[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Restricting access rights in AuthzSVNAccessFile

From: Dassi, Nasser <NDassi_at_141xm.com>
Date: 2005-01-27 16:44:59 CET

Hi Nicholas,
 
[snip]
Are there any other way to do this?
Here, 'everybody' means 3000 users, and I guess performance would
suffer if we listed all these users in the SVN access file.
SVN would have to parse the full list for each repository access.
(Actually, I did not try that. Do you think this could work?)
[/snip]
 
I may be wrong, but:
 
Apache stores in-memory authentication and permissions. So Apache would be the performance bottleneck (if there is one). --> the same way httpd.conf changes do not affect Apache until the process is restarted/reloaded.
 
Creating a single mega-list will take time at first, but you can then use it for all ACL lists later (if you want different groups in different repositories or projects... the most work is already done!).
 
I hope somebody else helps clarify how fine-grained mod_authz_svn truly is. It is definitely an interesting question.
 
- nasser
 

        -----Original Message-----
        From: Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
        Sent: Thu 1/27/2005 9:24 AM
        To: Dassi, Nasser
        Cc: users@subversion.tigris.org
        Subject: Re: Restricting access rights in AuthzSVNAccessFile
        
        

        Nasser,
        
        Thanks for your explanation.
        
        If I understand well, a user cannot have less access than a group she
        belongs to, at least on the same directory: you can only restrict
        access on sub directories.
        Is that right?
        
        Then, it is a real problem for us, because what we really want to do is
        to provide read access to the whole repository to everybody but a few
        specified users.
        Are there any other way to do this?
        Here, 'everybody' means 3000 users, and I guess performance would
        suffer if we listed all these users in the SVN access file.
        SVN would have to parse the full list for each repository access.
        (Actually, I did not try that. Do you think this could work?)
        
        Thanks for your help!
        
        Nicolas
        
        
        Dassi, Nasser wrote:
        
>Security (ACLs) typically run in the "path-of-least-resistence" fashion.
>
>Tom and John are anonymous until authenticated. Once authenticated,
>they have as much access as possible with the least
>challenge/resistence.
>
>In Example 1, everybody is granted Read access (path of least
>resistence).
>
>In Example 2, nobody has Read access until otherwise granted (via
>@allusers group).
>
>Hope that helps understand security/permissions (and this applies
>everywhere).
>
>- nasser
>
>Nasser Dassi
>Sr. Technical Programmer
>=========================================
>E: ndassi@141xm.com
>=========================================
>
>-----Original Message-----
>From: Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
>Sent: Wednesday, January 26, 2005 1:10 PM
>To: users@subversion.tigris.org
>Subject: Restricting access rights in AuthzSVNAccessFile
>
>Hi,
>
>I need to allow read access to a SVN repository to any authenticated
>user but a few.
>Since we're using mod_authz_svn for fine grained user access, I put in
>place this simple AuthzSVNAccessFile access file:
>
> [groups]
> restricted = tom,john
>
> [/]
> * = r
> @restricted =
>
>I hoped that read access would be granted to all but the 'restricted'
>group.
>Unfortunately, it is not the case: tom and john can still checkout the
>repository.
>
>I also tried listing individual users instead of a group, but it didn't
>help.
>
>The only workaround I see is to list ALL users (around 3000!) in a
>group, and:
>
> [/]
> * =
> @allusers = r
>
>But I think that SVN performance would suffer...
>BTW, I'm using SVN 1.0.6 with https access.
>
>Any idea why the first example does not work?
>All suggestions welcome.
>Thank you for your help!
>
>Nicolas
>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
>
>
>.
>
>
>
        
        

Received on Thu Jan 27 16:48:55 2005

This is an archived mail posted to the Subversion Users mailing list.