
Per-Directory Access Control without AuthzSVNAccessFile ?

From: Maurer, Hermann <Hermann.Maurer_at_gft.com>
Date: 2005-05-25 18:33:55 CEST

Hello folks,

I'm having the following problem:

There is a repository with the standard structure:

            REPO
      +-------+-------+
      |       |       |
    TRUNK    TAGS  BRANCHES

In TRUNK there are some directories for the developers (D) and for the
project managers (PM). All the users have access to REPO via Apache
HTTPD 2.0 with dav_svn_module and authz_svn_module activated.

For security reasons only PM must be able to get access to the
directory DIR1 in TRUNK; D must not be able to read/see the content of
it.

At the moment, the following block in the httpd.conf is responsible for
the repository:
--------------------------------httpd.conf------------------------------------
<Location /projects/REPO>
    DAV svn
    SVNPath /data/svn/projects/REPO
    allow from all
    AuthName "Access to the repository REPO"
    AuthLDAPEnabled on
    AuthLDAPURL "ldap://host.domain/dc=company,dc=com?cn?sub?"
    require group CN=svn_REPO,OU=groups,OU=city,DC=company,DC=com
    AuthzSVNAccessFile /data/svn/projects/REPO_access.conf
</Location>
--------------------------------httpd.conf------------------------------------
As you can see, the users must supply their credentials and be a member
of the LDAP group svn_REPO to be able to access REPO.

This is the content of the file /data/svn/projects/REPO_access.conf:
-----------------------------REPO_access.conf----------------------------------
[groups]
team = user1,user2,user3,user4,user5,.....,user21
manager = pm1,pm2

[/]
@team = rw

[/branches]
@team =
@manager = rw

[/tags]
@team =
@manager = rw

# Section names are repository paths and must start with '/'
[/trunk/DIR1]
@team =
@manager = rw

[/trunk/DIR2]
@team = rw
@manager = rw
-----------------------------REPO_access.conf----------------------------------

I wouldn't like to use the directive AuthzSVNAccessFile, as I must then
keep the list of the members of both of the groups exactly the same: in
the LDAP directory AND in the file REPO_access.conf.

Anonymous access is not for us: if I use '* = r' in the file
REPO_access.conf, EVERY user can get access to REPO (not to DIR1)! So
in that case I need not even be a member of the LDAP group svn_REPO :-( I
think the directive AuthzSVNAccessFile has a 'higher priority' than the
directive Require.

____How should I restrict the access to DIR1 correctly and, if possible,
without AuthzSVNAccessFile?____

The second problem is the following:
Let's assume a PM decides to create a new branch and saves it in
BRANCHES. This would mean that I'd need to build a new rule to deny
access to the 'copied' content of DIR1 in BRANCHES! Otherwise D can
suddenly get access to DIR1 under BRANCHES. The same would happen with
TAGS. Unfortunately there is no way to use patterns in
REPO_access.conf at the moment. For that reason I have to forbid @team
all access to BRANCHES and TAGS :-(

[/branches]
@team =
@manager = rw

But this is painful. Has anybody had and solved this problem?

Thank you very much in advance !

Kind Regards,
Hermann Maurer
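To make the two effects described in the post concrete (the most specific path section wins, and a branch copy of DIR1 inherits the `[/]` grant unless `/branches` is denied wholesale), here is a small evaluator for the authz file format. It is an added example, not code from the original post or from Subversion; it approximates mod_authz_svn's lookup (nearest matching section decides, an empty value is a denial that beats a grant in the same section, `*` matches everyone) and ignores aliases, per-repository sections and `~` negation. The sample file is constructed from the poster's configuration with a shortened team.

```python
"""Approximate evaluator for a Subversion authz file (added example)."""
import configparser
import posixpath

# Constructed sample mirroring the poster's REPO_access.conf, with a
# shorter team and without the DIR2 section.
AUTHZ_TEXT = """
[groups]
team = user1,user2,user3
manager = pm1,pm2

[/]
@team = rw

[/branches]
@team =
@manager = rw

[/trunk/DIR1]
@team =
@manager = rw
"""

def load_authz(text):
    """Parse the [groups] section and every path section into plain dicts."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in members.split(",") if u.strip()}
              for g, members in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def effective_access(user, path, groups, rules):
    """Return '', 'r' or 'rw' for `user` on `path`.

    Walk from the path itself up to '/' and stop at the first section that
    mentions the user, one of the user's groups, or '*'. Within that
    section an empty value (explicit denial) wins over any grant.
    """
    keys = {user, "*"} | {"@" + g for g, m in groups.items() if user in m}
    path = posixpath.normpath(path)
    while True:
        hits = [v.strip() for k, v in rules.get(path, {}).items() if k in keys]
        if hits:
            return "" if "" in hits else "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""  # no section mentions this user anywhere: no access
        path = posixpath.dirname(path)
```

Dropping the `[/branches]` section from `rules` and re-evaluating `user1` on `/branches/rel1/DIR1` shows the leak the post describes: the copy falls back to the `[/]` grant and becomes readable and writable by the whole team.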

Received on Wed May 25 18:36:06 2005

This is an archived mail posted to the Subversion Users mailing list.
