
Sep 17, 2008

Subversion, user groups and permissions

Task description: we have a computer with ssh and Subversion (version 1.4 or later) on it. We need to organize access to it for three groups of users: the first can read and write, the second can only read, and all others (the third group) have no access to the code in the repository. Access to the repository will be made through ssh.



Before we start, let us agree on some names:
server - the computer with ssh and the Subversion repository
client - a client's computer
developerN - (where N is an integer :) ) a user which will have full access to the repository
readerN - a user which will have read-only access to the repository
testRepository - the name of the test repository
Well, first let us choose the user that will own the repository. In my case (Debian Linux) I just create it and start working under it:

server:~# adduser repos
.... some info and questions ....
server:~# su repos
repos@server:/root$ cd

Create repository:

repos@server:~$ svnadmin create ~/testRepository

Check whether ~/testRepository/conf/svnserve.conf has the authz-db line uncommented. This parameter defines the file which describes permissions. In my case it is

......
authz-db = authz
......

Edit the defined file (~/testRepository/conf/authz) and add the following lines to the groups section:

......
[groups]
developers = developer1,developer2,developer3
readers = reader1,reader2
......

They declare two new groups, developers and readers (you can use other names :) ). Three users, developer1, developer2 and developer3, form the first one and reader1 and reader2 the second. Please note that all of them are only Subversion users and have no relation to the Linux users of this computer.
Now we have to give permissions to the two new groups: continue editing ~/testRepository/conf/authz and add the following section somewhere:

[testRepository:/]
@developers = rw
@readers = r

It grants the "developers" group read/write access and the "readers" group read-only access to all directories and files in the repository named testRepository.
The next step on the server side requires some preparation on the client. Ask the user to send you, or retrieve by any other means, the content of the public key which will be used for connecting to the repository. Usually it is ~/.ssh/id_dsa.pub. If you (or the other user) don't have this file, you can generate it (on the client computer):

client:$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
3a:7x:1c:52:e6:2f:39:48:a6:28:f5:54:7c:71:48:f6

I recommend using an empty passphrase if you don't want to enter the password every time. So you need to take the text from ~/.ssh/id_dsa.pub (it has the format <key-type> <key> <comment>) and add it to ~/.ssh/authorized_keys of the repos user on the server. For example you can do it from the client computer (provided that the directory ~/.ssh already exists for repos@server):

client:$ cat ~/.ssh/id_dsa.pub | ssh repos@server "cat - >> ~/.ssh/authorized_keys"

And the last step is to edit ~/.ssh/authorized_keys on the server. We have to add the command which will be run when the user with that key is authorized: edit ~/.ssh/authorized_keys and put command="svnserve -t --tunnel-user=<user name> --root=/home/repos",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty in front of our <key type>. Example:
Before:

........
ssh-dss AA....== someMail@as.comment
........

After adding (everything on one line):

........
command="svnserve -t --tunnel-user=<user name> --root=/home/repos",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss AA....== someMail@as.comment
........

What does it mean? The "command" directive defines, as said before, the command which will be started when the user logs in, so it will be svnserve -t --tunnel-user=<user name> --root=/home/repos. This command starts svnserve for this session and sets up a tunnel to the client program. The tunnel will be set up for the user <user name>: this is exactly the place where you use the names from ~/testRepository/conf/authz (see above). The root parameter defines the prefix for your repository paths. All the other comma-separated options disable additional ssh abilities, for security reasons.
Summary:
  • The public key should be sent to you and added to authorized_keys.
  • After that users can connect to the server without a password. They will be identified by their key and you can associate a name with each of them.
  • The access permissions for these names can be managed in the authz file.
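The authorized_keys line above can be assembled by a small shell helper that also refuses unsafe input, since the tunnel user name ends up inside the quoted command string. This is an added example, not code from the original post; the function name svn_auth_line, the REPO_ROOT value and the list of accepted key types are my assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): build the authorized_keys
# line that pins one SSH public key to one svnserve tunnel user.
# Assumptions: repositories live under /home/repos, svnserve is on the PATH of
# the repos account, and the key arrives in OpenSSH one-line format.

REPO_ROOT="/home/repos"
SSH_RESTRICT="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"

# svn_auth_line <tunnel-user> <public-key-line>
# Prints the finished authorized_keys line on stdout; returns 1 on bad input.
svn_auth_line() {
    user="$1"
    key="$2"

    # The tunnel user is spliced into the quoted command="..." string, so it
    # must stay a plain identifier: no quotes, spaces or shell metacharacters.
    case "$user" in
        ''|*[!A-Za-z0-9_.-]*)
            printf 'rejected tunnel user: %s\n' "$user" >&2; return 1 ;;
    esac

    # Accept only "<key-type> <base64> [comment]" lines; this catches a pasted
    # private key, an empty file, or a type that sshd will not load.
    case "$key" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) printf 'not an OpenSSH public key line\n' >&2; return 1 ;;
    esac
    keydata=${key#* }       # drop the key type
    keydata=${keydata%% *}  # drop the optional comment
    case "$keydata" in
        ''|*[!A-Za-z0-9+/=]*)
            printf 'malformed key material\n' >&2; return 1 ;;
    esac

    printf 'command="svnserve -t --tunnel-user=%s --root=%s",%s %s\n' \
        "$user" "$REPO_ROOT" "$SSH_RESTRICT" "$key"
}

# Example: the line for developer1 built from a constructed sample key
# (the key bytes below are a placeholder, not a real key).
svn_auth_line developer1 "ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER== someMail@as.comment"
```

Run it as the repos user and append the printed line to ~/.ssh/authorized_keys; the helper never writes the file itself.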


Useful links:
the documentation for subversion
