Options for Subversion Authz

If you are running an Apache-based Subversion server, there are several options available for Subversion Authz.

What is Subversion Authz?

“Authz” is simply jargon that is short for “Authorisation” (similar to “Authn” which is short for “Authentication”). “Subversion Authz” is the method by which Subversion hands out access rights. There are a number of options and if you are deciding to implement a Subversion system.

How does SVN apply Authorization?

When a Subversion client sends information to the server, the user account running the client is identified and the URLs involved in the transaction are made known. At this moment the server can make a decision: should the user be allowed to access this code? If the decision is “yes”, the server calls the Subversion repository management software, which can then (optionally) use hooks to check the transaction.

Most Companies Use the Fastest Subversion Authorization Solution

Most companies avoid this second authentication step of analysing the transaction itself because it slows the server down. What this means in practice is that read, write, or no access can be allocated based on the URLs used and the user account involved. This is good enough for most purposes, but surprisingly the implementation is a bit clunky.

Firstly: many companies wish to tie down both their authentication and authorization to their LDAP systems (or equivalent) so they can use a single sign on mechanism, but there is no seamless way to do this. The two main authorization methods are below.

  1. Use Subversion’s mod_authz_svn Apache module to provide authorization. This is good in that the configuration file is clear, easy to manage and quite separate from the Apache configuration files, and the server does not need a restart for changes to take effect. However, users are defined in groups that are totally unrelated to LDAP; every time a user is moved in or out of an LDAP group you need to synchronize with Subversion. You can of course synchronize the groups in mod_authz_svn’s configuration file using software such as http://python-ldap.sourceforge.net, but this should be native to Subversion.
  2. Control the authorization using LDAP groups with native Apache modules to look up LDAP groups and apply protections based solely on URLs. For simple implementations this is fine, but it’s just too confusing for anything complex. Also, you are changing Apache’s configuration files, so you need to do a graceful server restart each time you alter them, which is hardly suited to busy corporate environments.
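A sketch of the synchronization that option 1 describes, added here as an example and not taken from Clearvision or the Subversion project: it regenerates only the [groups] section of a mod_authz_svn access file from LDAP group entries and rejects any name that could inject extra rules into the file. The entries are constructed sample data in the shape python-ldap's search_s() returns; the posixGroup/memberUid schema and the names groups_from_ldap and rewrite_groups are assumptions.

```python
import re

# Constructed sample in the shape python-ldap's search_s() returns:
# (dn, attrs) tuples with bytes values. posixGroup/memberUid is an assumption.
SAMPLE_LDAP = [
    ("cn=svn-dev,ou=groups,dc=example,dc=com",
     {"cn": [b"svn-dev"], "memberUid": [b"bob", b"alice"]}),
    ("cn=svn-qa,ou=groups,dc=example,dc=com",
     {"cn": [b"svn-qa"], "memberUid": [b"carol"]}),
]
# Constructed authz file; mallory has since been removed from the LDAP group.
SAMPLE_AUTHZ = ("[groups]\nsvn-dev = alice, mallory\n\n"
                "[project:/trunk]\n@svn-dev = rw\n* = r\n")

# Allow-list: no commas, '=', brackets, '@' or newlines can reach the file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")

def groups_from_ldap(entries):
    """Map group name -> sorted members; refuse names that could alter the file."""
    groups = {}
    for _dn, attrs in entries:
        name = attrs["cn"][0].decode("utf-8")
        members = sorted({m.decode("utf-8") for m in attrs.get("memberUid", [])})
        for token in [name, *members]:
            if not SAFE_NAME.fullmatch(token):
                raise ValueError(f"unsafe name from LDAP: {token!r}")
        groups[name] = members
    return groups

def rewrite_groups(authz_text, groups):
    """Replace only the [groups] section; path rules are copied unchanged."""
    out, in_groups, seen = [], False, False
    for line in authz_text.splitlines():
        header = re.match(r"^\[(.+)\]\s*$", line)
        if header:
            in_groups = header.group(1) == "groups"
            if in_groups:
                seen = True
                out.append("[groups]")
                out += [f"{g} = {', '.join(m)}" for g, m in sorted(groups.items())]
                out.append("")
                continue
        if not in_groups:
            out.append(line)  # stale [groups] lines are dropped, the rest kept
    if not seen:
        raise ValueError("no [groups] section found")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(rewrite_groups(SAMPLE_AUTHZ, groups_from_ldap(SAMPLE_LDAP)))
```

When writing the result back, write to a temporary file and rename it over the access file so the server never reads a half-written rule set.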

Secondly: it’s hard to grant authenticated write access to a directory that has a parent with anonymous read access. The solution is to use two different URL locations for Subversion, e.g. send authenticated users through https://dnsname/svn/reposname/, and anonymous users through https://dnsname/svn-anon/reposname/.

Some Companies Need More

We said earlier that most companies avoid the authentication step of analyzing the transaction itself because it slows the server down. However, Subversion has a pre-commit hook that allows transactions to be analyzed prior to a commit. This allows somewhat richer protection, e.g.

  • read/write/modify permissions for files and/or directories,
  • allowing some properties to be changed and not others

The script http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/svnperms.py is a freely available hook that helps many companies in this area.

Summary

Subversion provides a number of authentication options but it’s not always simple to apply the best model for your organization.

In addition to Subversion Consulting Clearvision also provide Subversion Training (including Subversion eLearning), Subversion Support and Subversion Products which can help organizations implement an effective, integrated SCCM environment e.g. the Clearvision JIRA Subversion integration and the Agile Application Lifecycle Management (ALM) solution UCM4SVN. Please contact us for more information.

 
Copyright 2008 - Clearvision CM, All rights reserved.