C. Michael Pilato wrote:
> Around 10pm or 11pm tonight (U.S. Eastern time), I'm going to take
> svn.collab.net offline for a bit to make these authn/authz simplifications
> I've been talking about. Here's the updated plan:
>
> * There will be a single password file for all repositories on this box.
> When merging password files, any password clashes for a given username
> will be resolved such that the password used for the most secure
> repository will win.
>
> * Non-SSL access to repositories and ViewVC will be anonymous only. No
> more authentication for non-SSL access, period.
>
> * SSL access will have the same authentication requirements as currently
> exist, with one notable exception: today we have both '/repos/svn-org'
> and '/repos/svn-org-no-anon' locations, required because of
> http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html . In
> the future, we'll still have two "locations" for this repository: one
> is "accessed via SSL, authn required" and the other is "accessed
> without SSL, authn-free, without permission to see the private portions
> of the repository." Both of these will use the URI path /repos/svn-org
> as expected.
>
This work is done now. Items of interest include:

* If you have an 'svn' repository working copy checked out without SSL and
  you try to commit, you will get a MKACTIVITY error. Why? Because non-SSL
  access is no longer authn-gated, so Apache sees no username, so you get no
  commit. 'svn switch --relocate' is your friend.

* Here's the list of people whose 'svn' commit passwords were overwritten
  with the password used for more sensitive repositories: rooneg, jrepenning,
  maxb, breser.

* As an added bonus, ViewVC can now be used to view all the repositories on
  the system. It's configured to honor the Subversion authz rules, anonymous
  over non-SSL and authenticated over SSL.

Technically, we should probably update hacking.html and related docs to
recommend that developers check out http*S*://svn.collab.net/repos/svn/...

Finally, all these configuration changes were versioned, so if folks start
complaining, it should be pretty trivial to revert them all.

--
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2382758
Received on 2009-08-12 05:41:21 CEST
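
The merge rule described in the message (on a username clash, the password from the most secure repository wins, and the affected users are listed afterwards) can be sketched as follows. This is an added example, not part of the original message and not the tooling used on svn.collab.net; it assumes Apache htpasswd-style `user:hash` files, and the repository names, usernames and hashes are constructed placeholders.

```python
# Added illustration: merge htpasswd-style files so that, on a username clash,
# the entry from the most sensitive repository wins.

def parse_htpasswd(text):
    """Return {username: hash} from 'user:hash' lines; skip blanks and '#' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user or not pw_hash:
            raise ValueError(f"malformed htpasswd line: {raw!r}")
        entries[user] = pw_hash
    return entries


def merge_password_files(files_by_sensitivity):
    """files_by_sensitivity: list of (repo_name, text), most sensitive first.

    Returns (merged, overwritten): merged maps username -> (hash, winning repo);
    overwritten maps username -> repos whose differing hash was discarded.
    """
    merged, overwritten = {}, {}
    for repo, text in files_by_sensitivity:
        for user, pw_hash in parse_htpasswd(text).items():
            if user not in merged:
                merged[user] = (pw_hash, repo)      # first (most sensitive) wins
            elif merged[user][0] != pw_hash:
                overwritten.setdefault(user, []).append(repo)
    return merged, overwritten


def render(merged):
    """Serialize the merged map back to a single htpasswd-style file."""
    return "".join(f"{u}:{h}\n" for u, (h, _) in sorted(merged.items()))


# Constructed sample data: repo names, users and hashes are placeholders.
PRIVATE = "alice:$apr1$AAAA$private-hash-a\nbob:$apr1$BBBB$shared-hash-b\n"
SVN = ("alice:$apr1$CCCC$svn-hash-a\n"
       "bob:$apr1$BBBB$shared-hash-b\n"
       "carol:$apr1$DDDD$svn-hash-c\n")

if __name__ == "__main__":
    merged, overwritten = merge_password_files([("private", PRIVATE), ("svn", SVN)])
    print(render(merged), end="")
    for user, repos in sorted(overwritten.items()):
        print(f"notify {user}: password from {', '.join(repos)} was replaced")
```

Only users whose hashes actually differ between files end up in the notification list; an identical entry in both files is merged silently.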