[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Ev2 and Authz

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 17 Apr 2012 19:48:10 +0200

On 16.04.2012 15:12, C. Michael Pilato wrote:
> On 04/14/2012 11:00 AM, Hyrum K Wright wrote:
>> Good morning (in some parts of the world)!
>> I've been doing some poking around with Ev2 and copy operations on the
>> ev2-export branch, and have some observations which merit discussion.
>> In the working copy and elsewhere, all versioned nodes map to a
>> repos_relpath, and I've found it greatly simplifies things if we use
>> that repos relpath in Ev2 operations. Since an Ev2 drive doesn't need
>> to be "anchored" anywhere, using the repos_relpath in this way is
>> analogous to using local_abspaths throughout the working copy, giving
>> every node a single canonical name.
>> However, this has implications in the world of the dreaded issue 3242.
>> For instance, if a session is parented at the root, where the user
>> cannot write, then executes write operations somewhere deep in the
>> tree, where the user does have write privileges, we will produce
>> errors. This is obviously non-sensical and undesirable.
>> If somebody can write to /A/B/C/D, they should be able to open an
>> ra_session to any of the parents and write to their allowable paths
>> without consequence. I know this problem has been known for some
>> time; has anybody looked at what it would take to solve it?
> Hyrum, I begun some work on the authz-overhaul branch aimed at fixing this,
> but never made much progress there. My approach was simple: bifurcate the
> "read" permission into "read" and "exist", where "exist" meant "You can know
> this thing exists and behave accordingly, but you still can't read its
> contents." This would not be a user-visible permission -- just an
> implementation detail. Both "read" and "write" permissions imply having
> "exist" permission. And the rule is, "If you can know N exists, you can
> know that all of N's parents exist."

Can we please not reinvent the wheel re: ACL terminology and semantics?

The related right is called "directory traversal" and is, indeed,
orthogonal to read and write permissions on directories (which are
usually further split into read/write contents and read/write
attributes). It is a property of directories, not leaf objects.

Granted that you may be able to simplify to what you propose, I've
always found it to be a bad idea to /start off/ with a simplified model.

-- Brane
Received on 2012-04-17 19:48:18 CEST

This is an archived mail posted to the Subversion Dev mailing list.