Products

Tech Tips: Restricting Repository Access Via SVN WebClient

Welcome to another post from the Polarion Technical Support Team. From time to time we face challenging situations when the solution of the problem is not obvious at first glance and some research around is necessary. Let me share with you one such case that we successfully resolved.

When security isn’t quite secure enough


You probably are aware of Polarion’s multi-tier security architecture and granular permissions scheme that lets you fine tune who can access what. But you might encounter a situation when you require Polarion to be even more strict in its security, and setting permissions is not enough. Suppose, for example, that like one of our customers you want to restrict users’ access to Polarion’s Subversion repository via the SVN WebClient, which appears in the UI as the Repository Browser topic. Our customer said they didn’t want allow their users to upload or download files using that feature.

When I received the request asking how to restrict users from accessing the repository via SVN WebClient, I was convinced at first that it is absolutely not possible, as this component is tightly bundled within Polarion. Then I realized that it is at least possible to hide the Navigation topic in the UI. So in Polarion’s global administration, I went to the Portal > Topics configuration and removed the XML element that makes the SVN WebClient (i.e. Repository Browser) available in the UI:
<topic id=”repository_browser”/>.

OK, so this solution prevented new and less experienced users from accessing the SVN WebClient. But what happens if some users have saved its URL, or they have the link in some email or chat history, or they get it from someone on some internet forum? If they have the URL, they can access the client even if it’s access point is hidden in Navigation. It took me quite some time to figure out, but I got an idea for a neat little hack: what if I make a redirect in Apache to some custom page? I thought that should definitely work… and it really does.

The great repo browser hack in Apache


By using Apache mod_rewrite you can redirect any page you want. With simple syntax written to the polarion.conf file and then restarting everything, I convinced Polarion not to display the SVN WebClient even if someone hits its URL. Here’s the end result of this simple but effective hack:

Screenshot: result of Apache modification to block access to Polarion's Repository Browser


You can get inspired by the code below, where the important parameters of the rewrite rule are location of the SVN WebClient and a custom page that will be displayed in the portal instead of it.


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/polarion/svnwebclient /var/www/norepobrowser.html
</IfModule>

Still not tough enough?


What if your goal is to deny access to the whole repository from any SVN client… such as TortoiseSVN? There’s a simple solution: you can deny access from all IP addresses except some specific one (localhost or a server’s fully qualified domain name). The result is that nobody can access the repository from any address, using any client. Only Polarion itself, or an admin logged in to the server are eligible to access repository.

In the Apache configuration file where the repository location is specified (normally polarionSVN.conf), it will be necessary to add directives that deny access from all IP addresses and just allow it from one specific one. These lines added to the </repo> location definition will get the job done:

Order deny,allow
Deny from all
Allow from my.polarion.server.mydomain.com

…where my.polarion.server.mydomain.com is the fully qualified domain name of the Polarion server (same as in the system configuration file polarion.properties).

Happy hacking!


Sometimes some light hacking of the Apache configuration is just the trick you need. But it’s something you should undertake with caution, and be sure you know what you’re doing. Never experiment with your production system! Remember that you can always download a copy of Polarion with it’s built-in 30-day 3-user evaluation license, and install it on some test machine. Remember too that Polarion’s Gold support plan is available, which provides a free staging server, and help from our experts with any highly individualistic needs you may have.

In which other areas would you find this trick useful? Is there something you would like to see our support team blog about? Don’t forget to leave us a comment.


 

Banner: It's all about solutions - Polarion Silver and Gold Support

Hanzlikova Martina

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/polarion/tech-tips-restricting-repository-access-via-svn-webclient/