[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [FEATURE]: extend authz algorithm with roles and wildcards to define branch policies.

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-01-06 12:05:34 CET

> -----Original Message-----
> From: Brian Behlendorf [mailto:brian@collab.net]
>
> On Wed, 4 Jan 2006, David Anderson wrote:
> > So, can we have other opinions on these two proposed features?
>
> While something
> SVN-specific would be simple, for most users it would mean yet another
> place they need to worry about managing permissions and accounts in
> addition to wherever they do the same for other systems they use.

Brian, thanks for your input.

Maybe your remarks were outside the initial scope we intended for this
discussion, let me clarify that first.

Users of SVN now have two options to setup their system:
- with apache, allowing LDAP(+others) for user authentication and authz for
path-based authorization
- with svnserve, with its own user authentication and also ( svn 1.3 ) authz for
path-based authorization

The goal of my request was to improve path-based authorization, by adding
support for branch-types ( wildcard matches ) and roles.

Since group definition is now entirely handled in authz, and David prefers to
start with a solution that works with both svnserve & apache setups, the
proposal was to define the roles in the authz config file as well.

> CollabNet didn't see one 5 years ago and had to build an in-house one
> that I'd love to open source but it's not as easy (yet) as just doing
> it.
> Besides, I'd rather not release something like that if there's something
> better already being worked on that is likely to set some sort of
> standard in the same way LDAP did for authn. Someone mentioned
> WS-Security as solving the problem some day, but that feels like
> overkill...

I agree however with your remark that Subversion needs a better solution to
manage users, groups and roles, thereby integrating with Directory Servers over
LDAP ( or other ). We use LDAP with MS Active Directory here ourselves, the
ability to delegate account management from the SVN admin to the AD group
admins seems very natural.

Do you think both paths can/should be followed in parallel? I'm willing to
further discuss functionality of the LDAP authorization part. Maybe you can
explain or give pointers to documents explaining how the CollabNet solution
works?

Lieven

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Jan 6 12:06:53 2006

This is an archived mail posted to the Subversion Dev mailing list.