
access control in Subversion

From: Dimitri Papadopoulos-Orfanos <papadopo_at_shfj.cea.fr>
Date: 2004-03-16 16:03:02 CET


We're considering moving from Perforce to Subversion and I'm trying to
decide how to configure Subversion at our site with respect to access

* We need closed source files to be readable only by a group A of
authenticated and authorized persons.

* We need closed source files to be writable only by a group B of
authenticated and authorized persons.

* We need open source files to be readable for anyone, even in the
absence of authentication.

* We need open source files to be writable only by a group C of
authenticated and authorized persons.

* Groups A, B, and C are different, and we could actually have more
complex situations where different groups of developers work on
different projects. For example we could define groups A1 and B1 for
project 1 and A2 and B2 for project 2, all of them being different.

I guess other people on this list have similar requirements. Which
solution would you suggest? Is there a HOWTO?

Obviously the built-in authentication and authorization model won't do.
From the book:
        Notice that svnserve only understands "blanket" access control.
        A user either has universal read/write access, universal read
        access, or no access. There is no detailed control over access
        to specific paths within the repository. For many projects and
        sites, this level of access control is more than adequate.
        However, if you need per-directory access control, you'll need
        to use Apache instead of svnserve as your server process.

Apache is not a solution locally, for reasons beyond my reach. We just
cannot install and run a Web server, no matter what it's used for - it
would mean too much effort to get an authorization for that. Also I'm
not sure it's possible to require authentication for writing a file but
not for reading it. Finally it's too much hassle to install so many
different packages on the server and Apache access appears to be
significantly slower.

The only remaining solutions are svn+ssh (for authenticated users) and
svn (for read access without authentication). The problem here is that
traditional POSIX file permissions are not expressive enough in our
case. It seems we need ACLs. ACLs are not supported by our backup system
by the way, but that's another problem. I've read "Supporting Multiple
Repository Access Methods" but I still think we need both svn+ssh and
svn access. Any thoughts on that? Any tips? Any HOWTOs about choosing
users and groups, setting ACLs and umasks?


Dimitri Papadopoulos
Received on Tue Mar 16 16:03:31 2004

This is an archived mail posted to the Subversion Users mailing list.