SVN Error when committing Access denied: 'foob

2019-02-12 10:02发布

问题:

I'm currently working with Apache and SVN with ActiveDirectory Authentication. The user is using TortoiseSVN client.

I should point out that I have 2 repos with same name and different mapping but redirected to the same "user url" since the permissions are the same for both repos.

eg 'http://mysrvr/svn/foo/bar/corge' and 'http://mysrvr/svn/foo/corge'

or 'http://mysrvr/svn/foo/bar/corge and' 'http://mysrvr/svn/foo/grault/corge'

This 2 repos thing is replicated with 8 "repo pairs" and the remaining 7 are working just fine.

Here is my error:

Commit failed(details follow):

access to '/svn/myDir/MYREPO/!svn/act/65bf494c-a66a-4f45-870e-d988f691a45d' forbidden

Finished!

It's not permissions, since the user foobar has rw access and he has successfully checked out the repository. This error happens on commit.

Things that would help to orientate to a precise solve:

  • Other repo pairs are doing fine. And the permissions are the same.
  • My svn administrator user can do at the same local PC as the troubled user that commit.
  • UPPERCASE/lowercase URL isn't the problem, i've checked
  • NTLM and Active Directory aren't the problem either since he has access to the other repo with the same permission file.
  • Other users of the same repo are experimenting the same problem. While I can still do the commit at their local PCs. (just as if they had no writing permission)

Here are the Apache logs:

Apache error.log

[dd mm 12:38:02 2011] [error] [client 10.x.x.x] Access denied: 'foobar' MKACTIVITY MYREPO:

[dd mm 12:39:40 2011] [error] [client 10.x.x.x] Access denied: 'foobar' MKACTIVITY MYREPO:

[dd mm 12:39:54 2011] [error] [client 10.x.x.x] Access denied: 'foobar' MKACTIVITY MYREPO:

Apache access.log

10.x.x.x - foobar [dd/mmm/yy:12:38:02 GMT] "OPTIONS /svn/myDir/MYREPO HTTP/1.1" 200 198

10.x.x.x - foobar [dd/mmm/yy:12:38:02 GMT] "PROPFIND /svn/myDir/MYREPO HTTP/1.1" 207 667

10.x.x.x - foobar [dd/mmm/yy:12:38:02 GMT] "MKACTIVITY /svn/myDir/MYREPO/!svn/act/65bf494c-a66a-4f45-870e-d988f691a45d HTTP/1.1" 403 266

svn_activity.log

[dd/mmm/yy:12:34:20 -0300] waldo commit r2

[dd/mmm/yy:12:39:07 -0300] fred status /src/trunk r1447

From the svn_activity.log I can deduce Apache catches and bounces the access, given that there is no foobar access at time-frame exposed previously.

So, hoping that the data i've collected is useful to solve this... any ideas?

回答1:

I've found it!

Ok here's the answer:

What was the problem:

My users check out a Repo in the directory /svn/myDir/MYREPO

Apache knows that he has to translate MYREPO to a lowercase directory so when you check out or do any read operation this was working just fine.

But when the users did try to do the commit operation Apache changes somehow the order of the operations he has to do to fulfill the users request so, first accepts the write operation and tries to write, and then changes to lowercase.

Again, it tries to write to the /svn/myDir/MYREPO, the issue is that:

  • permissions to the repo where set to myrepo and not MYREPO
  • the actual repo is myrepo and not MYREPO

So... MYREPO does not exist! myrepo does. That's why it throws that error:

  • ACCESS DENIED because there is no permission written for MYREPO.
  • And It does recognize the repo in the read way because apache understands what you are asking for and translates.

But for writing first works with it and after that takes a moment to understand what is he doing. And the exception comes previous to the understanding so Apache never get's there.

How to solve it:

This is the simplest thing:

  • Go to the checked out Repo
  • Do a Relocate from
    http://YourServer/svn/myDir/MYREPO
    to
    http://YourServer/svn/myDir/myrepo

My recommendation:

My recommendation for svn-administrators and users from now on, is do

EVERITHING LOWERCASE... sorry, I correct myself:

everything lowercase!



回答2:

Added to the above solution, please be informed that, prior to Subversion 1.7, Subversion treated repository names and paths in a case-insensitive fashion for the purposes of access control, converting them to lower case internally before comparing them against the contents of your access file. It now does these comparisons case-sensitively. If you upgraded to Subversion 1.7 from an older version, you should review your access files for case correctness.

Source - http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.pathbasedauthz