
At the end of Part 2 we briefly looked at Apache's logging of Subversion's "traffic." We'll revisit this topic in this section and discover a better way to configure logging. We'll also address repository security by adding a couple of DAV directives that create authenticated repository access. Let's get right to it.

Default Apache Logging


Figure 58: Default Apache Logging

In Part 2 we discussed the ErrorLog and CustomLog directives and I walked you through creating the svn folder that holds the Subversion logs. I did not, however, discuss the log format. In Figure 58 the CustomLog directive has a final piece that tells Apache which format to use for the access log. The common format is the base format Apache uses in most cases. Log output for this format looks like the following:


Figure 59: Apache's Common Log Format

Other than listing the WebDAV actions (MKACTIVITY, PROPFIND, CHECKOUT) there's not a lot of useful stuff in here. Sure, you can view the date and time actions were taken by various Subversion clients, but the target of those actions is harder to determine. Through a couple of minor edits to our Virtual Host we can really clean up the svn-access.log file.

Custom Apache Logging


Figure 60: Better Apache Logging

Stop Apache using the Apache Monitor and open the httpd.conf file. Find the appropriate Virtual Host section and delete the common format. In its place, type (or copy/paste) the following: "%t %u %{SVN-ACTION}e" env=SVN-ACTION. This format includes several key variables that get replaced by runtime values. First, %t gets replaced by the current server date and time. %u gets replaced by the username of the person accessing the Subversion repository. The really important part is the SVN-ACTION environment variable. It is set by the mod_dav_svn module whenever an action is taken by a Subversion client, and Apache replaces %{SVN-ACTION}e with the value set by mod_dav_svn. The trailing env=SVN-ACTION tells Apache to write a log line only for requests where that variable is set. The result is a more readable and easily understandable access log.

To prove this, start Apache on the server and return to the client machine. Right-click your working copy of the SQL files and select the SVN Update TortoiseSVN option. Now, return to your server and open the svn-access.log file once again. The last line should look something like this:

[21/Feb/2007:17:19:00 -0600] - update '/trunk'

Obviously, this is a bit more meaningful. We know the action taken by the client was a Subversion update, and the target of the update was the client's entire trunk folder. What we don't know yet is who requested the update. In order to get the %u variable replaced by usernames we need to set up some basic Apache authentication and authorization.

Basic Apache Authentication

Right now, your repository is anonymously available to anyone with Web access to it. If your Apache Web server is available to the general public, this means anyone in the world can access the repository. Users can check out working copies of the repository using their Subversion client of choice, they can browse the latest repository version via a Web browser, and they can commit changes. All anonymously. There are several ways to set up Apache authentication depending on the needs of you and your team. I'm going to describe how to set up basic HTTP authentication, but I want to make something clear: this is not a super-secure, hard-to-hack security setup. If you need a really robust, encrypted authentication scheme, you need to read more about what is possible with Apache, HTTPS, and SSL. Basic HTTP authentication provides over-the-wire username/password challenges with the information sent in near clear text (Base64-encoded, not encrypted). This type of authentication is fine if you're an individual or a team member setting up Subversion within a protected company network.

The basic steps are to generate an Apache password file that stores the usernames and passwords of individuals who will access the repository, and then direct the Virtual Host to require authentication for certain actions. To get started, I recommend creating a special directory for holding the authorization file.


Figure 61: Creating the user-access folder

Create the user-access folder in Apache's root directory. To generate an authorization file we'll call on Apache's built-in htpasswd utility. Open a command prompt (Start->Run->cmd) and navigate to Apache's bin folder. Inside the bin folder is the htpasswd utility. To create the password file and add the user awest at the same time, issue the following command:

C:\Program Files\Apache Group\Apache2\bin>htpasswd -cm ../user-access/svn-auth-file awest

The first part of the line above is the directory the command is being run from. The command itself starts with nominating the htpasswd utility followed by the -cm switches. The -c switch informs the utility we are creating the authorization file for the first time. The -m switch tells htpasswd to use the MD5 encryption algorithm when storing the password in the file. Next, we tell htpasswd where the file will be stored (in the user-access directory - which is one directory above the bin directory) and what it will be called (svn-auth-file). Finally, we nominate the first username to store in the file. When you type this command and press enter you'll be prompted for a password and password confirmation. htpasswd will then generate the svn-auth-file for you. If you only need to add one username and password combination you are done. However, if you are working on a team you will want to add the members of your team to the password file. You do this by issuing a similar command.

C:\Program Files\Apache Group\Apache2\bin>htpasswd -m ../user-access/svn-auth-file jdoe

The only difference here is the absence of the -c switch. It's not needed since we've already created the password file, and running htpasswd with -c against an existing file would overwrite it. Now that we have a basic authorization file we need to make changes in the Virtual Host that requires authorization. If Apache is running, stop it with the Apache Monitor.


Figure 62: Adding Authentication Directives to httpd.conf

There are four basic parts to the authorization directives in Figure 62. First, we tell Apache what type of authorization (AuthType) we are setting up. Next, we set an authorization realm name (AuthName). This name will show up in various places when users are asked to authenticate. Then, we let Apache know where our authorization credentials are stored (AuthUserFile). This is the password file we created a few moments ago. Finally, we create a Limit directive that instructs Apache when to require authorization. In the example in Figure 62 we are allowing anonymous access to basic read-only repository actions. These include checking out working copies and browsing the repository via a Web browser. Actions like committing changes require a user to validate who they are against the password file. If you wanted to require authorization 100% of the time you could set this up by deleting the Limit start and end tags and leaving the Require valid-user statement.

To test these new changes, start Apache on the server. Then, from the client machine, right-click your working copy directory and select SVN Update. The update process occurs without incident and you aren't prompted to enter your username and password. This is because updates are considered read-only actions. Now, make a change to one of the SQL files and commit the change using the SVN Commit option. You should be prompted to enter your username and password. The challenge window will look something like this:


Figure 63: Authorization is required for commits

Enter the username and password you set up and press OK. You can click the Save authentication check box if you want TortoiseSVN to remember your credentials. If you enter a valid username and password combination, your changes should be committed and the version of the repository should increase by 1. You can verify this by visiting your repository in a browser (http://svn.yourcompany.com:81/sql/) or by using the Repository Browser. Right-click your working copy directory and select TortoiseSVN's Show Log option.


Figure 64: Usernames are listed in the Author column

Notice the username listed in the Author column in Figure 64. To bring things full circle, open the svn-access.log file on your Apache server. The last two lines should look very similar to the lines below. Any Subversion action that requires authentication will show in the log file with the action that was taken and who performed it.

[21/Feb/2007:18:02:36 -0600] awest commit r6
[21/Feb/2007:18:04:14 -0600] - log-all '/trunk'
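
Because every line now carries a timestamp, a username and an action, the log can be checked by script. As an added example (not code from the original post), this Python sketch parses lines in the "%t %u %{SVN-ACTION}e" format and flags write actions logged without a username, which would mean the authentication directives are not covering commits. The sample lines, the function names and the choice of commit as the only write verb are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches lines written by the page's format: "%t %u %{SVN-ACTION}e"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<verb>\S+)(?: (?P<target>.*))?$")

# Assumption: "commit" is the only write verb shown on the page; extend as needed.
WRITE_VERBS = frozenset({"commit"})

# Constructed sample lines (not real log data); line 4 is the failure case.
SAMPLE_LOG = """\
[21/Feb/2007:17:19:00 -0600] - update '/trunk'
[21/Feb/2007:18:02:36 -0600] awest commit r6
[21/Feb/2007:18:04:14 -0600] - log-all '/trunk'
[21/Feb/2007:18:09:51 -0600] - commit r7
truncated or foreign line
"""

def parse_line(line):
    """Return a dict for one svn-access.log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    user = None if m["user"] == "-" else m["user"]  # %u is "-" when unauthenticated
    return {"time": ts, "user": user, "verb": m["verb"], "target": m["target"] or ""}

def audit(lines, write_verbs=WRITE_VERBS):
    """Count actions per (user, verb); collect anonymous writes and bad lines."""
    per_user, anonymous_writes, unparsed = Counter(), [], []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            unparsed.append(n)
            continue
        per_user[(entry["user"] or "<anonymous>", entry["verb"])] += 1
        if entry["user"] is None and entry["verb"] in write_verbs:
            anonymous_writes.append((n, entry))
    return per_user, anonymous_writes, unparsed

if __name__ == "__main__":
    per_user, anon, bad = audit(SAMPLE_LOG.splitlines())
    for n, e in anon:
        print(f"line {n}: anonymous {e['verb']} {e['target']} at {e['time']:%Y-%m-%d %H:%M}")
    print("per user:", dict(per_user), "unparsed lines:", bad)
```

Run against a real svn-access.log by passing the open file object to audit(); any anonymous write it reports after authentication is enabled points at a gap in the Virtual Host's access rules.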

Summary

In this part I walked through the steps necessary for creating more meaningful Apache/Subversion logging and setting up basic authenticated repository access for the actions you probably care about most (i.e. the most destructive ones). There is a lot more you can do in terms of authentication and authorization, including locking things down more tightly and employing a more complicated authorization system than basic HTTP authorization. For instance, you can integrate Apache with your LDAP server (such as Active Directory), enabling clients to authenticate using their Windows username and password. You can also take the password file to another level by setting up path-based authorization. For instance, Jane should have read access to certain parts of the sql repository while having write access to others. There are a lot of resources available that can help with setting up either of these scenarios. For the latter, check out the mod_authz_svn module documentation. One word of warning: while it's not overly complicated to set up this type of environment, it may not be needed and does have a maintenance cost associated with it. Remember, Subversion is a source control server. If someone commits something they shouldn't, the change can always be undone!

About this post:

This entry was posted by Aaron West on March 14, 2007 at 1:24 PM. It was filed in the following categories: ColdFusion, Apache, Subversion. It has been viewed 30646 times and has 13 comments.


13 Responses to Part 4: Subversion and Apache - Better Logging and Authenticated Access

  1. rob

    Hey, very timely set of blog posts.. I just embarked on a journey of setting up SVN+Apache on windows.. and after reading a ton of articles, your posts made the most sense and everything works. Great stuff.

    PS - do you plan on getting active directory (LDAP) working in a future article?

    :)

  2. Rob, I've spent several hours attempting to get LDAP authentication working with Subversion and Active Directory. I hit a lot of road blocks getting various parts of the authentication set up. So, I took a break from it and plan on hitting it again in the future.

  3. Ken Whitesell

    Aaron,

    We're also moving in the direction of trying to get the Apache/SVN/LDAP combination working from a
    Windows/Eclipse client. I'm just getting started, so any tips you have would be greatly appreciated.
    Likewise, I'll be glad to share whatever I find.

    Ken

  4. Hi Aaron,

    This is the best article written that I found that works!
    Good Job! and Well done. You are the best bar none!

    Brian

  5. Everyone is facing the problem of integration of apache/Subversion with Active directory. I found the document with complete package and it takes only 5-10 mins to install. You can also use the same and if any problem, Logon to http://forum.opensourcedevelopment.net, It is really very good.
    Path is:- http://opensourcedevelopment.net/text-tutorials/ap...

  6. Mike, I haven't had a chance to check out the article you recommended on Active Directory and Subversion integration but thanks so much for sharing it. I've been able to integrate other server processes - like ColdFusion - to hook into Active Directory but not Subversion. Hopefully the article will help!

  7. Pradeep Tanguturi

    Do you have a document on how to set up SVN with Active Directory LDAP? I am facing a lot of problems.

  8. @Pradeep - Sorry, I don't have any documentation on configuring Subversion with LDAP. I worked briefly on getting LDAP integrated with SVN while writing the whitepaper but I was not successful. I have not tried since then either. You may have luck performing a Google search on this topic though. Have you tried that?

  9. pradeep

    Aaron West,
    No, thanks for your reply. If you're successful in setting up SVN+LDAP, let me know.

  10. David

    I need some help. I have LDAP set up with SVN and restrict access at a subfolder level but users are not able to commit back to the repository because Apache tries to check for access at the parent folder level which the user obviously doesn't have and that causes them to not even be able to commit back. They are able to check out fine. Any help?

  11. pradeep

    I am trying to set up Apache+SVN in a DMZ. I tried in different ways and I am still getting a lot of trouble; I am not able to make it work. Can anyone help me with this...

  12. Pradeep

    Does anyone know how to set up SVN as web-based?

  13. @Pradeep This blog series and the companion whitepaper address configuring Subversion with Apache for Web-based repository access. Are you having a specific problem that these blog posts don't address?