
RE: Various Access Control Questions

From: Xandy Johnson <xandy_at_fgm.com>
Date: 2004-06-14 02:44:08 CEST

> -----Original Message-----
> From: Ben Collins-Sussman [mailto:sussman@collab.net]
> Sent: Sunday, June 13, 2004 5:38 PM
> To: Xandy Johnson
> Cc: users@subversion.tigris.org
> Subject: Re: Various Access Control Questions
>
> Xandy Johnson wrote:
>
> > <Location /svn>
> > DAV svn
> > SVNParentPath /export/subversion
> > AuthLDAPURL "ldap://some-long-ldap-url"
> > AuthLDAPBindDN "MY_DOMAIN\username"
> > AuthLDAPBindPassword password
> > AuthType Basic
> > AuthName "LDAP authentication for MY_DOMAIN"
> > require valid-user
> > </Location>
> >
> >
> > 1) How do I configure anonymous read-only access and retain read-write
> > access for all authenticated users without having to maintain the user
> > list in the AuthzSVNAccessFile? I get that I need to add something like:
> >
> > AuthzSVNAccessFile /etc/svnaccess
> > Satisfy Any
> >
> > And I get how to grant anonymous read-only access in /etc/svnaccess:
> >
> > [/]
> > * = r
> >
> > And I realize I could add access back for specific users with something
> > like:
> >
> > [/]
> > * = r
> > xandy = rw
> >
> > And even that I can have groups. But then I have to maintain users and
> > groups in /etc/svnaccess rather than leveraging what's already in Active
> > Directory.
>
> AuthzSVNAccessFile and Active Directory are both referring to the same
> authenticated usernames. But they have separate notions of groups, so
> you'll have to keep group definitions in sync.
>
> Of course, if you don't need per-repository or per-directory access
> control, then there's no need to use AuthzSVNAccessFile at all. Just do a
>
> <LimitExcept GET PROPFIND REPORT OPTIONS>
> Require valid-user
> </LimitExcept>
>
> This will allow all read requests to happen anonymously, and all write
> requests to demand authentication.

Thanks. That does satisfy the requirements as I stated them. However, it
seems I oversimplified things...

Please correct me if I'm wrong, but I think using the LimitExcept method
precludes the ability to restrict access further down the tree. So, it
seems I'm required to specify all usernames in the AuthzSVNAccessFile if I
want to have any restricted directories. If that is not correct, please let
me know how to do it. A simplified version of what I'm after is basically
like this:

    [/]
    anonymous = r
    all-authenticated-users = rw

    [/secret]
    anonymous =
    all-authenticated-users = r
    xandy = rw

    [/top-secret]
    anonymous =
    all-authenticated-users =
    xandy = rw

Even if the above is currently possible, I think it would be helpful to have
a richer set of constructs in the AuthzSVNAccessFile syntax. Exactly what
constructs would be best and how to represent them could be vetted by the
community, but I believe constructs should be added for (1) the anonymous
user (perhaps "@anonymous@"), and (2) all authenticated users (perhaps
"@authenticated@"). Such constructs may be of marginal utility for people
maintaining users specifically for Subversion, or even on the same machine
on which Subversion is running. However, I believe they would be very
useful for those of us who are delegating user maintenance to other
authorities.

Is there another way in which I should request such an enhancement, or is
this sufficient?

Thanks,
Xandy
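The following is an added example, not code from this thread and not Subversion's own mod_authz_svn. It is a small, offline evaluator for AuthzSVNAccessFile rules that lets you test a policy like the one sketched above before putting it on the server: the most specific matching `[path]` or `[repo:path]` section decides, a principal that matches no rule in that section falls back to the parent path, and an empty right-hand side (`name =`) is how inherited access is revoked. It also accepts the `$anonymous` and `$authenticated` tokens that Subversion 1.5 later added for exactly this request (assumption: your server runs a release that understands them; on the 2004-era syntax you would need `*` plus explicit user or group names instead). The sample policy, repository names and user names are constructed for the example.

```python
"""
Offline evaluator for Subversion AuthzSVNAccessFile rules.

Added example, not code from the thread or from Subversion's mod_authz_svn.
Assumptions: rules of the form  user / @group / * / $anonymous / $authenticated
= perms, path sections [/path] and [repo:/path], and the evaluation order
documented for mod_authz_svn of that era (most specific section wins, grants
of all rules that apply to the principal in that section are merged).
Newer Subversion (1.10+) gives an explicit user rule precedence over group
and `*` rules; that only matters when a rule deliberately grants *less*
than a wider rule in the same section.
"""
import configparser
from typing import Dict, Optional, Set

# Constructed sample policy mirroring the poster's sketch; not the poster's
# real /etc/svnaccess.  "payroll" is a second repository under SVNParentPath.
SAMPLE_AUTHZ = """
[groups]
admins = xandy

[/]
$anonymous = r
$authenticated = rw

[/secret]
$anonymous =
$authenticated = r
@admins = rw

[/top-secret]
* =
@admins = rw

[payroll:/]
* =
@admins = rw
"""


def parse_authz(text: str) -> configparser.ConfigParser:
    """Parse the INI-style access file, keeping user names case sensitive."""
    cfg = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                    interpolation=None)
    cfg.optionxform = str  # do not lower-case 'Xandy' into 'xandy'
    cfg.read_string(text)
    return cfg


def load_groups(cfg: configparser.ConfigParser) -> Dict[str, Set[str]]:
    """Expand [groups]; a member written as @other pulls in that group."""
    raw = dict(cfg["groups"]) if cfg.has_section("groups") else {}

    def expand(name: str, seen: Set[str]) -> Set[str]:
        members: Set[str] = set()
        for m in (x.strip() for x in (raw.get(name) or "").split(",")):
            if not m:
                continue
            if m.startswith("@"):
                if m[1:] not in seen:  # guard against A -> @B -> @A cycles
                    members |= expand(m[1:], seen | {m[1:]})
            else:
                members.add(m)
        return members

    return {g: expand(g, {g}) for g in raw}


def rule_applies(name: str, user: Optional[str], groups: Dict[str, Set[str]]) -> bool:
    """Does a rule's left-hand side cover this principal?  user=None is anonymous."""
    if name == "*":
        return True
    if name == "$anonymous":
        return user is None
    if name == "$authenticated":
        return user is not None
    if name.startswith("@"):
        return user is not None and user in groups.get(name[1:], set())
    return user == name


def section_grants(cfg, section: str, user: Optional[str], groups) -> Optional[str]:
    """Merged permissions of the rules in `section` that apply to `user`.
    Returns None when no rule applies, so the caller climbs to the parent;
    returns "" when a rule applies but grants nothing (access revoked here)."""
    if not cfg.has_section(section):
        return None
    perms, matched = "", False
    for name, value in cfg.items(section):
        if rule_applies(name, user, groups):
            matched = True
            perms += value or ""
    return "".join(sorted(set(perms))) if matched else None


def can_access(cfg, repo: str, path: str, user: Optional[str], want: str) -> bool:
    """True if `user` (None = anonymous) may perform `want` ('r' or 'w')
    on `path` in repository `repo`.  Walks from the path up to '/', checking
    the repository-specific section before the global one at each level."""
    groups = load_groups(cfg)
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):
            perms = section_grants(cfg, section, user, groups)
            if perms is not None:
                return want in perms
        if path == "/":
            return False  # no rule anywhere: deny by default
        path = path.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    cfg = parse_authz(SAMPLE_AUTHZ)
    for repo, path, user, want in [
        ("calc", "/trunk", None, "r"), ("calc", "/trunk", None, "w"),
        ("calc", "/secret", None, "r"), ("calc", "/secret", "sally", "w"),
        ("calc", "/secret/plans.txt", "xandy", "w"),
        ("calc", "/top-secret", "sally", "r"), ("payroll", "/trunk", None, "r"),
    ]:
        who = user or "<anonymous>"
        print(f"{repo}:{path:<20} {who:<12} {want} -> {can_access(cfg, repo, path, user, want)}")
```

On the httpd side this file is wired in with `AuthzSVNAccessFile`, `Require valid-user` and `Satisfy Any`, as in the configuration quoted above: an unauthenticated request is then evaluated with no user name (the `None` case here), so the `$anonymous` lines decide what the public may read, and a `$anonymous =` line under a subtree is what stops the read permission granted at `[/]` from being inherited. Note that a `[/secret]` section without such a line would leave anonymous read access intact, because no rule there would apply to the anonymous principal and the lookup would climb to `[/]`.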

Received on Mon Jun 14 02:45:40 2004

This is an archived mail posted to the Subversion Users mailing list.
