I am not sure if this should be sent to the apache mailing list or
here... apologies if this question belongs in the apache list.
I have set up a Subversion repository; it is accessible to users via
WebDAV, as a remotely mounted file system. To the users, this just appears
as a "Web Folder" (in Windows) or a folder (Konqueror or Nautilus),
which they can drag-n-drop items to and from.
I turned on the auto-versioning in my httpd configuration.
I have issues with file-locking and such, but in general this works
fine. It achieves my goal of having a "shared folder" with versioning
capabilities.
In this single repository, I have just one project (trunk?) named
"Share" and created a folder in it named "Common". And in "Common", I
have folders/directories in it, with group names, such as "Accounting",
"HR", "Engineering"... etc.
So the directory structure looks kind of like this:

Share
  Common/
    Accounting/
      private/
        John_Jones/
        Shelly_Thomas/
        Confidential_Stuff/
          Plan_to_Steal_Money/
          Monthly_Pay_Stubs/
      public/
    Engineering/
      private/
        Jennifer_Jones/
        Jack_Gable/
        Confidential_Projects/
          Secret_Project_One/
          Secret_Project_Two/
      public/
    HR/
      private/
        Courtney_Matson/
          Fire Irene/
        Irene_Huang/
          Fire Courney/
        People_to_Fire/
          Fire_John_Jones.txt
      public/
        John_is_fired/

Here, users within each department can access the "private" folder and
work on their projects, but not with other departments.
For example, Courtney and Irene can work on their "People to Fire"
project together (both have read/write access), and have no access to
each other's private folders.
Everyone from other departments has read access to the "public" folder.
So John Jones can read the HR's public folder and find out that he is
getting fired, but he cannot change the files in it.
Currently, I have a *very* long httpd.conf file to control the access to
each sub folder, and it looks kind of like this:

## View-only access to everyone other than engineers
<Location "/Share/Common/Engineering/public">
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Satisfy All
        SetHandler ldap-status
        Order deny,allow
        Allow from all
        AuthLDAPEnabled on
        AuthLDAPURL ldap://ldap.my.com/dc=my,dc=com
        AuthLDAPAuthoritative on
        AuthType Basic
        AuthName "Engineering Public Storage"
        require group engineer
    </LimitExcept>
</Location>

## Only engineers have access to this directory
<Location "/Share/Common/Engineering/private">
    Satisfy All
    SetHandler ldap-status
    Order deny,allow
    Allow from all
    AuthLDAPEnabled on
    AuthLDAPURL ldap://ldap.my.com/dc=my,dc=com
    AuthLDAPAuthoritative on
    AuthType Basic
    AuthName "Engineering Private Storage"
    require group engineer
</Location>

## Engineering Personal Directories
#### Jack Gable
<Location "/Share/Common/Engineering/private/Jack_Gable">
    Satisfy All
    SetHandler ldap-status
    Order deny,allow
    Allow from all
    AuthLDAPEnabled on
    AuthLDAPURL ldap://ldap.my.com/dc=my,dc=com
    AuthLDAPAuthoritative on
    AuthType Basic
    AuthName "Jack's Private Storage"
    require user jackgable
</Location>

#### Jennifer Jones
<Location "/Share/Common/Engineering/private/Jennifer_Jones">
    Satisfy All
    SetHandler ldap-status
    Order deny,allow
    Allow from all
    AuthLDAPEnabled on
    AuthLDAPURL ldap://ldap.my.com/dc=my,dc=com
    AuthLDAPAuthoritative on
    AuthType Basic
    AuthName "Jen's Private Storage"
    require user jenniferjones
</Location>

Evidently this is a horrible way to do it, because as the number of
users grows, my httpd.conf file also grows (rapidly!)
My questions are:
1) Is there a better way for access control? (perhaps via LDAP?)
2) I am only using one project to handle this, because I want users to
be able to connect to http://server/Share, and they automatically see a
listing of all available departments/groups. Are there any drawbacks to
this?
3) Is this a correct use of Subversion? I ran into some limitations, and
I am wondering if I am pushing Subversion to do something it's not
designed to do (such as fine access control).
--
Josh Kuo <josh.kuo@prioritynetworks.net>
Received on Thu Oct 28 22:38:58 2004
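
Added example, not part of the original message and not Apache or Subversion tooling: with one `<Location>` block per personal folder, a folder whose block was never written silently falls back to the department-wide `require group` rule of its parent. The sketch below audits for that gap; the function names, `SAMPLE_CONF` and `PERSONAL_DIRS` are constructed for illustration, and it assumes parent blocks are listed before child blocks, as in the post.

```python
import re

# Constructed sample in the style of the post's httpd.conf (abbreviated).
SAMPLE_CONF = '''
<Location "/Share/Common/Engineering/private">
    require group engineer
</Location>
<Location "/Share/Common/Engineering/private/Jack_Gable">
    require user jackgable
</Location>
'''
# Constructed list of personal folders that exist in the repository.
PERSONAL_DIRS = [
    "/Share/Common/Engineering/private/Jack_Gable",
    "/Share/Common/Engineering/private/Jennifer_Jones",
]

LOCATION_RE = re.compile(r'<Location\s+"?([^">]+?)"?\s*>(.*?)</Location>', re.S | re.I)
REQUIRE_RE = re.compile(r'^\s*require\s+(user|group)\s+(.+?)\s*$', re.I | re.M)

def parse_locations(conf):
    """Map each <Location> path to its list of (kind, [names]) require rules."""
    rules = {}
    for path, body in LOCATION_RE.findall(conf):
        rules[path.rstrip("/")] = [(k.lower(), v.split()) for k, v in REQUIRE_RE.findall(body)]
    return rules

def governing_block(path, rules):
    """Longest <Location> path that equals or is a parent of `path`, else None."""
    matches = [p for p in rules if path == p or path.startswith(p + "/")]
    return max(matches, key=len) if matches else None

def audit(personal_dirs, conf):
    """Return {dir: reason} for personal folders not restricted to one user."""
    rules = parse_locations(conf)
    findings = {}
    for d in personal_dirs:
        path = d.rstrip("/")
        block = governing_block(path, rules)
        if block is None:
            findings[d] = "no Location block applies"
        elif block != path:
            findings[d] = "inherits from " + block
        elif not any(k == "user" and len(v) == 1 for k, v in rules[block]):
            findings[d] = "own block has no single 'require user'"
    return findings

if __name__ == "__main__":
    print(audit(PERSONAL_DIRS, SAMPLE_CONF))
```

Running it against the real configuration and a directory listing of each `private/` folder flags every personal folder that is still readable by the whole department.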