
mod_authz_svn & MySQL db - possible contract

From: Jay Crouch <jay_at_thesafestream.com>
Date: 2006-09-20 18:27:56 CEST

Hi guys, before you guys ignore this post - I have already tried it on the
users list and got no feedback - also, it looks as if nothing exists to meet
our needs and we're willing to pay to have it developed. Please help, (a
contract wouldn't be particularly lucrative being that we would probably
want to add this mod back to the open source domain, but could make it worth
your while).


I'm looking for help in hooking up SVN authentication & authorization to a
MySQL db.


We are using subversion as a backbone for a web-app that is handling
document management services.


We already have our users and access rights stored in a MySQL db - these are
being used by our web-app; and now are hoping to expose access to the
repositories directly via WebDAV-SVN. We have 'matched' our access
permissions to the same logical format used by mod_authz_svn config files.


First, here's what I've found as far as solutions go:


Authentication - mod_auth_mysql - or LDAP, SAPI, etc.

Authorization - mod_authz_svn (file based config) or a named pipe that
queries the database and sends back the config file.


Second, here's why none of these solutions will work well:


* We don't have a static number of repositories - in fact we have 3
for every user in the system (1000's). Because of this, we need to do some
sort of pattern matching in apache; manually configuring locations for each
repository (much less access rights) would be out of the question. And
because of this, the repository in question needs to be involved in the
where clauses when querying the database.
* I'm concerned about an external or pipe based solution because with
this many repositories traffic is going to be very high (probably balanced
over quite a few servers) - so I need as efficient a process as possible.


Specifically I believe we are looking at 2 separate mods - one that we would
use in lieu of mod_auth_mysql for authentication - and another that would
replace mod_authz_svn. Both mods would do the exact same thing as far as
apache is concerned. However, both mods would need to parse the incoming
request URL/location (or use apache's pattern match variables) and execute
queries using these arguments in the where clause.


I'm not really familiar with the way apache works with pattern matching as
far as the resulting variable scope goes, but I think this should be a
relatively straightforward tweak to both mods (well, a piece of cake
regarding mod_auth_mysql; perhaps more difficult with mod_authz_svn since
you have to add db functionality).


If my understanding of apache is solid (which it isn't) then I believe these
mods could take a single extra parameter in the apache definition for the
location match which would basically specify the where clause to use, and
this string could include a reference to the relevant information derived
from the location match itself (i.e. the user and repo in question).


And a last, related question - we would want to match URLs like
https://domain/e1234 to path/to/users/uid/repoid/


I can't figure out how to do this with apache - obviously the SVN parent
path declaration comes to mind - but in this case, the repositories don't
all exist in the same root folder - instead they are split up into many
subdirectories. We knew this could cause us problems before we implemented
the structure - but had no choice.

How can I set it up?




You may contact me directly: jay@thesafestream.com




Received on Wed Sep 20 18:28:27 2006
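
The lookup the message describes (repository taken from the request URL and used in the WHERE clause) is sketched below as an added example; it is not part of the original post and is not code from mod_authz_svn or mod_auth_mysql. Python's sqlite3 stands in for MySQL, and the `repo_acl` table, its columns, the URL layout and the simplified most-specific-path rule (no groups or wildcards) are assumptions.

```python
import re
import sqlite3

# Assumed URL layout: /<repo>/<path inside repo>, with repo ids shaped like "e1234".
REPO_URI = re.compile(r"/(?P<repo>[a-z][0-9]{1,10})(?P<path>/.*)?")

def build_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE repo_acl "
               "(repo TEXT, path TEXT, username TEXT, access TEXT)")
    db.executemany("INSERT INTO repo_acl VALUES (?, ?, ?, ?)", [
        ("e1234", "/", "alice", "rw"),
        ("e1234", "/", "bob", "r"),
        ("e1234", "/private", "bob", ""),  # empty access = denied, as in authz files
        ("e5678", "/", "bob", "rw"),
    ])
    return db

def check_access(db, uri, user, want_write):
    """Return True only if the most specific rule for (repo, user) grants access."""
    m = REPO_URI.fullmatch(uri)
    if m is None:
        return False  # fail closed on anything that is not a well-formed repo URL
    repo, path = m.group("repo"), m.group("path") or "/"
    if ".." in path.split("/"):
        return False  # no parent-directory segments in the in-repo path
    # URL-derived values are bound as parameters, never spliced into the SQL text.
    rows = db.execute(
        "SELECT path, access FROM repo_acl WHERE repo = ? AND username = ?",
        (repo, user)).fetchall()
    best = None
    for rule_path, access in rows:
        prefix = rule_path.rstrip("/")
        if path == rule_path or path.startswith(prefix + "/"):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, access)
    if best is None:
        return False  # no rule for this user in this repository
    return ("w" if want_write else "r") in best[1]
```

Keeping the SQL text fixed and binding only the captured values means a per-location "where clause" setting would not need to carry request data as string fragments.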

This is an archived mail posted to the Subversion Dev mailing list.
