[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: R: R: SVNParentPath and per Repository Permissions

From: Reinhard Brandstädter <r.brandstaedter_at_gmx.at>
Date: 2004-09-07 19:58:57 CEST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guido Anzuoni wrote:

|>I am not sure I have fully understood your problem (a little
|>example may help).
|>Anyway, I will explain may conf hoping it would somehow be useful.

You are right the explanation was somewhat short, sorry.

This is what I'm using:

<Location /svn/repos1>
        # configuration of LDAP module
        Include subversion/authenticate.conf
        ...
        SVNPath /home/subversion/repos1
        require group cn=project1,ou=groups,dc=sma,dc=com
        require group cn=managers,ou=groups,dc=sma,dc=com
        AuthzSVNAccessFile subversion/acl/auth-repos1.conf
        ...
</Location>

<Location /svn/repos2>
        # configuration of LDAP module
        Include subversion/authenticate.conf
        ...
        SVNPath /home/subversion/repos2
        require group cn=project2,ou=groups,dc=sma,dc=com
        AuthzSVNAccessFile subversion/acl/auth-repos2.conf
        ...
</Location>

Since there are 2 different (disjunct) require statements it's
impossible to centrally define SVNParentPath.
It would be possible if Apache 2 allowed nested <Location> directives:

<Location /svn>
        <Location repos1> ### -> effective "location" = /svn/repos1
        </Location>
</Location>

Anyways it's more a theoretical question since I want to lock down
access to different Locations to different groups (by LDAP). Once
members of these groups are granted access, authorization is managed by
the access control (AuthzSVNAccessFile).

I see so far:
Pros: ACLs are more simple, since a * = r has only affect on the
(previouisly) authenticated group of users (require group)

Cons: Configuration of repositories is more complex. Can't add new
repositories during runtime - have to restart Apache (or re-read
configuration)

So far it's not a tragedy but if someone recommends a more elegant way
to accomplish the same, please let me know.

Reinhard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBPfbhkeAWQwM7gdsRAo6oAJwPUFKhDKKfcIT6TX9zB+RRY/gb9ACguS+a
Fp1TWZh1vT5yW2JAK3SBNMo=
=bxIY
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Sep 7 19:59:33 2004

This is an archived mail posted to the Subversion Users mailing list.