[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: post-commit hook fires before post-lock hook

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Wed, 04 Mar 2009 13:03:02 -0500

[Please keep discussions of this sort on-list for the benefit of others.]

Mike Coyne wrote:
> My current configuration I has two "locations" the master user goes
> through svn-proxy-sync and regular users through /repos. How would I
> adjust the auth to get what you described? I have not setup apache like
> that before? I am not sure how to the get/pass the username.

[Potentially sensitive information stripped.]

I'm not precisely sure what you need. At a minimum, I think that your
<Location /svn-proxy-sync> block needs something like the following, where
W.X.Y.Z is the IP address of your master server:

   Order deny,allow
   Deny from all
   Allow from W.X.Y.Z

But you're using Kerberos auth for your real users, and Basic auth for your
sync stuff. So, maybe the trick is to keep usernames for all your users in
your slave server's Basic auth password file (and keep that list of
usernames in sync with your Kerberos configuration somehow ... handwaving
here ...), except define the passwords for all those users to be the same
private password (or maybe at least something calculable by the master
server based on username). That way, in the master server's hooks, you can use:

   svn lock SOME_URL --username USERNAME --password PRIVATE_PASSWORD

where USERNAME is the username provided to the hook, and PRIVATE_PASSWORD is
the password you've setup as the password assigned to all the users in the
slave's /etc/httpd/conf/password. This should allow
authenticated-as-real-usernames changes on the slave from the master,
without exposing the slave's repository to change from anywhere except the
master server.

Does that make sense? (Sorry, I can't help much more on this due to
ignorance of Kerberos auth.)

C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

Received on 2009-03-04 19:03:20 CET

This is an archived mail posted to the Subversion Dev mailing list.