I need acls for my repos that contains multiple projects, so I'm
going to start working on a pre-commit access control Perl (oops,
there's that word again) script that is discussed in this issue:
http://subversion.tigris.org/issues/show_bug.cgi?id=775
It'll check the txn against a list of valid users and paths.
The question is how to set up a configuration file that lists who
has access to what parts of the tree.
One obvious one to base this off is the acl config file format that
is used on the Apache tree. From cvs_acls.pl:
# ==== FORMAT OF THE acl FILE:
#
# The acl file determines whether you may commit files. It contains lines
# read from top to bottom, keeping track of a single "bit". The "bit"
# defaults to "on". It can be turned "off" by "unavail" lines and "on" by
# "avail" lines. ==> Last one counts.
#
# Any line not beginning with "avail" or "unavail" is ignored.
#
# Lines beginning with "avail" or "unavail" are assumed to be '|'-separated
# triples: (All spaces and tabs are ignored in a line.)
#
# {avail.*,unavail.*} [| user,user,... [| repos,repos,...]]
#
# 1. String starting with "avail" or "unavail".
# 2. Optional, comma-separated list of usernames.
# 3. Optional, comma-separated list of repository pathnames.
# These are pathnames relative to $CVSROOT. They can be directories or
# filenames. A directory name allows access to all files and
# directories below it.
#
# Example: (Text from the ';;' rightward may not appear in the file.)
#
# unavail ;; Make whole repository unavailable.
# avail|dgg ;; Except for user "dgg".
# avail|fred, john|bin/ls ;; Except when "fred" or "john" commit to
# ;; the module whose repository is "bin/ls"
This never really appealed to me, using the words "unavail" and "avail",
but aside from that, seems ok.
Given that we have multiple directories per project, such as
/trunk/proj1 and /tags/proj1, etc, it looks useful to have the
acl configuration file repository portions match regular expressions,
    /trunk/proj1
    /tags/proj1
then you could do
    avail|joeblow|^/{tags|trunk}/proj1
but then we'd have to change the separator from | to something else.
There was a previous discussion regarding commit-email.pl to use
the Windows configuration file format with a single section per
rule.
    # Make the entire repository read only.
    [nowrite]
    regex = .
    access = readonly

    # Give bob and joe write access to proj1.
    [rule1]
    regex = ^/{tags|trunk}/proj1
    users = bob joe
    access = readwrite
This one looks cleaner, so unless there are reasons not to do this,
I'm going to use this one.
Using this format will require the AppConfig module, unless I want
to write a new parser from scratch, which would be a complete waste
of time.
To see what requirements AppConfig has to install into your Perl,
I downloaded a fresh install of ActiveState Perl build 633 from
http://www.activestate.com/Products/Download/Download.plex?id=ActivePerl
installed it in a temporary directory and attempted to install
AppConfig into it. There were no additional Perl packages that
AppConfig required.
Best,
Blair
--
Blair Zajac <blair@orcaware.com>
Web and OS performance plots - http://www.orcaware.com/orca/
Received on Thu Jul 11 01:29:17 2002
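
The sectioned rule format proposed in the message, evaluated against a transaction's changed paths, as an added example that is not part of the original message or of the Subversion project's script. It is written in Python rather than Perl with AppConfig, and it assumes that the last matching rule wins, that a path matching no rule is denied, that a rule without `users` applies to everyone, and that alternation is written `(tags|trunk)` with a `(/|$)` boundary so that `proj1` does not also cover `proj10`.

```python
import configparser
import re

# Constructed sample config in the sectioned format from the message.
# Alternation is written (tags|trunk); (/|$) keeps proj1 from matching proj10.
SAMPLE_CONFIG = r"""
[nowrite]
regex = .
access = readonly

[rule1]
regex = ^/(tags|trunk)/proj1(/|$)
users = bob joe
access = readwrite
"""

def load_rules(text):
    """Parse sections in file order into (name, compiled regex, users, access)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for name in parser.sections():
        sec = parser[name]
        access = sec["access"].strip().lower()
        if access not in ("readonly", "readwrite"):
            raise ValueError(f"[{name}] unknown access value: {access!r}")
        users = frozenset(sec.get("users", "").split())  # empty = every user
        rules.append((name, re.compile(sec["regex"]), users, access))
    return rules

def may_write(rules, user, path):
    """Assumed semantics: last matching rule wins; no match means deny."""
    allowed = False
    for _name, regex, users, access in rules:
        if regex.search(path) and (not users or user in users):
            allowed = access == "readwrite"
    return allowed

def denied_paths(rules, user, changed_paths):
    """Paths in a transaction the user may not modify; empty list = accept."""
    return [p for p in changed_paths if not may_write(rules, user, p)]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    # Constructed transaction: one permitted path, one outside the rule.
    txn = ["/trunk/proj1/main.c", "/trunk/proj10/main.c"]
    print(denied_paths(rules, "bob", txn))
```

A hook built on this would reject the commit whenever `denied_paths` returns a non-empty list, and would need the transaction's paths normalised to a leading `/` before matching.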