Welcome WANdisco Subversion Access Control admin guide. Subversion Access Control is a network proxy that provides Subversion Administrators with a comprehensive, easy to setup security agent that offers the following capabilities:
Subversion Access Control works as a proxy between Subversion users and the Subversion server. Subversion users connect to Access Control using the standard port 80. Access Control relays user interactions to the Subversion server using port 81. Subversion users never have direct access to Subversion, allowing administrators to keep control over their Subversion repositories.
Access Control uses Apache's 'mod_authz_svn' module to apply path-based authorization of Subversion repositories through an authz configuration file. Path-based authorization uses the repository's directory structure as the basis for permitting or denying specified users or groups of users read and or write access to repository files and folders. Through sets of user-created rules, precise control can be applied to what a user can access or overwrite. The limitation of path-based authorization is that once a user is granted permission to access and write to a particular path (directory), it's only possible to limit authorization to a specific file using rules based on regular expressions.
To some extent, running with path-based authorization should therefore dictate how repository files are arranged, ensuring that sensitive material is secured within subdirectories.
Specific permissions overrule inherited permissions.
Access Control tries to match the path itself, and then the parent of the path, then the parent of that, and so on. The net effect is that mentioning a specific path in the access file will always override any permissions inherited from parent directories.
Subversion's authz (authorization) implementation requires that your group definitions be defined within the authz file. As authz is unaware of Access Control (or any other third-party data stores), Access Control writes all user grouping and user permissions to the authz file. For more information, read our Knowledgebase article, Introduction to Authz.
authz and regular expression based Access Control rules
If you use authz to manage user authorization through Apache you need to be aware that Access Control rules that use regular expressions to define resources are not supported by authz so won't be written to the authz file.
Access Control rules that contain explicit resource paths will apply only to an exact match of the
path.
e.g.
With authz enabled,
/svn/repo_1/folder_a/.* RW (applied to all folders and files)
Will be treated as:
/svn/repo_1/folder_a/ RW (applied to all files but not subfolders)
This rule:
"svn/repo_1/folder_a RW"
applies the read/write privilege ONLY to "folder_a" and will not apply to any subfolders. In order for a rule to also apply to subfolders it must use a regular expression to
match all the parent folder's contents, e.g.:
/svn/repo_1/folder_a/.* RW
The wildcard .* will ensure that the rule applies to everything within "folder_a".
The implementation of regular expressions works predictably against "write" operations. However, when performing bulk updates, Subversion will only present the top-most path. So the implementation will not prevent "read" operations from returning repository objects that would be blocked if that path in question had been referenced as a top-most path.
If a rule is coded to prevent an account from accessing "/svn/repo_1/trunk/special_path/.*
" and the user requests an "svn checkout
" of "/svn/repo_1/trunk
" then the "/svn/repo_1/trunk/special_path
" (and all descendants) will be included in the checkout.
The only currently available mechanism for limiting read access on bulk updates is the use of the authz module, but the use of regular expressions are not supported when authz is used.
In this guide we'll refer to a number of concepts that you might not have previously encountered. Reading through this list will help ensure that you understand exactly what we mean when we use them:
Alert
The use of regular expressions to define access control patterns is not supported if the authz module is enabled.
Throughout this document we'll highlight things using the following types of information box.
Alert
We use alerts to highlight something we think is important for you to know.
Caution
The stop symbol is used when we want to caution you against doing something.
Tip
Tips are principles or practices that you'll benefit from knowing or using.
Knowledgebase
The KB symbol indicates that you can find out more about the subject in our online Knowledgebase.
uber
Tips that relate using Access Control with WANdisco's ubersvn.
This part of the Access Control Admin Guide will show you how to get started as an Access Control administrator, setting up teams, subteams and Access Rules for your Subversion users.
This sectio covers how, as an administrator, you manage Subversion users through Access Control. There are three approaches:
During installation you choose whether to have Access Control take control of each Subversion repository's password file.
If Access Control is managing the password file:
New users entered into Access Control automatically gain access to Subversion using the same authentication details.
If Access Control is not managing the password file:
New users created in Access Control must also have accounts (with identical details) created in Subversion.
If a user reports of getting an Access Denied message on their client, check they have been regisered on both Access Control AND Subversion.
How user's update their passwords will depend on how you set up 3.1.1 Users can update their passwords from the login screen:
http://<Access Control IP>:6444/
Use this procedure to manually add new Subversion users to Access Control. To add users en bulk, see 3.2 Importing Users.
The option is available to bulk import users in a comma delimited file, instead of entering them individually using the Create User screen.
Caution importing users to subteams
You can import users straight into teams by including an optional team name field (see the format, below). This will allow you to import to either top level teams or subteams if the subteam has a unique name.
Unique team names are only enforced at the top level and within each parent team. It's therefore possible to have two teams called "QA", so long as they are subteams for different parent teams. Importing a user to "QA" team when there is more than one "QA" team will result in the user being placed unpredictably into one of the teams.
If you are upgrading from 4.1 to 4.2 you will need to convert the access-control.xml file. To do this navigate to the backup folder you created through the System 4.2.9 Export Settings.
Then run perl /opt/svn-security/utils/convertacl41-42.pl access-control.xml. A new file convert-access-control.xml will be created in the same folder. Use this file for the following steps. Please note that running the script from any other folder will not work.
<username>,<first name>,<last name>,<email address>,<password>[,<team name>]
Teams are the basic unit of organisation within Access Control. All access policies are applied to teams. TO apply permissions to a single user, you will need to add the user to a team, even if the team is used only for that one user.
Team Names Must Be Globally Unique
All teams must have a unique name within Access Control. It's currently not possible to have two teams with the same name, even if they are located within different directories.
Team rules are the business end of the Access Control system, they define how a user who is a member of a team can interact with specific repository resource. A single rule can be useful in itself but the real power of Access Control comes for applying complex policies through a number of rules. The procedure below runs through the creation of a rule, and explains how it's applied.
Access Control applies three rules which define how rules are applied and interact:
No Permission by default: Access Control initially does not allow any user access to any resource. By default, all users are denied. This is essential for security: it closes the window of vulnerability that would allow everyone full access between the time WANdisco is first installed and the time it takes an administrator to create access rules. In order to grant access, the administrator has to explicitly create roles, groups (which define resources) and users.
No associated rules, no access
Newly setup users who report that they're unable to access Subversion may simply not have been assigned sufficient permissions.
Unless you associate access rules to a user either directly or through membership of a team they'll have no repository access.
Parent Directory Inheritance: team members automatically gain membership of subgroups created under their team. As a result they'll get access to all resources available to the subteam. So, access is controlled down the directory tree, while inheritance, goes up the directory tree.
Specific permissions overrule inherited permissions.
Access Control tries to match the path itself, and then the parent of the path, then the parent of that, and so on. The net effect is that mentioning a specific path in the access file will always override any permissions inherited from parent directories.
A user will need to have a certain level of permission on a file before they're able to perform a particular Subversion command. Check the table below to see how Access Control permissions correspond with Subversion Commands:
Subversion Command | Permission Required |
info | Read |
log | Read |
ls | Read |
status | Read |
cat | Read |
diff | Read |
checkout | Read |
cleanup | Read |
update | Read |
revert | Read |
annotate | Read |
propget | Read |
proplist | Read |
update | Read |
commit | Write |
import | Write |
add | Write |
unlock | Write |
move | Write |
mkdir | Write |
copy | Read |
delete | Write |
Permission Required = minimum permission needed to execute the corresponding Subversion command.
authz and regular expression based Access Control rules
If you use authz to manage user authorization through Apache you need to be aware that Access Control rules that use regular expressions to define resources are not supported by authz so won't be written to the authz file and the regular expressions are not checked by the proxy.
Once all the rule details have been added, click the Create Team Rule button.
Subteams are teams that have been created under a parent team. The users and repository resources available to a subteam are limited by those that appear in the parent team (which could itself be a subteam). Subteams allow system administrators to delegate responsibility for managing user access for a segment of their repository resources, without having to hand out total control of the repository to subordinates. This is very helpful for organisations working with satellite development sites where managing day-to-day access changes can be made difficult by the distance and time-zone difference between sites.
A Subversion user environment that requires complex access policies across large numbers of repository resources can require the creation of a lot of team rules. When users belong to multiple teams and have their access controlled by many rules it's possible for a user's access to a particular resource be mistakenly blocked. The Lookup/Search tool lets users identify which rules prevail for a given resource.
Subversion Access Control Export Settings tool, situated under the System tab is used to backup all of Access Control's settings (although not the Subversion repository data). This includes the users, teams and rules. See Export Settings.
What follows is a an example setup of an LDAP group withing Access Control (this should work much the same for connecting to an Active Directory service).
cn=Dharma Initiative,dc=wandisco,dc=com
ldap://host:port/dn?attributes?scope?filter?extensionsIn this example we're using the distinguished name of the Dharma Initiative, as described in step 1. See 4.1.6 Create LDAP Authority for a more detailed explanation of the entry fields.
LDAP admin/team polling frequency:
The frequency (in minutes) that MultiSite performs a check of the status of the admins / team members. (Default is 5 minutes)
Continue onto next LDAP authority on user not found:
Tick to enable MultiSite to run through all available authorities should a user's credentials are not present on the first authority.
Continue onto next LDAP authority on user authentication:
Tick to enable MultiSite to run through all available authorities should a user's authentication fail on the first authority.
Use LDAP authorities to authenticate administrators: Tick to enable MultiSite to authenticate its administrators (users who have access to the MultiSite admin console) via LDAP. This will be automatically be ticked and not editable if System Administrator Group? has been ticked in the authority's settings.
Subversion Access Control can be set up to use SSL encryption. First you should run through the following steps after extracting the Access Control files (but before running setup).
<INSTALL_DIR>/svn-replicator/config
./config
make a new directory called ssl.-rw-r--r-- 1 root root 267 May 30 12:01 deletionqueue.ser -rw-r--r-- 1 root root 512 May 28 10:38 license.key -rw-r--r-- 1 root root 3399 May 14 15:14 log.properties -rw-r--r-- 1 root root 763 May 28 11:01 logrotation.ser -rw-r--r-- 1 root root 387 May 28 11:00 mailconfig.properties drwxr-xr-x 5 root root 4096 May 28 10:40 membership drwxr-xr-x 3 root root 4096 May 28 10:40 prefs -rw-r--r-- 1 root root 2727 May 14 15:14 prefs-template.xml -rw-r--r-- 1 root root 2811 May 28 10:59 prefs.xml drwxr-xr-x 3 root root 4096 May 28 10:40 scm drwxr-xr-x 5 root root 4096 May 28 10:40 security drwxr-xr-x 2 root root 4096 May 28 11:01 sessions [root@Centos-71 config]$ mkdir ssl
cd ssl
$JAVA_HOME/bin/keytool -genkey -keyalg RSA -keystore <PRIVATE KEY> -storepass <YOUR PASSWORD>
Knowledgebase
Read more about the Java keystore generation tool in the KB article - Using Java Keytool to manage keystores
If no password is specified on the command, you'll be prompted for it. Your entry will not be masked so you (and anyone else looking at your screen) will be able to see what you type.
Most commands that interrogate or change the keystore will need to use the store password. Some commands may need to use the private key password. Passwords can be specified on the command line (using the -storepass
and -keypass
options).
However, a password should not be specified on a command line or in a script unless it is for testing purposes, or you are on a secure system.
The utility will prompt you for the following information
What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Enter key password for <mykey> (RETURN if same as keystore password):
SSLv3 is support (though not enforced). If your browser setting has SSLv3 disabled, you will get a handshake error message. If it has both SSLv3 and TLS enabled, then, depending on the browser, it will try to switch from TLS to SSLv3 during the handshake. If you receive a handshake error message in your browser, make sure that TLS is disabled and only SSLv3 is enabled. All current browsers support SSLv3.
In the keystore, the server certificate is associate with a key. By default, we look for a key named server
to validate the certificate. If you use a key for the server with a different name, enter this in the SSL settings.
A complete debug of the SSL logging will be required to diagnose the problems. To capture the debugging, run the java process with:
'-Djavax.net.debug=all' flag.
To enable the logging of SSL implemented layer, turn the logging to FINEST for 'com.wandisco.platform.net' package.
If you're specifying secure email (using a truststore) and LDAP authentication over SSL (using a truststore), the same truststore must be used for both sets of certificates. If different truststores are used then the LDAP truststore will overwrite the email truststore and secure emails will stop working.
Welcome to the admin guide for WANdisco's Subversion Access Control. This guide will help you take control and manage the access of your Subversion repositories.
Access Control has a browser-based Admin Console for making user access changes, changing settings or viewing system logs.
Connecting to the Admin Console
Connect to the Admin Console through a web browser, using your server's hostname or IP address, along with the administration port (defaults to 6444).
On connecting you'll be prompted for a login. The default admin username is admin and the password is specified during setup. This section will run through the different screens available in the Admin Console, explaining what they do.
The admin console screen consists of the following elements:
Top menu bar: includes the product license and any expiry date, along with links to documentation and support.
Section tabs: The admin consoles different sections are seperated on tabs. They consist of the following sections:
Alert
The layout and features available in admin console alter depending on your license agreement. So you may not see all the elements described in this guide.
Section menu: Appears on the left-hand side and contains links to features that are specific to the tab.
Product version line appears at the bottom of the screen and shows the product version and build, the version of Java installed and the operating system.
On the authentication screen there are a number of links available, even if you don't login.
Proxy Status - Proxy Status Displays the node's status in the tab's main panel.
Change User Password - Follow this link to change the password of a User, it's not used for changing the Admin password.
The security tab handles all user related functionality.
Tip
The Security tab features product capabilities that are available when the Access Control product has been bundled with Subversion MultiSite. The documentation for using Access Control can be found in the User Guide Section.
In Access Control a Team is a group of users who are associated with a resource or collection of resources. Teams underpin how user authorization is managed in Access Control.
Team Names Must Be Globally Unique
All teams must have a unique name within Access Control. It's currently not possible to have two teams with the same name, even if they are located within different directories.
List Teams is the default screen of the Security tab. All teams and subteams are listed, along with the number of users in the team, the number of sub teams and the number of team rules that apply to the team /sub team.
You can view a team by clicking on it's name. You can edit a team's settings by clicking on the Actions drop down and then clicking Edit.The details of a team can be viewed by clicking on the team's name on the List Teams screen. This will show the team's summary tab which shows the teams details. The summary screen doesn't allow any changes to teh team to be made directly, instead, click on the tab that correspond to the property that you wish to change.
Default Team Leader Permissions.
When you make a user into a team leader, you enable them to change the team's setup. However, they need to be further assigned specific permissions to Create Users, Create Subteams and Disable users. See the next section for how to enable Team Leader User permissions.
Denied by default
In the absense of any team rules, all team members are denied access to all repository resources. This might seem like 'bunker mentality' but it's the only sensible strategy for ensuring that a repository's data is secured against unauthorized access.
The Edit Team screen lets you make changes to an existing team.
Disable User is universal
It's important to realise that Disable Users doesn't currently work on a per team basis, and that a team leader who disables one of their team members will also disable the user in all other teams in which the user belongs.
The Create Sub Team screen works the same way as the Create Team screen, except that the resulting team can only draw upon the users and resources that appear in its parent team. The parent team is noted at the top of the screen.
Team rules are used to specify what permissions that some or all of the team's users have on some or all of the team's available reponsitory resources. Again, you'll only be able to specify users and resources that are available to the team or subteam.
The Create User screen is used to add a new users to the WANdisco MultiSite, which will, providing that MultiSite is managing the Subversion password, also give the user access to Subversion, subject to whatever teams and team rules are applied to the user.
Use the Edit User screen to modify the user's account details.
The user view is available if you click on a username anywhere in the admin console. It lists all the user's details, the teams to which they belong, as well as their System Administrator status, and whether their accoutn is currently disabled. When viewed as a team leader or system administrator, there will also be an Edit button to enable you to make changes to the user's account.
The Edit screen lets you change of the user's account entries, enable or disable System Administrator permission, disable or re-enable the account.
It's possible to import users instead of entering them manually through the Create User screen. Use a comma delimited (CSV) format for the import, with the following fields:
<username>,<first name>,<last name>,<email address>,<password>[,<team name>]
Click on Choose File and navigate to your import file. When selected click the Import button. A message window will appear, indicating whether the import was successful.
Caution importing users to subteams
You can import users straight into teams by including an optional team name field (see the format, below). This will allow you to import to either top level teams or subteams if the subteam has a unique name.
Unique team names are only enforced at the top level and within each parent team. It's therefore possible to have two teams called "QA", so long as they are subteams for different parent teams. Importing a user to "QA" team when there is more than one "QA" team will result in the user being placed unpredictably into one of the teams.
The Lookup/Search tool lets you test a user's access permissions for a specfied repository resource. For users who are members of multiple teams and to whom numerous team rules are applied, the Lookup/Search greatly simplifies the verification of their access permissions.
Click Lookup to initiate the test. The results are presented as a Read Results and a Write Results. Each result will indicate whether access is granted or denied, and from which rule the permission was granted, and from which team the rule was applied. This is enough information to help you fine-tune permissions without a lot of blind trial-and-error changes.
It's possible to set up a number of LDAP authorities, if your organisation is runs from more than one LDAP server. Use the Create LDAP Authoritity screen to define your authorities as well as the order in which they are executed.
Order: The priority given to the LDAP URL. e.g. A Location Order of 1 means that Access Control will look within that defined authority for a user first. If unsuccessful then Access Control will then check the authority with the next order number (e.g. 2).
Regular Expression: The regular expression offers a means of limiting the number of queries that Access Control attempts when searching for a user accross the available authorities. For example, if you set up an authority whose users have a specific top-level domain in their email addresses, you can use a regular expression to match them to a particular authorities.
URL: the URL for the LDAP authority, using the format
ldap://host:port/dn?attributes?scope?filter?extensions
Active directory allows the definition of groups that are themselves members of a parent group. This provides the administrator with a useful organizational structure.
sanramon (group synchronized to team in access control) +- Jon (user) +- Kev (user) +- support (group) +- Gaz (user)
Looking at the above heirarchy which shows the "San Ramon" (sanramon) team, and set a filter to get all users that are members of the 'sheffield' group. Access control will normally create three users in the team: Jon, Kev and support. What this query does is create three users: Jon, Kev and Gaz (through a recursive search of the 'support' group).
ldap://10.2.2.45:389/CN=Users,DC=sr,DC=wandisco,DC=com? sAMAccountname?sub?(memberOf:1.2.840.113556.1.4.1941:=CN=shef_devs_grp,OU=Belfast,DC=sr,DC=wandisco,DC=com)
The LDAP settings screen contains all the settings for any LDAP services that you use with Subversion MultiSite. By default, LDAP is not activated. Click on Authenticate using pre-replication LDAP to enable any authorities that you've entered in the LDAP Authorities screen.
When enabled, all LDAP authorities will be listed, along with the following options:
Order: LDAP authorities are listed in the order of execution that you set when defining the authorities' properties.
Regular Expression: The regular expression offers a means of limiting the number of queries that Access Control attempts when searching for a user accross the available authorities. For example, if you set up an authority whose users have a specific top-level domain in their email addresses, you can use a regular expression to match them to a particular authorities.
Delete Authorities Select from the list using the checkbox, then click the Delete Authorities button. Using this method to delete multiple authorities in a single action. You can delete a single authority by clicking on its corresponding Actions button and clicking on "Delete".
Note that should you delete the last remaining active LDAP authority you'll see a warning that LDAP authentication will be switched off if you complete the deletion. This is to ensure that you don't get locked out
Test Authorities Use this to verify that Access Control can talk to authority that you select by ticking their corresponding check boxes. On clicking Test Authorities you get a report on the number of authorities to which Accesss Control can successfully connect.
Create Authority: To create a new LDAP authority, click the Create Authority button.
Actions: The following, additional actions can be performed on each authority by clicking on the Actions drop-list.
LDAP admin/team polling frequency:
The frequency (in minutes) that MultiSite performs a check of the status of the admins / team members. (Default is 5 minutes)
Continue onto next LDAP authority on user not found:
Tick to enable MultiSite to run through all available authorities should a user's credentials are not present on the first authority.
Continue onto next LDAP authority on user authentication:
Tick to enable MultiSite to run through all available authorities should a user's authentication fail on the first authority.
Use LDAP authorities to authenticate administrators: Tick to enable MultiSite to authenticate its administrators (users who have access to the MultiSite admin console) via LDAP. This will be automatically be ticked and not editable if System Administrator Group? has been ticked in the authority's settings.
Disable non-admin users on removal from last LDAP team: Tick to automatically disable users who no longer belong on any available LDAP authority.
Click SAVE LDAP Settings to save any changes you make on the LDAP Settings screen.
perl /svn-security/utils/ldapadminrest
The system tab is used to manage system functions such as viewing the Access Control log or importing and exporting user settings.
Log Viewer - View Access Controls log file.
Logs can be generated over multiple lines, which can make reading/performing greps difficult. It's possible to limit each log to a single line by using the following procedure:
org.nirala.trace.WandiscoLoggingFileHandler.formatter = org.nirala.trace.SingleLineFormatter
Set how Access Control monitors disk usage, warning you if the system's available disk space gets too small.
Use disk monitor: Tick the checkbox to have the disk monitor running.
Interval between checks (in milliseconds): 900000 (15 minutes) is the default interval time between checks.
Determine disk state by: Choose to measure disk usage either by percentage used or bytes free (in bytes, or append KB, MB or GB).
Warn Level: State the level of usage (either as a percentage or bytes free) at which point an alert email will be sent, and resent each time the disk monitor completes a check. So, if you set the Interval between checks to 900000 milliseconds, a warning email will be triggered every 15 minutes.
Critical Level: State the level of usage (either as a percentage or bytes free) at which the node will send an alert email and then shutdown. This will prevent the data on the node from being corrupted.
Click the Save Settings button to save any changes you make.
Alert
You MUST restart the node for any changes you make to take effect.
The License Info page contains the details of your WANdisco product license, useful for confirming the details of a number of license-specific features.
Company: Your company name.
Product: The product type. This is currently either svn (Subversion) or (CVS).
License Type: This indicated whether the license is either for evaluation or production.
Access Control:
Shows if Access Control has been enabled on the product.
Number of Allowed Nodes: Number of replicator instances that have been licensed.
Licensed IP Addresses: The IP addresses of each node.
Number of Allowed Users: Total number of possible users that are covered under the license.
License Expires: The date on which the current license will expire.
Maintenance Start Date: The first date covered by the current maintenance contract.
Maintenance End Date: The final date covered by the current maintenance contract.
The system settings screen provides a number of extra controls that allow you to fine-tune Access Control for potential performance improvements.
Enable Access Control Prevayler snapshot:
Tick this option to enable
Run automated backup:
Tick this option to have Access Control automatically run a backup at the end of each day (at midnight). When ticked you can then specify the length of your backup history, which is set at 30 days by default.
To restore Access Control to one of your backup points, use the Import Settings feature.
Enable Audit Trail logging:
Tick this option to record all Subversion activity in the AuditTrail logs. This feature is switched off by default as it creates some additional overhead in transaction processing.
Enable User Access Tracking:
Tick this option to have Access Control save timestamps against each user indicating the last time they interacted with a repository, which can be useful for user management. This feature is switched off by default as it creates some additional overhead in transaction processing.
The SSL Settings screen controls all settings related to the keystore and truststore management, used when the secure socket layer protocol is used to encrypt traffic between the replicator and clients.
Keystores and Truststores
You might be familiar with the Public-key system that allows two parties to use encryption to keep their communication with each other private (incomprehensible to an intercepting third-party).
The keystore is used to store the public and private keys that are used in this system. However, in isolation, the system remains susceptible to the hijacking of the public key file, where an end user may receive a fake public key and be unaware that it will enable communication with an impostor. Enter Certificate Authorities (CAs). These trusted third parties issue digital certificates that verify that a given public key matches with the expected owner. These digital certificates are kept in the truststore.
An SSL implementation that uses both keystore and truststore files offers a more secure SSL solution.
Use SSL for replication:
Tick the checkbox to enable SSL encryption for Subversion traffic.
Certificate Alias:
The certificate name of the server.
Key Password:
(Optional) password to control access to keys in the KeyStore. All keys in the keystore must have the same password.
KeyStore Filename:
The file in which private keys are stored. Click on the spyglass icon if you need to browse for the file.
KeyStore Password:
Optional password to control access to keys in the KeyStore. All keys in the keystore must have the same password.
TrustStore Filename:
This is the file in which public keys are stored. This can be the same as the KeyStore. Click on the spyglass icon if you need to browse for the file.
TrustStore Password:
Password to control access to the TrustStore.
For more information about running Subversion MultiSite with SSL, see 2.7 Using SSL.
Access Control uses one log, and the default level is info. The levels vary from severe, where you get only the most severe warnings, to finest, which logs every action.
This command frees the memory (GC stands for garbage collection and is only applicable when Access Control is used with the Subversion Multisite.) The command occurs on clicking the Free Memory menu link. The display shows information on the command that was just performed.
The backup settings offer basic backup and recovery features
This command allows you to export WANdisco settings, including all user related data, making it available for restoration at a later date..
The export routine creates a directory containing the files necessary to import user settings back into Access Control.
Backup directories use a name string YYYY-MM-DD.HH-MM-SS::XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ,
e.g.
2012-01-23.16-21-03::2775e033-45b1-11e1-acb4-21d651998aa9
A typical backup directory will look like this:
File properties -rw-r--r-- 1 root root 87232 May 30 14:01 access-control.xml -rw-r--r-- 1 root root 101 May 30 14:01 ExcludeUsersDB.xml -rw-r--r-- 1 root root 387 May 30 14:01 mailconfig.properties -rw-r--r-- 1 root root 6 May 30 14:01 MembershipConfigurationRegistry.xml -rw-r--r-- 1 root root 87 May 30 14:01 NewUsersDB.xml -rw-r--r-- 1 root root 809 May 30 14:01 NodeRegistry.xml -rw-r--r-- 1 root root 2440 May 30 14:01 NonResettableDynamicPreferences.xml -rw-r--r-- 1 root root 2811 May 30 14:01 prefs.xml -rw-r--r-- 1 root root 162 May 30 14:01 RepoSettings.xml -rw-r--r-- 1 root root 1162 May 30 14:01 Repos.xml -rw-r--r-- 1 root root 6 May 30 14:01 ViewRegistry.xml [root@10-2-5-145 2012-05-30.14-01-50_41e13ec5-a8ab-11e1-a03f-515d761f3659]#
The Proxy tab handles Access Control proxy settings which alter the way that Access Control works between Subversion and users.
Proxy Status - Displays the node's status in the tab's main panel.
Click on the change proxy or admin port link to change either the port that Subversion clients will use to connect on, ot the admin port that is used to access the admin console (6444 is the default).
uber
When using Access Control with ubersvn, be aware that changing the proxy or admin port will stop the Access Control API from working properly - objects created/linked in uberSVN will stop being carried over into Access Control.
workaround: After changing the Access Control port (Default:6444), open the file ubersvn/plugins/accesscontrol/uber-plugin.xml
and update it to reference the new port number.
You can view the logs, including the main log - SVNProxyServer-prefs.log
.
The Node section deals with settings that apply to the server on which you are running Subversion and the Access Control proxy.
The SVN Settings section contains many crucial settings for how Access Control will interact with your Subversion server.
Access Rules when Authz is not enabled
Read how access rules work differently when Apache authz is not enabled -
How we apply rules when authz is not enabled
You can Edit, Delete any of the Subversion repositories that you run behind Access Control - although .
Add Repository: Click to add an additional repositories, either using SVNPath or Parent Path.
Edit Repository
Click on the Edit link to open the repository's settings screen.
The edit repository screen lets you modify a number of repository specific settings:
Directory on File System: This is the fully qualified path to the Subversion repository. Not the URL used by clients. You can seach for the location by clicking on the magnifying glass button.
Manage Password File: There are some big benefits to having Access Control manage the Subversion Password file - with this check box ticked, you can add Subversion users by entering their details via the Create Users screen of the admin console.
Password File: Provide a link to the SVN password file on the local file system.
Authentication Realm: Associate an authentication realm with the repository. You should follow the guidance in the Apache documentation for the AuthName Directive.
If you select Yes, SVNParentPath is used in the apache location directive, you'll be presented with a entry box that allows you to select and edit available Root Names.
The email settings screen stores any settings that you have in place
SMTP Authentication: If you select No, you'll need to provide your account.
Username and Password in the following entry boxes.
Use SSL/TLS: Choose yes if you wish to send emails over a secure connection.
Host: Enter the address of your mail server.
Port: Enter the SMTP port, 25 by default.
Send Admin Notification To: The email address (You can only specify a single address, not a comma delimited list) to where notifications will be sent.
Email settings are optional. If you don't need alert emails, click Skip to continue. Otherwise, click Next.
Email settings that Access Control uses to send status alerts.
Stops Access Control and prevents client access.
Shuts down Access Control completely.
Copyright © 2010-2015 WANdisco, Inc.
All Rights Reserved
This product is protected by copyright and distributed under licenses restricting copying, distribution, and decompilation.