[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] introduce AuthzSVNRepoRelativeAccessFile configuration item for mod_authz_svn

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Mon, 01 Nov 2010 12:09:53 -0400

On 11/01/2010 11:49 AM, C. Michael Pilato wrote:
> On 11/01/2010 09:24 AM, Nick Piper wrote:
>> [[[
>> Implement AuthzSVNRepoRelativeAccessFile to allow SVNParentPath to use
>> a different authz configuration file for each repository.
>>
>> * subversion/mod_authz_svn/mod_authz_svn.c
>> (get_access_conf) Check if AuthzSVNRepoRelativeAccessFile is on, and
>> if so, load the conf/authz file from inside the repository being
>> accessed rather than one which is statically configured in the
>> Apache configuration.
>> (subreq_bypass, access_checker, check_user_id, auth_checker)
>> Recognise that it's valid not to have a AuthzSVNAccessFile if
>> AuthzSVNRepoRelativeAccessFile is used.
>> ]]]
>
> What is the current behavior of a configuration file specified as relative
> path? I don't see any notations in the code or docs which indicate how
> mod_authz_svn will interpret a relative pathspec. If there's no clear
> meaning today, perhaps we should consider defining that behavior as "find
> the named access file relative to the repository's conf/ subdirectory".
> This allows us to avoid adding another configuration option.

UPDATE: A quick test leads me to believe that a relative path here is
interpreted as relative to the Apache installation root
("/usr/local/apache2" on my box). Hard to say how many admins are banking
on that behavior -- we certainly wouldn't to disrupt their systems without
sufficient warning.

> In other words, if today "AuthzSVNAccessFile FOO", where FOO is a relative
> path, has a not-well-defined meaning, then let's change it to mean "Read
> from ${REPO}/conf/FOO".
>
> SVNPath-using <Location>'s could use "AuthzSVNAccessFile authz" to get the
> behavior you want.
>
> SVNParentPath-using <Location>'s could use "AuthzSVNAccessFile authz" to do
> the same. Or, they could use "AuthzSVNAccessFile ../../authz" to read the
> rules from a single file in the parent-path directory shared across the
> repositories in that parent-path. (That have that ability today when using
> an absolute path, but this would allow for a more template-izable
> SVNParentPath block.)
>
> Thoughts?
>

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on 2010-11-01 17:10:34 CET

This is an archived mail posted to the Subversion Dev mailing list.