
Access control hook

From: Pavol Gono <pavol_gono_at_yahoo.com>
Date: 2005-06-28 22:51:44 CEST

Greetings

I want to create a hook for svnserve. The goal is easy maintenance of
the user database and more fine-grained access control.
Functionality should be similar to svnperms.py, but I want to
solve some problems (see
subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=33687).

My idea for this is:
- C language (because of speed), using svn libraries
- binary will be usable as pre-commit, pre-lock, pre-unlock,
maybe also start-commit (in simple UNIX configuration symlinks
in repository to real binary)
- configuration of hook is one file with format of
mod_authz_svn. I think this format is fairly good and users
won't be happy with different configurations for httpd and
svnserve. I just want to add possible accesses - there is now r
and rw; I suggest r (read as is), u (update/modify), a (add), d
(delete), p (change of properties), l (locking and unlocking
stuff). w can be synonym for uadp for backward compatibility.

- work of hook:
1) parse commandline arguments
2) extract possible activity for user from configfile
3) for pre-lock and pre-unlock case, we already have REPOS-PATH
and PATH - just decide now to exit with 0 or 1.
4) for pre-commit case, first detect user by something like
do_author() in svnlook code.
   Go through the delta tree (similar to do_changed() in
svnlook) and check access with help of node->action,
node->text_mod and node->prop_mod.
5) As soon as something not conforming to the configfile is
detected, exit 1; otherwise exit 0.

Another alternative can be simple C++ with std::strings and
lists, and executing svnlook when needed.

- script for distributing one svnserve.conf, one passwd, one
hook's conf, one set of hooks to many repositories in one
directory level (copies in windows, symlinks in unix)
- something like RBAC - one has a passwd file (users), a file of
roles (mod_authz_svn syntax but without groups and repository
paths - only accesses for some general directory paths) and
file of assignments (one user can have many role:repository
pairs). All of this will be converted with script to hook's
configfile format.
- scripts which generate easily readable ascii-charts for
possible accesses in repository paths and possible accesses
from user point of view (someone can make GUI tools)

I am writing this because maybe someone did such tools and my
work would be needless. Maybe you plan to do some better access
control inside svn code.
Anyway, is such a hook worth creating for the svn community? I
would like to contribute if it makes sense.
I also noticed the Google students' project - path-based
authorization for svnserve. What are the plans of this project?

Pavol

Received on Tue Jun 28 22:53:31 2005

This is an archived mail posted to the Subversion Dev mailing list.
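
The access letters and the pre-commit check proposed in the mail above, as an added C example (not code from the post or from Subversion). The struct change type, the function names and the mapping from action, text_mod and prop_mod to required letters are assumptions made for illustration; the user's access string is taken as already looked up from the config file.

```c
#include <stdio.h>

/* Access bits for the letters proposed in the mail: r u a d p l. */
enum { ACC_R = 1, ACC_U = 2, ACC_A = 4, ACC_D = 8, ACC_P = 16, ACC_L = 32 };

/* Parse an access string; 'w' expands to "uadp". Returns -1 on an unknown letter. */
int parse_access(const char *s)
{
    int mask = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': mask |= ACC_R; break;
        case 'u': mask |= ACC_U; break;
        case 'a': mask |= ACC_A; break;
        case 'd': mask |= ACC_D; break;
        case 'p': mask |= ACC_P; break;
        case 'l': mask |= ACC_L; break;
        case 'w': mask |= ACC_U | ACC_A | ACC_D | ACC_P; break;
        default:  return -1;   /* fail closed on typos in the config */
        }
    }
    return mask;
}

/* Constructed stand-in for one node of the delta tree (hypothetical type). */
struct change { const char *path; char action; int text_mod, prop_mod; };

/* Assumed mapping: 'A' add, 'D' delete, 'R' change of an existing node. */
int required_access(const struct change *c)
{
    if (c->action == 'A') return ACC_A;
    if (c->action == 'D') return ACC_D;
    if (c->action == 'R')
        return (c->text_mod ? ACC_U : 0) | (c->prop_mod ? ACC_P : 0);
    return -1;                 /* unknown action: caller must deny */
}

/* Returns 0 if every change is covered by `granted`, else 1 (hook exit code). */
int check_commit(const char *granted, const struct change *ch, size_t n)
{
    int have = parse_access(granted);
    if (have < 0) return 1;
    for (size_t i = 0; i < n; i++) {
        int need = required_access(&ch[i]);
        if (need < 0 || (need & ~have)) return 1;   /* first violation denies */
    }
    return 0;
}
```

Unknown letters in the access string and unknown actions both deny the commit, so a typo in the config cannot silently widen access.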