SVN in Practice: Notes


#####################################################
Wangxingxing
qq:1218761836
QQ group:150181442
E-mail:wangxing0122@hotmail.com
#####################################################

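SVN in Practice
Contents
SVN in Practice
1. Requirements for integrating SVN with Apache
1.1 Installing the required components
2. Introduction to WebDAV
3. Configuring the Apache + SVN integration
3.1 The SVN + Apache configuration file explained
3.2 SVN authentication modes
3.2.1 Anonymous access mode
3.2.2 Authentication configuration
3.2.3 Apache Digest authentication template
3.2.4 SSL certificates
3.3 Authorization options
3.3.1 Blanket access control
3.3.2 Per-directory access control
3.3.3 Anonymous access configuration example
3.3.4 Mixed authenticated/anonymous access configuration example
3.3.5 Disabling path-based checks
3.4 Customizing the look of SVN listings
3.5 Listing repositories
3.6 SVN logging configuration under Apache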



SVN site: http://subversion.apache.org
1. Requirements for integrating SVN with Apache
 Once you have all the necessary components installed on your system, all that remains is the configuration of Apache via its httpd.conf file. Instruct Apache to load the mod_dav_svn module using the LoadModule directive. This directive must precede
any other Subversion-related configuration items. If your Apache was installed using the default layout, your mod_dav_svn module should have been installed in the modules subdirectory of the Apache install location (often /usr/local/apache2). The
LoadModule directive has a simple syntax, mapping a named module to the location of a shared library on disk:
LoadModule dav_svn_module modules/mod_dav_svn.so
1.1 Installing the required components:
Install scons:
python setup.py install

Install serf:
scons PREFIX=/application/serf APR=/application/apr APU=/application/apr-util OPENSSL=/usr/bin
scons install
The svn+httpd installation script is as follows:

Check that the svn installation is OK:
[root@wx-a ~]# svnserve --version
svnserve, version 1.6.11 (r934486)
   compiled Aug 17 2015, 08:37:43

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository back-end (FS) modules are available:

* fs_base : Module for working with a Berkeley DB repository.
* fs_fs : Module for working with a plain file (FSFS) repository.

Cyrus SASL authentication is available.
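The output shows that this is the old version, not the 1.9.1 release I just installed. The fix is to add the new install to the PATH environment variable (in /etc/profile, which is sourced below):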
#set svnpath
export PATH=/application/svn/bin:$PATH
export PATH
[root@wx-a tool]# . /etc/profile
[root@wx-a tool]# svnserve --version
svnserve, version 1.9.1 (r1698128)
   compiled Sep 20 2015, 21:45:38 on x86_64-unknown-linux-gnu

Copyright (C) 2015 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository back-end (FS) modules are available:

* fs_fs : Module for working with a plain file (FSFS) repository.
* fs_x : Module for working with an experimental (FSX) repository.

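2. Introduction to WebDAV
WebDAV stands for Web-based Distributed Authoring and Versioning. It is a set of extensions to the HTTP protocol that lets users collaboratively edit and manage files on remote web servers.
Subversion is a version control system that builds on Apache 2.0, its built-in mod_dav, and the DeltaV extension to WebDAV.
WebDAV official site: http://www.webdav.org/
Standard HTTP alone does not meet the requirements, so for Apache and Subversion to work together they use WebDAV (Web-based Distributed Authoring and Versioning). WebDAV is an extension of HTTP 1.1.
The mod_dav_svn module is the interface between Subversion and Apache: through it Apache can access the repositories, and clients can reach them over WebDAV/DeltaV, the HTTP extension protocol.
httpd.conf therefore has to be modified so that svn and Apache can communicate.
Edit it with vim /application/apache2/conf/httpd.conf and add the following below the line LoadModule dav_module modules/mod_dav.so: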
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

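3. Configuring the Apache + SVN integration
httpd loads the SVN modules itself, so in an Apache + SVN setup SVN does not need to be started as a separate service.
3.1 The SVN + Apache configuration file explained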
[root@wx ~]# vim /application/apache2/conf/extra/httpd-svn.conf
<Location /svn>
DAV svn
DavMinTimeout 600
SVNParentPath /svn/svndata
# our access control policy
AuthzSVNAccessFile /application/svn/conf/authz
# only authenticated users may access the repository
Require valid-user
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /application/svn/conf/passwd
</Location>
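The configuration file in detail:
<Location /svn>: the access-control block. It matches on the URL path, and regular expressions can be matched as well. If it is written as /, the rest of the URL is resolved against SVNParentPath /svn/svndata: the repository here is /svn/svndata/sadoc, so with <Location /> you can enter http://ip/sadoc directly in the browser to reach it. That is what Location does.

DAV svn: can be read as enabling svn as the WebDAV provider.

DavMinTimeout 600: sets the timeout granted to clients to 600 s (the minimum time the server holds a lock on a DAV resource).

SVNParentPath /svn/svndata: where the repositories are stored. SVNParentPath supports access to multiple repositories: if /svn/svndata holds many repositories, use SVNParentPath; if there is only one repository, SVNPath can be used instead.

AuthzSVNAccessFile /application/svn/conf/authz: enables per-directory access restrictions. It names the file that holds the permissions policy for repository paths.

Require valid-user: denies repository access to everyone except valid (authenticated) users.

AuthType Basic: the authentication type is Basic. Apache supports several types, and Digest authentication can be chosen instead. Since svn 1.7, Digest authentication is mainly used and ordinary (Basic) authentication has been dropped. With Digest authentication, users and passwords must be created with htdigest rather than with htpasswd, which is used for Basic authentication. Basic sends the password only Base64-encoded, so it should be used over HTTPS only.

AuthName "Subversion repository": the prompt shown at login, asking for the user name and password of the svn repository.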
            

AuthUserFile: the file in which user names and passwords are stored.

The htpasswd command requires the httpd-tools package: yum install httpd-tools -y
References for creating Apache authentication files:
http://httpd.apache.org/docs/current/programs/htpasswd.html
http://httpd.apache.org/docs/current/programs/htdigest.html
Failure when testing from the Linux command line:
svn cat  http://20.0.0.89/svn/sadoc   --username=xing --password=passwd
svn: error while loading shared libraries: libserf-1.so.1: cannot open shared object file: No such file or directory
Fix:
find / -name libserf-1.so.1
ln -s /application/serf/lib/libserf-1.so.1 /usr/lib64/

Test:
[root@wx tool]# svn co http://20.0.0.89/svn/sadoc  --username=xing --password=passwd

-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <http://20.0.0.89:80> Subversion repository

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/root/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
Checked out revision 0.
The repository is at revision 0. At this point the configuration works.

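3.2 SVN authentication modes
3.2.1 Anonymous access mode
vim /application/apache2/conf/httpd.conf
<Location /svn>
DAV svn
# root directory of the repository
SVNPath /svn/svndata
</Location>
Drawbacks of anonymous access mode:
Anyone can use a Subversion client to check out a working copy from the repository URL (or from any of its subdirectories).
Anyone can browse the latest revision of the repository interactively by entering the repository URL in a browser.
Anyone can commit to the repository.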
3.2.2 Authentication configuration
On the opposite end of the paranoia scale, you can configure your block to demand authentication
from everyone. All clients must supply credentials to identify themselves. Your block unconditionally
requires authentication via the Require valid-user directive, and it defines a means to
authenticate.

<Location /repos>
DAV svn
SVNParentPath /var/svn
# our access control policy
AuthzSVNAccessFile /path/to/access/file
# only authenticated users may access the repository
Require valid-user
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/users/file
</Location>

3.2.3 Apache Digest authentication template
<Location /svn>
DAV svn
SVNParentPath /svn/svndata
AuthType Digest
AuthName "Subversion repository"
AuthDigestDomain /svn/
AuthUserFile /etc/svn-auth-file
Require valid-user
</Location>
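3.2.4 SSL certificates
SSL certificate management requires Apache combined with OpenSSL; it is omitted for now.
3.3 Authorization options:
3.3.1 Blanket access control
The simplest form of access control is to authorize specific users for either read-only access or read/write access to a repository.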
<Location /svn>
DAV svn
SVNParentPath /
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /svndata/passwd/svn-auth-file
# only authenticated users may access the repository
Require valid-user
</Location>
It can also be written in the following forms:
a) For a read/write restricted repository:
    Require valid-user

b) For a write restricted repository:
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>

c) For separate restricted read and write access:
    AuthGroupFile /my/svn/group/file
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group svn_committers
    </LimitExcept>

    <Limit GET PROPFIND OPTIONS REPORT>
        Require group svn_committers
        Require group svn_readers
    </Limit>

That is:
<Location /svn>
DAV svn
SVNParentPath /
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthGroupFile /my/svn/group/file
<LimitExcept GET PROPFIND OPTIONS REPORT>
     Require group svn_committers
  </LimitExcept>
</Location>

3.3.2 Per-directory access control
It’s possible to set up finer-grained permissions using a second Apache httpd module, mod_authz_svn.
This module grabs the various opaque URLs passing from client to server, asks mod_dav_svn to decode
them, and then possibly vetoes requests based on access policies defined in a configuration file.
If you’ve built Subversion from source code, mod_authz_svn is automatically built and installed
alongside mod_dav_svn. Many binary distributions install it automatically as well. To verify that it’s
installed correctly, make sure it comes right after mod_dav_svn’s LoadModule directive in
httpd.conf:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

To activate this module, you need to configure your Location block to use the
AuthzSVNAccessFile directive, which specifies a file containing the permissions policy for paths
within your repositories. (In a moment, we’ll discuss the format of that file.)
Apache is flexible, so you have the option to configure your block in one of three general patterns. To
begin, choose one of these basic configuration patterns. (The following examples are very simple; look
at Apache’s own documentation for much more detail on Apache authentication and authorization
options.)

3.3.3 Anonymous access configuration example:
The simplest block is to allow open access to everyone. In this scenario, Apache never sends
authentication challenges, so all users are treated as “anonymous.”

<Location /repos>
DAV svn
SVNParentPath /var/svn
# our access control policy
AuthzSVNAccessFile /path/to/access/file
</Location>

3.3.4 Mixed authenticated/anonymous access configuration example
A third very popular pattern is to allow a combination of authenticated and anonymous access. For
example, many administrators want to allow anonymous users to read certain repository directories,
but want only authenticated users to read (or write) more sensitive areas. In this setup, all users start
out accessing the repository anonymously. If your access control policy demands a real username at
any point, Apache will demand authentication from the client. To do this, use both the Satisfy Any
and Require valid-user directives together.

<Location /repos>
DAV svn
SVNParentPath /var/svn
# our access control policy
AuthzSVNAccessFile /path/to/access/file
# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/users/file
</Location>

3.3.5 Disabling path-based checks
On the other hand, there’s also an escape hatch of sorts, which allows you to trade security features
for speed. If you’re not enforcing any sort of per-directory authorization (i.e., not using mod_authz_svn
or similar module), you can disable all of this path checking. In your httpd.conf file, use the
SVNPathAuthz directive as shown in

<Location /repos>
DAV svn
SVNParentPath /var/svn
SVNPathAuthz off
</Location>

3.4 Customizing the look of SVN listings

You generally will get more use out of URLs to versioned files—after all, that's where the interesting
content tends to lie. But you might have occasion to browse a Subversion directory listing, where
you'll quickly note that the generated HTML used to display that listing is very basic, and certainly
not intended to be aesthetically pleasing (or even interesting). To enable customization of these
directory displays, Subversion provides an XML index feature. A single SVNIndexXSLT directive in
your repository's Location block of httpd.conf will instruct mod_dav_svn to generate XML
output when displaying a directory listing, and to reference the XSLT stylesheet of your choice:

<Location /svn>
DAV svn
SVNParentPath /var/svn
SVNIndexXSLT "/svnindex.xsl"

</Location>

Using the SVNIndexXSLT directive and a creative XSLT stylesheet, you can make your directory
listings match the color schemes and imagery used in other parts of your web site. Or, if you'd prefer,
you can use the sample stylesheets provided in the Subversion source distribution's tools/xslt/
directory. Keep in mind that the path provided to the SVNIndexXSLT directive is actually a URL
path—browsers need to be able to read your stylesheets to make use of them!

3.5 Listing repositories
If you're serving a collection of repositories from a single URL via the SVNParentPath directive,
then it's also possible to have Apache display all available repositories to a web browser. Just activate
the SVNListParentPath directive:
<Location /svn>
DAV svn
SVNParentPath /var/svn
SVNListParentPath on

</Location>

If a user now points her web browser to the URL http://host.example.com/svn/, she'll see a
list of all Subversion repositories sitting in /var/svn. Obviously, this can be a security problem, so
this feature is turned off by default.
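
The risky settings called out in sections 3.2.1, 3.3.5 and 3.5 can be checked mechanically. The following is an added example, not part of the original notes or of Subversion: a small audit of httpd Location blocks for anonymous DAV svn access, Basic authentication, SVNPathAuthz off next to an authz policy, and SVNListParentPath on. The sample configuration is constructed from the patterns on this page; blocks that set AuthzSVNAccessFile without Require are not reported as anonymous, because the policy file decides there.

```python
import re

LOCATION_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)
LIMIT_RE = re.compile(r"<Limit(?:Except)?\b.*?</Limit(?:Except)?>", re.S | re.I)
SAMPLE = """
<Location /open>
DAV svn
SVNPath /svn/svndata
</Location>
<Location /svn>
DAV svn
SVNListParentPath on
SVNPathAuthz off
AuthzSVNAccessFile /application/svn/conf/authz
Require valid-user
AuthType Basic
</Location>
"""  # constructed sample, built from the configuration patterns on this page

def directives(body):
    """Map lower-cased directive name to its lower-cased argument string."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":   # skip comments and section tags
            name, *rest = line.split(None, 1)
            found[name.lower()] = rest[0].lower() if rest else ""
    return found

def audit(conf_text):
    """Return {location: [findings]} for each <Location> that enables DAV svn."""
    report = {}
    for path, body in LOCATION_RE.findall(conf_text):
        # inner: the whole block; outer: only what lies outside <Limit*> sections
        inner, outer = directives(body), directives(LIMIT_RE.sub("", body))
        if inner.get("dav") != "svn":
            continue
        authz, out = "authzsvnaccessfile" in inner, []
        if "require" not in inner and not authz:
            out.append("anonymous read and commit")
        elif "require" not in outer and not authz:
            out.append("Require only inside <Limit*>: other methods anonymous")
        if inner.get("authtype") == "basic":
            out.append("Basic auth: use only over TLS")
        if inner.get("svnpathauthz") == "off" and authz:
            out.append("SVNPathAuthz off with an authz policy configured")
        if inner.get("svnlistparentpath") == "on":
            out.append("SVNListParentPath on: repository names listed")
        report[path] = out
    return report
```

Call audit() on the text of httpd.conf or extra/httpd-svn.conf; an empty list for a location means none of these four patterns matched.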
3.6 SVN logging configuration under Apache
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

When starting svnserve, specify the log file on the command line:
svnserve -d -r /path/to/repositories --log-file /var/log/svn.log
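
The CustomLog format above ("%t %u %{SVN-ACTION}e") writes one line per Subversion operation, with "-" in the user field when the request was not authenticated. As an added example (not from the original notes), the following parses such lines and reports write operations made without a user name, which is what the anonymous setup in 3.2.1 permits. The log lines are constructed, and the action names (commit, lock, unlock, change-rev-prop) are assumed from mod_dav_svn's operational logging; check them against your own svn_logfile.

```python
import re
from collections import Counter

# One line per operation, as written by: "%t %u %{SVN-ACTION}e"
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<user>\S+) (?P<verb>\S+)(?: (?P<args>.*))?$")
# Assumed names of the actions that modify a repository.
WRITE_VERBS = {"commit", "lock", "unlock", "change-rev-prop"}

# Constructed sample lines (not taken from a real server).
SAMPLE = """\
[20/Sep/2015:22:01:10 +0800] xing checkout-or-export /sadoc r3 depth=infinity
[20/Sep/2015:22:03:41 +0800] xing commit r4
[20/Sep/2015:22:05:02 +0800] - get-dir /sadoc r4 props
[20/Sep/2015:22:05:09 +0800] - commit r5
this line is not in the expected format
""".splitlines()

def parse(lines):
    """Yield dicts with time, user, verb, args; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict(default="")

def anonymous_writes(lines):
    """Write operations logged with %u == '-' (no authenticated user)."""
    return [r for r in parse(lines)
            if r["user"] == "-" and r["verb"] in WRITE_VERBS]

def writes_per_user(lines):
    """Count write operations per user name, '-' included."""
    return Counter(r["user"] for r in parse(lines) if r["verb"] in WRITE_VERBS)

if __name__ == "__main__":
    for r in anonymous_writes(SAMPLE):
        print("anonymous write:", r["time"], r["verb"], r["args"])
    print(dict(writes_per_user(SAMPLE)))
```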