
Re: Restricting access rights in AuthzSVNAccessFile

From: Nicolas Guerin <Nicolas.Guerin_at_xrce.xerox.com>
Date: 2005-01-31 18:46:37 CET

Thanks Nasser,

You are right: Apache would be the performance bottleneck here,
since it manages the access files through the mod_authz_svn module.
I will need to make a full scale test (with all users) to see how
performance is impacted.

Still, I would really prefer a way to list only those users I want to
deny access to the repository.
If others have any suggestions, they are more than welcome!

Thanks again,

Nicolas

Dassi, Nasser wrote:

> Hi Nicolas,
>
> [snip]
> Is there any other way to do this?
> Here, 'everybody' means 3000 users, and I guess performance would
> suffer if we listed all these users in the SVN access file.
> SVN would have to parse the full list for each repository access.
> (Actually, I did not try that. Do you think this could work?)
> [/snip]
>
> I may be wrong, but:
>
> Apache stores in-memory authentication and permissions. So Apache
> would be the performance bottleneck (if there is one). --> the same
> way httpd.conf changes do not affect Apache until the process is
> restarted/reloaded.
>
> Creating a single mega-list will take time at first, but you can then
> use it for all ACL lists later (if you want different groups in
> different repositories or projects... the most work is already done!).
>
> I hope somebody else helps clarify how fine-grained mod_authz_svn
> truly is. It is definitely an interesting question.
>
> - nasser
>
>
> -----Original Message-----
> *From:* Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
> *Sent:* Thu 1/27/2005 9:24 AM
> *To:* Dassi, Nasser
> *Cc:* users@subversion.tigris.org
> *Subject:* Re: Restricting access rights in AuthzSVNAccessFile
>
> Nasser,
>
> Thanks for your explanation.
>
> If I understand correctly, a user cannot have less access than a group she
> belongs to, at least on the same directory: you can only restrict
> access on sub directories.
> Is that right?
>
> Then, it is a real problem for us, because what we really want to
> do is to provide read access to the whole repository to everybody but
> a few specified users.
> Is there any other way to do this?
> Here, 'everybody' means 3000 users, and I guess performance would
> suffer if we listed all these users in the SVN access file.
> SVN would have to parse the full list for each repository access.
> (Actually, I did not try that. Do you think this could work?)
>
> Thanks for your help!
>
> Nicolas
>
>
> Dassi, Nasser wrote:
>
> >Security (ACLs) typically runs in the "path-of-least-resistance"
> >fashion.
> >
> >Tom and John are anonymous until authenticated. Once authenticated,
> >they have as much access as possible with the least
> >challenge/resistance.
> >
> >In Example 1, everybody is granted Read access (path of least
> >resistance).
> >
> >In Example 2, nobody has Read access until otherwise granted (via
> >@allusers group).
> >
> >Hope that helps understand security/permissions (and this applies
> >everywhere).
> >
> >- nasser
> >
> >Nasser Dassi
> >Sr. Technical Programmer
> >=========================================
> >E: ndassi@141xm.com
> >=========================================
> >
> >-----Original Message-----
> >From: Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
> >Sent: Wednesday, January 26, 2005 1:10 PM
> >To: users@subversion.tigris.org
> >Subject: Restricting access rights in AuthzSVNAccessFile
> >
> >Hi,
> >
> >I need to allow read access to a SVN repository to any authenticated
> >user but a few.
> >Since we're using mod_authz_svn for fine-grained user access, I put in
> >place this simple AuthzSVNAccessFile access file:
> >
> > [groups]
> > restricted = tom,john
> >
> > [/]
> > * = r
> > @restricted =
> >
> >I hoped that read access would be granted to all but the 'restricted'
> >group.
> >Unfortunately, it is not the case: tom and john can still check out
> >the repository.
> >
> >I also tried listing individual users instead of a group, but it
> >didn't help.
> >
> >The only workaround I see is to list ALL users (around 3000!) in a
> >group, and:
> >
> > [/]
> > * =
> > @allusers = r
> >
> >But I think that SVN performance would suffer...
> >BTW, I'm using SVN 1.0.6 with https access.
> >
> >Any idea why the first example does not work?
> >All suggestions welcome.
> >Thank you for your help!
> >
> >Nicolas
> >
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> >For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Jan 31 18:49:06 2005
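The behaviour the thread turns on can be made concrete with a small model. The Python below is an added example written for this page; it is not code from the thread, from mod_authz_svn or from Subversion. It is a simplification that assumes two things: that the rules of the most specific path section matching the requested path decide, and that within one section a matching rule that grants the right is honoured even when another matching rule (such as an empty `@restricted =`) withholds it, which is the behaviour Nicolas reports for the first access file. The user and path names, the `/secret` section and the generated 3000-member `allusers` group are constructed for the example.

```python
"""Toy model of an AuthzSVNAccessFile lookup (added example; not Subversion code)."""
import configparser


def parse_authz(text):
    """Parse an access file into (groups, sections).

    groups:   {name: set(members)}
    sections: {path: [(who, rights), ...]} in file order
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups, sections = {}, {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    for path in cp.sections():
        if path != "groups":
            sections[path] = [(who, (rights or "").strip()) for who, rights in cp.items(path)]
    return groups, sections


def rule_matches(who, user, groups):
    """Does rule key WHO ('*', '@group' or a user name) apply to USER (None = anonymous)?"""
    if who == "*":
        return True
    if user is None:
        return False
    if who.startswith("@"):
        return user in groups.get(who[1:], set())  # set lookup: cheap even for 3000 members
    return who == user


def parent(path):
    return path.rsplit("/", 1)[0] or "/"


def check_access(authz, user, path, required="r"):
    """Walk from PATH up to '/'; the first section that decides wins.

    Every matching rule in a section contributes: a value containing the
    letter grants it, a value lacking it withholds it.  A grant is honoured
    before a deny, reproducing the observation that '* = r' plus
    '@restricted =' still lets tom and john read.
    """
    groups, sections = authz
    while True:
        allow, deny = set(), set()
        for who, rights in sections.get(path, []):
            if rule_matches(who, user, groups):
                for perm in "rw":
                    (allow if perm in rights else deny).add(perm)
        if required in allow:
            return True
        if required in deny:
            return False
        if path == "/":
            return False  # no rule matched anywhere: no access
        path = parent(path)


# Constructed copy of the first file in the thread, plus one sub-directory
# section to show where a deny on the restricted group does take effect.
ORIGINAL = """
[groups]
restricted = tom,john

[/]
* = r
@restricted =

[/secret]
@restricted =
"""

# Constructed copy of the workaround: nobody by default, then an explicit
# group holding everybody who is not restricted.
WORKAROUND = """
[groups]
restricted = tom,john
allusers = alice,bob

[/]
* =
@allusers = r
"""


def big_authz(n, restricted=("tom", "john")):
    """Build the 'list everybody' workaround for n generated users (constructed data)."""
    rest = ",".join(restricted)
    users = ",".join(f"user{i}" for i in range(n))
    return f"\n[groups]\nrestricted = {rest}\nallusers = {users}\n\n[/]\n* =\n@allusers = r\n"


def demo():
    original = parse_authz(ORIGINAL)
    workaround = parse_authz(WORKAROUND)
    big = parse_authz(big_authz(3000))
    return {
        "original_tom_root": check_access(original, "tom", "/"),
        "original_alice_root": check_access(original, "alice", "/"),
        "original_tom_secret": check_access(original, "tom", "/secret"),
        "original_alice_secret": check_access(original, "alice", "/secret"),
        "workaround_tom_root": check_access(workaround, "tom", "/"),
        "workaround_alice_root": check_access(workaround, "alice", "/"),
        "workaround_anon_root": check_access(workaround, None, "/"),
        "big_user2999_trunk": check_access(big, "user2999", "/trunk"),
        "big_tom_trunk": check_access(big, "tom", "/trunk"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Under this model tom keeps read access at `/` with the first file, loses it only where a sub-directory section withholds it, and is shut out at the root only by the "list everybody" workaround; alice inherits `/` read in `/secret` because no rule there applies to her. The 3000-member group costs one parse plus a set lookup per check, so the expense is in reading the file, not in evaluating the rule. Subversion 1.5 and later added the `~` negation prefix and the `$authenticated` token, so on those releases `~@restricted = r` expresses "everyone except the group" directly; the thread's 1.0.6 setup has no such syntax, which is why the explicit all-users group is discussed.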

This is an archived mail posted to the Subversion Users mailing list.