recover your password yourself. Without a security question and an answer to it you need the help of an administrator to recover a lost password.
3.1.2 Password
To change your password type in your current password and the new password. To avoid typos you have to enter the new password twice. Your new password must fit the password policy to be accepted.
3.1.3 Password policy
Here you find the actual password policy.
3.1.4 Preferences
Set your personnel preferences. In the moment only the Page size can be set.
3.2 Administration menu
The menu items described below are only accessible if you have administrative rights. Depending on your rights you might see all or only particular menu items.
The following buttons are used:
is used for selecting an entry for changes.
is used to select an entry for delete.
is used to delete all selected entries
is used to submit
is used to cancel
3.2.1 Users
The image on the left shows the user administration overview dialog. You can select an user by clicking on the edit icon on the right of the user, delete an user by clicking on the delete icon on the right of the user or add a new user. If you edit an user or add a new user you will see the user administration dialog shown in the next picture.
A user needs a name and a given name, an unique username and a password. The password strength depends on the user's role. If the user is an administrator the password must be stronger!
Normally passwords expire after 90 days. If you do not want the user's password to expire you can disable this feature.
The Repository user right determines if a user has write access to repositories. If you specify read here you can not give the user write access to any repository in the defined projects!
The global user rights determine what the user is allowed to do. The right can be none, read, edit or delete. Higher rights also include the lower rights. E. g. the delete right includes edit and read.
3.2.2 Groups
Groups are useful to make access right administration easier. You have the possibility to assign rights to whole groups. So adding a member to a group gives the new member all the access rights the group has.
The image on the left shows the group administration overview dialog. You can select a group by clicking on the edit icon on the right of the group, delete a group by clicking on the delete icon on the right of the group or add a new group. If you edit a group or add a new group you will see the group administration dialogs shown in the next pictures.
This is the group administration dialog. Each group must have a unique group name and a description. If you want to add members to the group you can click on the little green plus sign below group members. In this case you see the following dialog.
Select the members you want to add to the group and click the green hook. This takes you back to the previous dialog.
After you're finished you can click the green hook to submit your changes.
3.2.3 Repositories
Here you define the repositories you want to administer. Please keep in mind that removing a repository removes it only from the database.
The picture on the left shows the repository administration overview dialog. You can select a repository by clicking on the edit icon on the right of the repository, delete a repository by clicking on the delete icon on the right of the repository or add a new repository. If you edit a repository or add a new repository you will see the repository administration dialog shown in the next picture.
Each repository needs an unique name, a repository path and if it is accessed by DAV an username and a password to access the remote repository.
The repository path must start with file:// if SVN Access Manager runs on the same machine as the repository is located.
If SVN Access Manager runs on the same host where the svn repositories are located you can let SVN Access Manager create an empty repository for you.
Depending on your configuration settings you will see the two input fileds for "Auth user file" and "SVN access file". These fields are for per repository access files. If you do not enter a path and a filename the path from the global configuration is taken and appended with an appropriate filename. Keep in mind that the user running the webserver must have permission to write the files. Otherwise you have trouble with access file generation.
3.2.4 Projects
The picture on the left shows the project administration overview dialog. You can select a project by clicking on the edit icon on the right of the project, delete a project by clicking on the delete icon on the right of the project or add a new project. If you edit a project or add a new project you will see the project administration dialogs shown in the next pictures.
Each subversion project needs an unique name. With the subversion module path you can limit the access to the repository. That means that access right can only be granted to the directory specified here or its subdirectories. The set the top level directory use /.
The project is only valid for one repository. You must choose the appropriate repository from the drop down menu.
To add responsible users for the project click on the green plus sign below Select project responsible users. Doing this you will see the dialog shown in the next picture.
A project needs at least one responsible user. If there's no responsible user no one can administer the project. Select the users you w3ant to be responsible for the project and click the green hook to return to the previous dialog. It should look similar to the next picture.
After you're finished you can click the green hook to submit your changes.
3.2.5 Repository access rights
Subversion grants access rights recursively. That means that creating access rights to repositories is not as complex as it seams. Let's have a small example.
Repository testrepo: trunk /dir1 /dir2 /dir3 /dir4 /dir5Let's assume that there are two user defined for this repository, user A and user B. User A should have read access to the whole repository but should only be allowed to write into "dir2" without the sub directories. User B should have write access to the whole repository except "dir5". For dir5 he should not have any access.
You can set the access rights with SVN Access Manager according to this created access file:
[testrepo:/trunk/] A = r B = rw [testrepo:/trunk/dir2] A = rw [testrepo:/trunk/dir2/dir3] A = [testrepo:/trunk/dir2/dir4] A = [testrepo:/trunk/dir5] B =
The picture on the left shows the access right administration overview dialog. You can select an access right by clicking on the edit icon on the right of the access right, delete an access right by clicking on the delete icon on the right of the access right or add a new access right. If you edit an access right or add a new access right you will see the access right administration dialogs shown in the next pictures.
First you have to select the project you want to work with.
Now you have to select the directory you want to add rights. If you selected to use JavaScript during installation you only need to click on the directory and it will be selected automatically. Otherwise you have to click on the blue right arrow to change the directory.
This picture shows a selected directory.
This step allowes you to set the access rights. You can choose of None, Read and Write. Write access includes read access.
An access right might have only a limited validity. You can specify the valid from and valid until date. In this case the access right is valid only between the both dates.
The access rights can be assigned to user and groups. You can select one or more users and one or more groups at a time. If multiple entries are selected one database entry is created for each selection.
After submitting your access rights you will see them in the access right administration overview dialog. If you selected more than one user or group you will see one line for each user/group you selected.
To delete multiple access rights you can mark them on the left side and click to the delete icon below.
3.2.6 Create access files
You can create the access files you selected during installation. If you decided not to use any access files this menu item does not show up.
Before the access files are created you must confirm to do so.
3.2.7 Group administrators
The image on the left shows the group administrators overview dialog. You can select a group administrator by clicking on the edit icon on the right of the group administrator, delete a group administrator by clicking on the delete icon on the right of the group administrator or add a new group administrator. If you edit a group administrator or add a new group administrator you will see the select group dialogshown in the next picture.
Select the group you want to add a new group administrator.
After klicking the ok button you will see the doalog shown in the next picture.
Select the user you want to grant privileges on the previous selected group. Select the right you want to give to the user.
After klicking the ok button you are finished.
The global user rights determine what the user is allowed to do. The right can be none, read, edit or delete. Higher rights also include the lower rights. E. g. the delete right includes edit and read.
3.3 Reports menu
Several reports are predefined. The idea behind the reports is to give an auditor access to the given access rights, the users and their rights and the log without having any permissions to administer SVN Access Manager.
3.3.1 Repository access rights
First specify the date you want to see the access rights. After submitting the date you will see a list of all access rights valid for this date.
3.3.2 Log
SVN Access Manager is able to write log messages into a database table. This must be selected during installation. If logging is deselected this menu item does not show up.
3.3.3 Locked users
Users are locked automatically if their password expires. This repost shows the currently locked users.
3.3.4 Granted user rights
Each user can be granted administrative rights. This report shows you the rights each user has within SVN Access Manager. Access rights to repositories are not included. There's an extra report for that.
3.3.5 Show user report
The show user report gives an overview to which groups an user belogs and which access rights the user has. Rights that are gained though group memership are included too.
Mailinglists
There's a mailinglist called svn-access-manager-announce for announcements of new releases of SVN Access Manager. The list requires a subscription which can be done here in the Mailman Web Interface.
New releases are announced on freshmeat.net and sourceforge.net as well.
Credits
SVN Access Manager uses JQuery, JQuery UI and the Aria Sort Tables.
Thanks to everyone for submitting feature requests, sending patches or submitting bugs.
License
SVN Access Manager is distributed under the GPL v2.
Warranty
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
