Use Subversion, Apache, and WebSVN to view your repositories

  
  
  

WebSVN is a PHP-based client that, together with Apache, gives you a web-browser view of your Subversion repository. With a properly set up WebSVN installation you can see an easily navigable view of what was done in any given revision, check who was responsible for it, and compare two versions of a file. Combine WebSVN with the Apache DAV Subversion module and you can check out your repository over HTTP as well.

As we set up WebSVN, I'll assume that you already have a functioning Apache2 install. We'll look at installation on Debian/Ubuntu and on CentOS. You can also set up WebSVN on other Linuxes, on Windows, and Mac OS X.

Before looking at WebSVN, you need to set up Apache and Subversion so you can access the Subversion repository over HTTP. Install the necessary software with the appropriate command; on CentOS it's

sudo yum install subversion mod_dav_svn

On Debian or Ubuntu, use

sudo apt-get install subversion libapache2-svn

On CentOS, you'll need to add these lines in your Apache config to load the dav_svn module (Debian does this on install):

 
LoadModule dav_svn_module     modules/mod_dav_svn.so 
LoadModule authz_svn_module   modules/mod_authz_svn.so

In both distros you also need to configure the module. Add these lines to your Apache config (on Debian/Ubuntu, check /etc/apache2/mods-enabled/dav_svn.conf for hints):

<Location /svnrepo>
  DAV svn
  SVNPath /var/lib/svnrepo
</Location>

Note that when you first set up this repository, anyone can access it for read or write. We'll discuss providing better security via authentication in a moment.

Now, set up an SVN repository and give it the correct permissions so that Apache can access it (www-data is the Apache user on Debian/Ubuntu; on CentOS it is apache):

sudo svnadmin create /var/lib/svnrepo  
sudo chown -R www-data:www-data /var/lib/svnrepo  
sudo chmod -R 700 /var/lib/svnrepo

Restart Apache, and check out the (currently empty) repository on http://localhost/svnrepo. This is a very basic Subversion plus Apache setup; we want to use WebSVN on top of that to get a more useful view of our repository. Install WebSVN, plus enscript, a package that converts text input to various output formats, or here, pretty-prints it. On CentOS, run:

sudo yum install websvn enscript

On Debian and Ubuntu, it's

sudo apt-get install websvn enscript

On Debian, the package installation should configure Apache2 support and set up access to the specified repository (in our case, http://localhost/svnrepo). To edit the settings manually, and to set up on CentOS, go to /etc/websvn. Either edit /etc/websvn/config.php directly, or if you prefer, put your settings in svn_my_conf.inc, and add this line in /etc/websvn/config.php:

include("/etc/websvn/svn_my_conf.inc");

The config should look like this:

<?php
$config->addRepository("my repos", "file:///var/lib/svnrepo");
$config->setEnscriptPath("/usr/bin");
$config->setSedPath("/bin");
$config->useEnscript();
?>

You'll also need to set the $locwebsvnhttp and $locwebsvnreal variables in wsvn.php, and make sure that the provided Apache config is included or copied into your main Apache config files.

Fire up http://localhost/websvn (the default WebSVN location) in your browser; you should see the (still empty) repository.

Subversion checkout over HTTP

You probably want to be able to check out and commit things to the repository. WebSVN allows you to view and browse it, but not to access it directly. You can do this as usual via file:/// and the command line if your user has the correct permissions for the directory, or, now that the dav_svn Apache module is set up, you can do it via HTTP. Create a my_svn directory and check out the repository into it:

mkdir my_svn
cd my_svn
svn co http://localhost/svnrepo/

Note that the address of the repository is the one you set up with Apache, not the WebSVN shortcut. An alternative to these commands is to use svn co http://localhost/svnrepo/ . (note the final .) to check out the contents directly into your current directory. Create and add a file (touch file1; svn add file1; svn commit) and go back to the WebSVN view at http://localhost/websvn to see the new file there.

Authentication

With the current setup, if you go to the "blame" view, there's no user there to blame, as you haven't identified yourself. Not only that, but at present anyone, anonymously, can write to your repository, which is probably not what you want (though you may be happy for anyone to read from or access your repository anonymously). To get some basic authentication in place, add these lines to the <Location> section you added to your Apache config earlier:

 
AuthType Basic  
AuthName "SVN Repository"  
AuthUserFile /etc/apache2/dav_svn.passwd
  
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require valid-user
</LimitExcept>

This sets up basic authentication (for which the auth_basic, authn_file, and authz_user Apache modules must be enabled; they usually are by default). With this setup, anyone can read the repository anonymously (and so can check it out, which means that WebSVN doesn't need to be authenticated), but committers must be authenticated. (Do remember, though, that basic authentication sends the password with every request without encrypting it, so it is not properly secure unless you're using HTTPS.) Add a test user to try it out:

sudo htpasswd -cm /etc/apache2/dav_svn.passwd svnuser

Now you should still be able to check out the repository without authenticating, but when you try to commit, you should be challenged for a password. You can give the svnuser username on the command line:

svn --username svnuser commit
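To check that a configuration really closes anonymous writes, the following added example (not part of the original article, Apache, or Subversion) classifies every DAV svn <Location> block in a config file. The sample configs are constructed from the directives shown in this article; the function name and the wording of the findings are assumptions of the example.

```python
import re

READ_ONLY = {"GET", "PROPFIND", "OPTIONS", "REPORT"}  # methods the article leaves open

def _has_require(text):
    return re.search(r"(?im)^\s*Require\s+\S", text) is not None

def audit_dav_svn(conf_text):
    """Map each <Location> path that enables DAV svn to a list of findings."""
    text = re.sub(r"(?m)^\s*#.*$", "", conf_text)  # ignore commented-out lines
    report = {}
    for m in re.finditer(r"(?is)<Location\s+([^>\s]+)\s*>(.*?)</Location>", text):
        path, body = m.group(1), m.group(2)
        if not re.search(r"(?im)^\s*DAV\s+svn\s*$", body):
            continue  # not a Subversion location
        limit = re.search(r"(?is)<LimitExcept\s+([^>]*)>(.*?)</LimitExcept>", body)
        outer = re.sub(r"(?is)<LimitExcept.*?</LimitExcept>", "", body)
        notes = []
        if _has_require(outer):
            notes.append("all methods require authentication")
        elif limit and _has_require(limit.group(2)):
            extra = sorted(set(limit.group(1).upper().split()) - READ_ONLY)
            notes.append("anonymous non-read methods: " + ", ".join(extra) if extra
                         else "anonymous read, authenticated write")
        else:
            notes.append("anonymous read AND write: no Require directive")
        if re.search(r"(?im)^\s*AuthType\s+Basic\s*$", body):
            notes.append("Basic auth: serve this location over HTTPS only")
        report[path] = notes
    return report

# Constructed samples built from the directives in this article.
OPEN = """<Location /svnrepo>
  DAV svn
  SVNPath /var/lib/svnrepo
</Location>"""

LOCKED = OPEN.replace("</Location>", """  AuthType Basic
  AuthName "SVN Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>""")

if __name__ == "__main__":
    for name, conf in (("before", OPEN), ("after", LOCKED)):
        print(name, audit_dav_svn(conf))
```

A method list in <LimitExcept> that goes beyond the four read methods is reported separately, since every method named there stays open to anonymous clients.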

However, be aware that there is a known bug in Subversion concerning group permissions. This means that while your commit will succeed (and be visible via WebDAV), you have to go in and manually make a permissions change in the repository:

sudo chmod g+w /var/lib/svnrepo

You can of course use other forms of authentication, such as LDAP, to authenticate your users just as you can with any other Apache directory. This page includes an example of LDAP access to a repository.

Fine-grained access and multiple repositories

The authentication described above is quite broad – a given user either can or cannot access the repository. If you want finer-grained access control, you can use mod_authz_svn instead. To see how this works, first create multiple repositories:

sudo mkdir /var/lib/svnparent
sudo svnadmin create /var/lib/svnparent/repo1
sudo svnadmin create /var/lib/svnparent/repo2

To access these repositories via Apache, edit dav_svn.conf to comment out SVNPath and add SVNParentPath:

#SVNPath /var/lib/svnrepo  
SVNParentPath /var/lib/svnparent

This gives access to any repository within the parent directory. You also need to edit /etc/websvn/svn_deb_conf.inc:

$config->parentPath("/var/lib/svnparent");

Restart Apache and look at http://localhost/websvn to see your two new repositories alongside your original repository.

To set up different access protection for your different repositories, you need to load and configure the mod_authz_svn module. On Debian/Ubuntu, it should automatically be loaded by mods-enabled/dav_svn.load. You can then edit the relevant section in mods-enabled/dav_svn.conf:

AuthzSVNAccessFile /etc/apache2/dav_svn.authz

Now edit /etc/apache2/dav_svn.authz to set up your users:

[groups]  
test-group = user1, user2  
test-group-2 = user3, user4  
test-group-3 = user5

[/]
* = r
@test-group = rw

[repo1:/]
@test-group-2 = rw  
user6 = rw

These settings are per-repository, but you can specify paths within the repository as well and further restrict access to those. To test it, add user1 through user6 to the dav_svn.passwd file as before (but without htpasswd's -c flag, which recreates the file and would discard the existing entries), and try checking out and committing as the various users to ensure it's all working correctly.
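How such a file resolves to an effective permission, as an added example (not code from the article or from mod_authz_svn): a simplified Python model that assumes the deepest path section with an entry matching the user decides, that a repository-specific section is consulted before the global one for the same path, and that rights from all matching entries in that section are combined. The [repo2:/private] section is constructed for illustration, and nested groups and aliases are not handled.

```python
import configparser

# The article's dav_svn.authz, plus one constructed path rule ([repo2:/private]).
AUTHZ = """\
[groups]
test-group = user1, user2
test-group-2 = user3, user4
test-group-3 = user5

[/]
* = r
@test-group = rw

[repo1:/]
@test-group-2 = rw
user6 = rw

[repo2:/private]
* =
@test-group-3 = rw
"""

def load_authz(text):
    """Parse authz text into (groups, sections)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: [u.strip() for u in v.split(",")] for g, v in cp["groups"].items()}
    sections = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return groups, sections

def access(authz, user, repo, path):
    """Return 'rw', 'r' or '' for user (None = anonymous) on repo:path."""
    groups, sections = authz
    def matches(who):
        if who.startswith("@"):
            return user in groups.get(who[1:], ())
        return who == "*" or who == user
    parts = [p for p in path.split("/") if p]
    while True:
        here = "/" + "/".join(parts)
        for name in (f"{repo}:{here}", here):  # repo-specific section first
            hits = [v for who, v in sections.get(name, {}).items() if matches(who)]
            if hits:  # deepest section with a matching entry decides
                rights = set("".join(hits))
                return "rw" if "w" in rights else "r" if "r" in rights else ""
        if not parts:
            return ""  # no rule matched at any level: deny
        parts.pop()
```

Here access(load_authz(AUTHZ), "user1", "repo2", "/private/notes.txt") returns an empty string: the empty "* =" entry on the deeper path takes precedence over the rw that test-group holds at the root.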

Apache, Subversion, and WebSVN fit together neatly to allow you to look at repositories, compare files, check them out, and work on them, then view afterward who has done what and why. You can see users, log messages, and file differences laid out in an easy-to-understand way in your browser, then check a repository out to work on it locally. You can also set up either broad-brush or fine-grained control as you prefer, and even hook authentication to your existing authentication setup. One final neat WebSVN tip is that you can use the RSS button provided at the end of each file display line or at the top of the repository listing for the whole repository to generate an RSS feed of changes to the repository, which can be handy to keep you informed of what's going on!




This work is licensed under a Creative Commons Attribution 3.0 Unported License

Comments

Fail 
>2012, not using git 
Posted @ Thursday, November 22, 2012 2:55 AM by lazarus
Thanks for your article, it helped me a lot.
Posted @ Saturday, April 05, 2014 12:40 PM by mb