Re: WARNING: Upcoming authn/authz policy change for svn.collab.net

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Tue, 11 Aug 2009 23:13:55 -0400

C. Michael Pilato wrote:
> Around 10pm or 11pm tonight (U.S. Eastern time), I'm going to take
> svn.collab.net offline for a bit to make these authn/authz simplifications
> I've been talking about. Here's the updated plan:
>
> * There will be a single password file for all repositories on this box.
> When merging password files, any password clashes for a given username
> will be resolved such that the password used for the most secure
> repository will win.
>
> * Non-SSL access to repositories and ViewVC will be anonymous only. No
> more authentication for non-SSL access, period.
>
> * SSL access will have the same authentication requirements as currently
> exist, with one notable exception: today we have both '/repos/svn-org'
> and '/repos/svn-org-no-anon' locations, required because of
> http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html . In
> the future, we'll still have two "locations" for this repository: one
> is "accessed via SSL, authn required" and the other is "accessed
> without SSL, authn-free, without permission to see the private portions
> of the repository." Both of these will use the URI path /repos/svn-org
> as expected.
>

This work is done now. Items of interest include:

* If you have an 'svn' repository working copy checked out without SSL and
you try to commit, you will get a MKACTIVITY error. Why? Because non-SSL
access is no longer authn-gated, so Apache sees no username, so you get no
commit. 'svn switch --relocate' is your friend.

* Here's the list of people whose 'svn' commit passwords were overwritten
with the password used for more sensitive repositories: rooneg, jrepenning,
maxb, breser.

* As an added bonus, ViewVC can now be used to view all the repositories on
the system. It's configured to honor the Subversion authz rules, anonymous
over non-SSL and authenticated over SSL.

Technically, we should probably update hacking.html and related docs to
recommend that developers check out http*S*://svn.collab.net/repos/svn/...

Finally, all these configuration changes were versioned, so if folks start
complaining, it should be pretty trivial to revert them all.

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2382758

application/pgp-signature attachment: OpenPGP digital signature

Received on 2009-08-12 05:41:21 CEST

This message: [ Message body ]
Next message: Paul Burba: "Re: Merging the subtree-mergeinfo branch back to trunk"
Previous message: Arfrever Frehtes Taifersar Arahesis: "Re: autogen.sh is not executable"
In reply to: C. Michael Pilato: "Re: WARNING: Upcoming authn/authz policy change for svn.collab.net"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]