Friday, May 30, 2014

Apache 2.4.x / Subversion 1.8.x / SSL Accelerator

Relatively complex authorization strategies are somewhat challenging to set up.  I have a functional configuration but I do question whether there may be some gotchas (which should be documented).

What I was able to get working is:

Apache Virtual Host 1
* SSL terminated by HW accelerator
* read/write access to each repository
* Location 1 [SVNParentPath /the-path/svn-parent-loc]
        * All projects covered
* Location 2  [SVNPath  /the-path/svn-parent-loc/project-X]
        * this project is covered by parent path as well
        * Project access/Authorization specific to a special limited user group

Apache Virtual Host 2
* SSL passed directly through to Apache
* client certificate authentication/authorization
* Read-only access for all repositories
* Location 3 [SVNParentPath /the-path/svn-parent-loc]

This does work; I can access all required resources with the appropriate credentials.  Conversely, without appropriate credentials, access is denied to the protected resources.  This was somewhat painful to set up.  I would recommend that a test case of a file move to a different directory be used as a sanity check of proper operational behavior.  The SSL accelerator causes the biggest headache: a file move will typically trigger a failure if the server is misconfigured.  Usually the problem is in the server name (had to specify http://server.x.y instead of https://server.x.y).  This last statement assumes you are using a rewrite type rule, as the various docs mention, to handle the self-referential URL issues produced in this case.  I think various Subversion/Apache documentation gets you close but this last part could use more/improved examples (and maybe corrections).

I do have some concern about access to the same SVN DAV resources being available through multiple virtual hosts and location elements.  It seems possible that caching of various items (metadata, etc.) could cause stale results to get returned in some use cases.  This fear is somewhat driven by the fact that each location element specifies SVN DAV related items.  I have not looked into mod_dav_svn, etc. to see if there is any intelligent aggregation of duplicated SVNPath info (for example) or whether everything is completely distinct.  My slight uncomfortableness is mitigated by the fact that most resources are not accessed by more than one or 2 users and usually via the same host/location.  In the few use cases where I expect differences in access, if I run into issues I think that various tweaks to cache/timeout type values can further mitigate the chance of stale data impacting things.  Time will tell on this.  If time ever permits, I will try and review the SVN code myself or try to form some intelligent question for the various related forums/lists.

I don't think posting extra detail is wise in this area but hopefully what I did post may help someone solve a setup issue.


Thursday, May 29, 2014

Linux/Unix - the little things

If you are writing software which cares about the fully qualified domain name of the server, remember the correct order of the /etc/hosts host/alias info.

i.e.
<ip address>  <fqdn> <alias1> <alias n>

If you swap the <fqdn> and an alias, the server will not report itself as <fqdn>, and if you have software which expects/utilizes the domain info, it won't work.

I have run into this with scripts/batch jobs which broke mysteriously when trying to key off of what should be <fqdn> when looking up information - but only for one or a small set of servers.
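
An added example, not from the original post: a small Python check that flags /etc/hosts entries where a short alias is listed ahead of the FQDN, which is the ordering mistake described above. The function name, the sample entries, and the choice to skip loopback lines are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sample hosts file
127.0.0.1   localhost localhost.localdomain
10.0.0.5    web01.example.com web01
10.0.0.6    db01 db01.example.com   # FQDN and alias swapped
10.0.0.7    cache01
"""

def misordered_host_entries(hosts_text):
    """Return (line_no, ip, canonical, dotted_alias) for each entry whose
    first name is a short name while a later alias looks like an FQDN."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 3:
            continue  # blank, comment-only, or no aliases to compare
        ip, canonical, aliases = fields[0], fields[1], fields[2:]
        try:
            # Assumption: loopback lines are skipped, since "localhost"
            # is normally the intended first name there.
            if ipaddress.ip_address(ip.split("%")[0]).is_loopback:
                continue
        except ValueError:
            continue  # first field is not an IP address
        if "." in canonical:
            continue  # first name already looks fully qualified
        dotted = [a for a in aliases if "." in a.rstrip(".")]
        if dotted:
            findings.append((line_no, ip, canonical, dotted[0]))
    return findings

if __name__ == "__main__":
    print("sample findings:", misordered_host_entries(SAMPLE))
    with open("/etc/hosts") as fh:
        for finding in misordered_host_entries(fh.read()):
            print("line %d: %s lists %r before %r" % finding)
    print("resolver reports FQDN as:", socket.getfqdn())
```

Running it on a server that behaves oddly shows both the suspect line and the name the resolver currently reports, so the two can be compared directly.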


Tuesday, May 13, 2014

Welding for the birds?

Was out in the garage the other afternoon with the garage door open and had noticed some birds hanging out nearby.  I didn't mind much until they started to fly into the garage on occasion. They went away and I didn't think much about them until I saw something fly into the corner.  I suddenly had a feeling that some baby birds might be hiding under equipment along the wall so I went to shoo them away.  It wasn't a baby bird but it left the garage.

So I headed back toward my welding cart to get some tools out of a drawer when something came flying out of the drawer at high speed.  I nearly screamed like a girl (but with manly undertones).  After a minute I opened the drawer and found that a bird (sparrow it seems) was trying to build a nest in my welding drawer.  I tend to leave the drawer slightly ajar as it is hard to get to unless I roll the cart outside.

Got the drawer cleaned out a bit.  Keeping the drawer closed now.  Very glad that there were no eggs yet.  Could be fun to get some bird size welding goggles and make some feathered friends.  As long as they don't nest or make a mess in my helmet!

I have had a good amount of wildlife encounters since starting to weld and do other metal working.  Good for stories and plenty of laughter from the family.