I finally figured it out: passing "--tunnel-user <kerberos_principal>"
to svnserve solved the problem.
Dennis Shpakov wrote:
> Ryan Schmidt wrote:
>> On Jul 20, 2006, at 00:43, Dennis Shpakov wrote:
>>> I am setting up a subversion repository on a server that only allows
>>> kerberized ssh access. In general, developers are not allowed to
>>> have real accounts on the server but are supposed to come in as a
>>> generic user called svnuser via the .k5login file mechanism.
>>> I replaced the login shell of the svnuser account by a script that
>>> eventually hands execution over to svnserve -t. To implement
>>> per-project access control under the condition that the hook scripts
>>> run in the sterile environment, I made the login shell script
>>> extract the kerberos principal name from the credentials cache file
>>> (a user without a forwardable ticket is therefore denied access) and
>>> store it in a file with a name based on a process id. The
>>> start-commit hook then checks for the parent process id, reads the
>>> principal name from the corresponding file, and checks it against an
>>> access control list.
>>> Everything looks fine except that the svn:author property is always
>>> set to svnuser (which is expected, of course), while one would
>>> naturally want to have it set to the kerberos principal name of the
>>> author committing the change. Is there a simple way to do it in one
>>> of the hook scripts using the same identification scheme as in
>> I don't know if the situation you're experiencing is the expected
>> one, because I've never tried to set Subversion up like that.
> It is expected because the unix user that owns the svnserve process is
> always svnuser.
>> But yes, you can modify revision properties in for example the
>> pre-commit or post-commit hook.
> How should I do that? If I run something like
> /usr/bin/svn propset svn:author dshpakov -r12 --revprop
> in post-commit, I get the error message saying "svn: '.' is not a
> working copy".
> Thanks again,
To unsubscribe, e-mail: email@example.com
For additional commands, e-mail: firstname.lastname@example.org
Received on Fri Jul 21 18:15:58 2006