
Re: authorization system status

From: Greg Stein <gstein_at_lyra.org>
Date: 2001-08-07 23:02:10 CEST

On Tue, Aug 07, 2001 at 01:53:50PM -0500, kfogel@collab.net wrote:
>...
> 1. Apache .conf authorization. This is done by ra_dav &
> mod_dav_svn, and works basically the same way any Apache
> authorization works. We can protect the whole repository, or
> even paths within the repository (although there's no need to do
> so yet) by setting up <Location>...</Location> directives. The
> committers group is defined in a .conf file or some other place
> containing the authentication information for that group.
> Checkouts can be protected too. Thanks to Greg Stein for
> explaining this.

For the curious, this would look something like:

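# "\$" matches the literal "$" of the $svn special URI; an unescaped "$"
# is a regex end-of-string anchor, so the section would never apply.
<LocationMatch "/svn/repos/\$svn/ver/[^/]*/the/path">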
  <Limit CHECKOUT>
    require group coders
  </Limit>
</LocationMatch>

Normally, we'll just do something like this:

<Location /svn/repos>
  DAV svn
  SVNPath /home/gstein/dav/svnrepos
  <Limit MKACTIVITY>
    require group coders
  </Limit>
</Location>

(plus some authentication stuff)

>...
> DISADVANTAGES: coarse-grained -- unlike a hook script (see
> below), you can't run arbitrary code to determine whether
> so-and-so is authorized to do such-and-such. You have to fit
> within Apache's idea of what things are appropriate to
> authorize. Luckily, most of what we do does fit into this idea.

Note that a custom Apache module can be as fine-grained as it would like to
be, and take anything into account. Of course, it is much more difficult to
write one of these, compared to a hook script.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
Received on Sat Oct 21 14:36:35 2006
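
An added illustration, not part of the original mail: the <Location> block above with the "authentication stuff" filled in, and the write restriction expressed with <LimitExcept> so that any method not explicitly listed as read-only also requires group membership. The file paths, realm name and the list of read-only methods are assumptions.

```apache
# Constructed example; paths, realm and method list are placeholders.
<Location /svn/repos>
  DAV svn
  SVNPath /path/to/repository

  # Authentication: establishes who the user is.
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/htpasswd
  # Group file with a line such as:  coders: alice bob
  AuthGroupFile /path/to/htgroup

  # Authorization. <Limit MKACTIVITY> protects only the method it names;
  # every other method stays open to anyone who can reach the server.
  # <LimitExcept> inverts that: the methods listed here stay open for
  # anonymous reads, and everything else (MKACTIVITY, CHECKOUT, PUT,
  # DELETE, MERGE, and any method not thought of) needs the group.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require group coders
  </LimitExcept>
</Location>
```

Basic authentication sends the password with every request, so this block belongs on a TLS-protected virtual host.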

This is an archived mail posted to the Subversion Dev mailing list.
