[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

R: Re: R: R: SVNParentPath and per Repository Permissions

From: Guido Anzuoni <guido.anzuoni_at_kyneste.com>
Date: 2004-09-08 09:07:48 CEST

OK, clear.
See interleaved comments.

Guido.

> -----Messaggio originale-----
> Da: Reinhard Brandstädter [mailto:r.brandstaedter@gmx.at]
> Inviato: martedì 7 settembre 2004 19.59
> A: users@subversion.tigris.org
> Oggetto: Re: R: R: SVNParentPath and per Repository Permissions
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Guido Anzuoni wrote:
>
> |>I am not sure I have fully understood your problem (a little
> |>example may help).
> |>Anyway, I will explain may conf hoping it would somehow be useful.
>
> You are right the explanation was somewhat short, sorry.
>
> This is what I'm using:
>
> <Location /svn/repos1>
> # configuration of LDAP module
> Include subversion/authenticate.conf
> ...
> SVNPath /home/subversion/repos1
> require group cn=project1,ou=groups,dc=sma,dc=com
> require group cn=managers,ou=groups,dc=sma,dc=com
> AuthzSVNAccessFile subversion/acl/auth-repos1.conf
> ...
> </Location>
>
> <Location /svn/repos2>
> # configuration of LDAP module
> Include subversion/authenticate.conf
> ...
> SVNPath /home/subversion/repos2
> require group cn=project2,ou=groups,dc=sma,dc=com
> AuthzSVNAccessFile subversion/acl/auth-repos2.conf
> ...
> </Location>
>
> Since there are 2 different (disjunct) require statements it's
> impossible to centrally define SVNParentPath.
> It would be possible if Apache 2 allowed nested <Location> directives:
>
> <Location /svn>
> <Location repos1> ### -> effective "location" = /svn/repos1
> </Location>
> </Location>
>
> Anyways it's more a theoretical question since I want to lock down
> access to different Locations to different groups (by LDAP). Once
> members of these groups are granted access, authorization is
> managed by
> the access control (AuthzSVNAccessFile).

Why mixing url authorization with repository path authorization (require group xxx is a sort of
authorization directive) ?
With "require valid-user" apache will activate DAV module only upon successful authentication.
Your conf could be:

<Location /svn>
         # configuration of LDAP module
         Include subversion/authenticate.conf
         ...
         SVNParentPath /home/subversion
        Require valid-user
         AuthzSVNAccessFile subversion/acl/auth-repos.conf
         ...
 </Location>
 
and in auth-repos.conf:

[groups]
managers = <members of ldap group cn=managers,ou=groups,dc=sma,dc=com >
repos1-team = <members of ldap group cn=project1,ou=groups,dc=sma,dc=com >
repos2-team = <members of ldap group cn=project2,ou=groups,dc=sma,dc=com >

[/]
* =

[repos1:/]
@repos1-team = rw
@managers = rw

[repos2:/]
@repos2-team = rw

.......

>
> I see so far:
> Pros: ACLs are more simple, since a * = r has only affect on the
> (previouisly) authenticated group of users (require group)
>
> Cons: Configuration of repositories is more complex. Can't add new
> repositories during runtime - have to restart Apache (or re-read
> configuration)

Let's compare the tasks once a new repository has been created.
Location approach:
1. Add <Location> to apache conf
2. (Optional) create ldap group and set membership
3. Set additional ACL in AuthzSVNAccessFile for the new repos
4. restart apache

AuthzSVNAccessFile approach:
1. (Optional) create AuthzSVNAccessFile group and set membership
2. Set ACL in AuthzSVNAccessFile for the new repos

Note that you can have in AuthzSVNAccessFile file:

[/]
* = r

[repos1:/]
* =
@repos1-team = rw
@managers = rw
.......

So that repos1 access (even read) is granted only to repos1-team and managers groups members.

>
> So far it's not a tragedy but if someone recommends a more elegant way
> to accomplish the same, please let me know.
>
> Reinhard
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBPfbhkeAWQwM7gdsRAo6oAJwPUFKhDKKfcIT6TX9zB+RRY/gb9ACguS+a
> Fp1TWZh1vT5yW2JAK3SBNMo=
> =bxIY
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Sep 8 09:28:31 2004

This is an archived mail posted to the Subversion Users mailing list.