Subversion Per Repository Access Control

Author: Steven Neiland

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Up until now I have been the only person using my personal subversion server so my security policy consisted of a single user account for all repositories. Recently though I wanted to make one particular repository available to a third party.

Now I trust this third party implicitly so I had no problem just adding their name to the users list and letting them have the same level of access as I do, however I reasoned that down the line I may need to give another third party access to some repository on my server who I might not want to have full access. For this reason I figured it was a good time to get a little bit more sophisticated with my security configuration.

Per Directory Access

The basic goal of my new configuration is to allow me to take my users list and set permissions on each user so that some users can see all repositories, while others can only see a select few. In addition I wanted to be able to control the level of access each user had so that I could set what repositories they could read or write to individually.

After a little research on the SVN Access Control page of the subversion book site I found that what I needed was to setup a SVN Access File (AuthzSVNAccessFile). Here are the steps required to accomplish this.

Note: This article assume you already have setup a users auth file. If not you need to do that first. You can find instructions here.

Step 1: Load Security Modules

The first step to setting up the new configuration is to load the following three modules. Make sure that they exist in your modules directory and in your "httpd.conf" ensure that these three lines are un-commented in the load modules section.

LoadModule dav_module modules/
LoadModule dav_svn_module modules/
LoadModule authz_svn_module modules/

Step 2: Add Reference To Access File In Location

Open up your site definitions file where you have your subversion location (either vHosts or sslHosts). Go to the virtual host entry for the site where you host your repository and add the following line to the location section substituting in the location where you will be creating this file on your system.

<Location /svn/>
      AuthzSVNAccessFile /{path}/{to}/.svn-access-file

Attention: Note that the "/svn/" location has a trailing slash. This is needed if you are using SVNParentPath in combination with the access file.

Step 3: Create The Access File

The access file is a simple text file where we can define groups and rules for each repository directory. The users listed in it come from the auth file we created here.

For reference to add users to the auth file use this command.

// create a user named David who will have access to the repositories
htpasswd -s /{path}/{to}/.svn-auth-file David

So lets create the access file using vi (or your preferred text editor).

//edit the access file
vi /{path}/{to}/.svn-access-file

I have put explanations of what each line does in the comments so I don't think I need to go into more detail than that.

# Create two groups and assign some users from the users auth file
developers = Kevin, Steven
designers = David, Mark

# Give the admin user full read/write access to all repositories
# and give read access to all repositories to everyone
admin = rw
* = r

# Give the developers group read/write access to repo1
@developers = rw

# Give the designers group read/write access to repo2
@designers = rw

# Give David Read/Write Access To repo3
David = rw

# Give Mark Read/Write on a Sub-Directory Named "demo" of repo4
# Note the trailing slash after demo
Mark = rw

Step 4: Restart and Test

Now restart the apache webserver to apply all the changes and then try access the repositories as the different limited access users.

Related Blog Postings

Reader Comments

  • Please keep comments on-topic.
  • Please do not post unrelated questions or large chunks of code.
  • Please do not engage in flaming/abusive behaviour.
  • Comments that contain advertisments or appear to be created for the purpose of link building, will not be published.

Archives Blog Listing